Presentation is loading. Please wait.

Presentation is loading. Please wait.

M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M.

Similar presentations


Presentation on theme: "M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M."— Presentation transcript:

1 M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M. Rostami, A. Juels, and F. Koushanfar

2 What’s an IMD? Implanted Medical Devices (IMDs) are surgically implanted systems that monitor physiological conditions and (usually) apply therapies. Pacemakers Cardiac defibrillators Neurostimulators Drug-delivery devices 25 million people in U.S. alone fitted with IMDs 2

3 What’s an IMD? Medical devices branching into many areas; someday, most people may have one Example: Transcranial Direct Current Stimulation (tDCS) Improves cognitive performance (May also prevent migraines) 3

4 Why do we need to secure IMDs? IMDs are embedded systems Microprocessors Batteries Wireless interfaces Why wireless? In order to Update firmware, programming Provide telemetry Communicate with other IMDs (eventually) 4

5 Two big dangers to IMD users 1. IMD access is too easy Landmark attack by Halperin et al. in 2008 (UMass, UW, BI) The case of former U.S. VP Dick Cheney He has a heart He has a pacemaker (IMD) He was assassinated when his pacemaker was hacked over the air… In real life, revealed two weeks ago to have disabled pacemaker wireless in 2007 over concerns about hacking 5 thankfully only on TV

6 Two big dangers to IMD users 6 1. IMD access is too easy Landmark attack by Halperin et al. in 2008 (UMass, UW, BI) The case of former U.S. VP Dick Cheney He has a heart He has a pacemaker (IMD) He was assassinated when his pacemaker was hacked… In real life, revealed two weeks ago to have disabled pacemaker wireless in 2007 over concerns about hacking

7 Two big dangers to IMD users 7 1. IMD access is too easy 2. IMD access is too hard E.g., Patient collapses on sidewalk EMTs arrive and try to read diagnostics / reprogram IMD They can’t get access… (They can’t remember their first pets’ names) How do we address these conflicting challenges for emergency access to IMD?

8 Some previous work Conventional password / device key? 2010 U.S. Dept. of HHS report: medical errors may be third leading cause of death Password or key-based access to IMDs would be a key-distribution nightmare Physical processes, e.g., magnets [HKH-BF+08] Ultraviolet Micropigmentation Tattoos [S10] Clever and probably workable May not meet patient acceptance, may be hard to find, lacerations? Distance-bounding [RCH-BC09] Nice approach Power considerations, hardware modification, various attacks Wearing a shield or jammer around the neck [GHRK+11] Can violate FCC rules, inconvenient Transmitting key via Piezo device [HH-BRC+08] Our approach in H2H: Measurement of Physiological Values (PVs) (EKG) 8

9 Heart-to-Heart (H2H): setting and approach Two devices: IMD Programmer 9 IMD Programmer Access-control policy: Touch-to-access Protocol in H2H 1.Programmer sensor touches patient’s body 2.IMD reads PV A 3.Programmer reads PV B 4.Devices check that A ≈ B = ? A B

10 Authentication using physiological values Earliest mention of approach: Patent filed by RSA in 2008 Not implemented; few details Two published schemes (EKG): F. Xu, et. al., "Securing implantable medical devices with the external wearable guardian," INFOCOM C. Hu, et. al., "OPFKA: Secure and efficient ordered-physiological-feature-based key agreement for wireless body area networks," INFOCOM 2013 Slightly different settings than IMD emergency access Both schemes shown vulnerable to cryptanalytic attack: M. Rostami, W. Burleson, A. Juels, and F. Koushanfar, “Balancing security and utility in medical devices?” DAC,

11 Heart-to-Heart (H2H): What do EKG data look like? EKG measures electrical activity in body, reflecting activity of heart R peak is the most prominent EKG feature We examine R-R interval (heart-beat duration) 11

12 Heart-to-Heart (H2H): What do EKG data look like? R-R interval is also called the inter-pulse interval (IPI) Underlying processes have well-studied chaotic nature IPI is a good source of entropy (used in previous work) 12

13 How much entropy? We analyze some standard EKG databases (MIT-BIH, PTB, and MGH/MF) 13 We take error between left hand & right hand as surrogate for that between IMD and Programmer, i.e., between A and B… IPIs are normalized, quantized, and Gray-coded, yielding 8-bit value

14 Heart-to-Heart (H2H): entropy source Effectively have common, secret source of entropy for IMD and Programmer It outputs a 4-bit random value x 1 x 2 x 3 x 4 with every heartbeat IMD and (honest) Programmer tap this source over (slightly) noisy channel IMD reads A, Programmer reads B 14 IMD Programmer x 1 x 2 x 3 x 4

15 Heart-to-Heart (H2H): entropy source Of course, four bits aren’t a lot We can measure multiple IPIs to harvest more entropy Default in H2H: (n=15, secs.) 15 IMD Programmer x 1 x 2 x 3 x 4

16 Challenge 1: How to compare A and B? 16 IMD should only give access to Programmer if A ≈ B But how close should A and B be? Previous schemes just look at Hamming distance between A and B But the error rates are non-uniform across bits E.g., x 1 has 8% error rate, while x 4 has error rate of 0.9%! This naïve approach throws away entropy! Our approach: Use Neyman-Pearson Lemma

17 Challenge 1: How to compare A and B? 17 Neyman-Pearson Lemma: For PV u: Let P(u) be probability adversary (no skin contact) makes guess u for true PV Let Q(u) be probability valid Programmer/IMD yields u for true PV There exists an threshold T such that an optimal classifier accepts a reading u as valid if log (P(u) / Q(u)) > T

18 Challenge 1: How to compare A and B? 18 Neyman-Pearson criterion: log (P(u) / Q(u)) > T Conveniently, bits x 1 x 2 x 3 x 4 are unbiased and independent Paper contains a number of tricks for implementing Neyman- Pearson Lemma efficiently in IMD We benefit from full entropy of source in comparing A ≈ B

19 Challenge 2: How to compare A and B securely? Idea 1: Have Programmer send B to the IMD and compare A and B on IMD An adversary can intercept and replay B How to compare A and B without exposing them on unauthenticated channel? Ideal 2: Use a Password-Based Key Agreement (PAKE) protocol (e.g., [KOY01]) to establish a secure channel between the IMD and Programmer PAKEs require A=B, and we have A≈B What we need is a fuzzy PAKE We could use fuzzy crypto (e.g., JW99, DORS04) Incurs entropy loss No clear way to integrate into PAKE General secure function evaluation too expensive for embedded devices 19

20 Challenge 2: How to compare A and B securely? Key observation: Entropy source changes continuously, so A and B treatable as one-time secrets! We can expose A and B at end of protocol We can use commit / decommit approach 20 Second observation: We can bootstrap protocol with unauthenticated secure channel SecChannel In practice, this means TLS without a certificate

21 H2H protocol overview SecChannel (TLS)  s Read A IMD Programmer Read B C A  Commit(A,w A ;s) C B  Commit(B,w B ;s) CACA CBCB wAwA wBwB A ≈ B ??? ✔

22 Prototype implementation: Design choices 22 Design objective 1: Minimal power consumption on IMD SecChannel: Low exponent RSA-based TLS (e = ) with IMD as client Design objective 2: Stronger security than ordinary 8-digit (e.g., SecurID) authentication token Read n = 15 IPIs (11 to 15 secs.) FAR, FRR < 3 x Design objective 3: No hardware modification to existing IMDs

23 Power-consumption profile 23 ARM-Cortex M-3 microprocessor

24 Do we really get touch-to-access policy? 24 I.e., is skin contact by Programmer required to read IPIs clearly? Photoplethysmography (PPG) Subtle changes in skin color due to heart Our experiments show it isn’t a viable attack Head movements? Capacitive sensing? Ripley’s-Believe-It-or-Not attack EKG can be read via EEG of someone you shake hands with [BBMG13]

25 A lot more work to do… 25 More detailed security analysis Remove idealized SecChannel? Extract more entropy from EKG for protocol? Using H2H with other PVs EEG? EMG? Sensing attacks against touch-to-access?

26 Conclusions 26 Heads of state shouldn’t have to deactivate IMD features Today, though, it’s perhaps prudent to do so H2H offers touch-to-access authentication policy using EKG Doesn’t require hardware modification to existing IMDs, e.g., pacemakers IMD authentication is an important and interesting problem at physical / logical security boundary


Download ppt "M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M."

Similar presentations


Ads by Google