Presentation is loading. Please wait.

Presentation is loading. Please wait.

Take Two Software Updates and See Me in the Morning: The Case for Software Security Evaluations of Medical Devices Steve Hanna 1, Rolf Rolles 4, Andres.

Published byJanae Graffam Modified over 10 years ago

Similar presentations

Presentation on theme: "Take Two Software Updates and See Me in the Morning: The Case for Software Security Evaluations of Medical Devices Steve Hanna 1, Rolf Rolles 4, Andres."— Presentation transcript:

1 Take Two Software Updates and See Me in the Morning: The Case for Software Security Evaluations of Medical Devices Steve Hanna 1, Rolf Rolles 4, Andres Molina-Markham 2, Pongsin Poosankam 1,3, Kevin Fu 2, Dawn Song 1 University of California – Berkeley 1, University of Massachusetts Amherst 2, Carnegie Mellon University 3, Unaffiliated 4

2 Changing Medical Device Landscape Increased software complexity Software plays an increasing role in device failure – 2005-2009 (18%) due to software failure, compared to (6%) in 1980s Increased attack opportunities Medical device hardware and software is usually a monoculture within device model 2Hanna, et al. The case for Software Security Evaluations of Medical Devices Health Data Connected Devices Medical Device 28,000 adverse event reports in 14 Models recalled 2005-2010. Automated External Defibrillators

3 To be clear… 3Hanna, et al. The case for Software Security Evaluations of Medical Devices AEDsICDs X

4 Wisconsin requires daycare providers to be AED proficient Global Automated External Defibrillators (AED) Market: Demand to Drive Growth; June 2009 U.S., European and Japanese External Defibrillation (PAD) Market Report. Frost & Sullivan. 2000. Valenzuela TD, et al. N Engl J Med. 2000;343:1206-1209. Caffrey S, et al. N Engl J Med. 2002;347:1242-1247. The Population of AEDs Has Increased Significantly Over the Past 5 Years Automated External Defibrillator Milestones AEDs Worldwide 4Hanna, et al. The case for Software Security Evaluations of Medical Devices 1,582,691 1996199820002002200420062008 First AED with biphasic waveformFirst save on US airline74% survival rate in casinos75% survival rate in OHare Airport PAD Trial Published New York requires AEDs in public places

5 Our Objectives Explore state of AED software security Examine for standard software security flaws – Data handling, coding practices, developer assumptions Give insight into state of medical device software and potential for future abuse 5Hanna, et al. The case for Software Security Evaluations of Medical Devices

6 Desirable Medical Device Properties The device should: – Ensure that software running on a system is the image that was verified – Detect compromise – Verify and authenticate device telemetry – Be robust: defenses and updates weighed with risks to patient 6Hanna, et al. The case for Software Security Evaluations of Medical Devices

7 Case Study Analyzed Cardiac Science G3 Plus model 9390A Performed static reverse engineering using IDA Pro – Analyzed: MDLink, AEDUpdate and device firmware Analysis using BitBlaze architecture – BitFuzz, the dynamic symbolic path exploration tool Remarks – Problems likely not isolated to the G3 Plus – Potential for abuse as devices become more connected 7Hanna, et al. The case for Software Security Evaluations of Medical Devices

8 Vulnerabilities Discovered 1.AED Firmware - Replacement 2.AEDUpdate - Buffer overflow 3.AEDUpdate - Plain text user credentials 4.MDLink - Weak password scheme Vulnerabilities were verified on Windows XP SP2. 8Hanna, et al. The case for Software Security Evaluations of Medical Devices

9 Firmware Replacement Firmware update uses custom CRC to verify firmware Modified firmware, with proper CRC, is accepted by AED and update software Impact: Arbitrary firmware DEVICE COMPROMISED 9Hanna, et al. The case for Software Security Evaluations of Medical Devices

10 AEDUpdate Buffer Overflow During update device handshake, device version number exchanged AEDUpdate improperly assumes valid input Enables arbitrary code execution – Data sent from AED can be executed as code on the host PC 10Hanna, et al. The case for Software Security Evaluations of Medical Devices

11 11Hanna, et al. The case for Software Security Evaluations of Medical Devices

12 Improving Medical Device Security for Developers Lessons and open problems from the CS G3 Plus – Cryptographically secure device updates No security through obscurity, ensures firmware authenticity – Device telemetry verified for integrity and authenticity Defensively assume that data is not trusted – Passwords cryptographically secure and easily managed Private data and life critical functionality should be protected by well-established cryptographic algorithms – Defenses and updates weighed with risks to patient Medical devices should fail open 12Hanna, et al. The case for Software Security Evaluations of Medical Devices

13 Recommendations Ensure the update machine is secure – Physical isolation, virtual machine for fresh install Follow FDA guidelines and advisories Remain vigilant – Monitoring physical access, routinely updating afflicted devices, and monitoring advisories released about the device 13Hanna, et al. The case for Software Security Evaluations of Medical Devices

14 Final Recommendation We recommend continued use of AEDs because of their potential to perform lifesaving functions. The attack potential is currently unmeasured and currently, these devices overwhelmingly save more lives than they imperil. 14Hanna, et al. The case for Software Security Evaluations of Medical Devices

15 Thank You Questions? – Contact: Steve Hanna (sch@eecs.berkeley.edu) Dawn Song (dawnsong@cs.berkeley.edu) Kevin Fu (kevinfu@cs.umass.edu) secure-medicine.org 15Hanna, et al. The case for Software Security Evaluations of Medical Devices

Download ppt "Take Two Software Updates and See Me in the Morning: The Case for Software Security Evaluations of Medical Devices Steve Hanna 1, Rolf Rolles 4, Andres."

Similar presentations

Chapter 24 Quality Management.

Chapter 24 Quality Management.
Autotuning in Web100 John W. Heffner August 1, 2002 Boulder, CO.

Autotuning in Web100 John W. Heffner August 1, 2002 Boulder, CO.
For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.

For SIGAda Conference, 2005 November, Atlanta 1 A New Standards Project on Avoiding Programming Language Vulnerabilities Jim Moore Liaison Representative.
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Implementation of a Validated Statistical Computing Environment Presented by Jeff Schumack, Associate Director – Drug Development Information September.

Implementation of a Validated Statistical Computing Environment Presented by Jeff Schumack, Associate Director – Drug Development Information September.
The creation of Yaolan.com A Site for Pre-natal and Parenting Education in Chinese by James Caldwell DAE Interactive Marketing a Web Connection Company.

The creation of "Yaolan.com" A Site for Pre-natal and Parenting Education in Chinese by James Caldwell DAE Interactive Marketing a Web Connection Company.
Making the System Operational

Making the System Operational
| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net 1 WX Client Rajoo Nagar PLM, WABU.

| Copyright © 2009 Juniper Networks, Inc. | 1 WX Client Rajoo Nagar PLM, WABU.
Insert image here © SPEC-Soft - 1 - 02-06-02 - SAVINGS AND EXPERTISE FOR YOUR PLANT PFS-Suite Life-cycle Tools For Process Automation PFS-Suite TM.

Insert image here © SPEC-Soft SAVINGS AND EXPERTISE FOR YOUR PLANT PFS-Suite Life-cycle Tools For Process Automation PFS-Suite TM.
Configuration management

Configuration management
Working with Disks and Devices

Working with Disks and Devices
ACT User Meeting June 2011. Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.

ACT User Meeting June Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.
Testing Workflow Purpose

Testing Workflow Purpose
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
1 | © 2012 V-Key.com – Proprietary and Confidential Bugatti Veyron Super SportBugatti Veyron Super Sport: 267 mph (429 km/h), 0-60 in 2.4 secs.

1 | © 2012 V-Key.com – Proprietary and Confidential Bugatti Veyron Super SportBugatti Veyron Super Sport: 267 mph (429 km/h), 0-60 in 2.4 secs.
“The Honeywell Web-based Corrective Action Solution”

“The Honeywell Web-based Corrective Action Solution”
Security Self-Help Program Summary. Purpose To provide a way to automate the “hardening” of computer systems by applying security settings and configuration.

Security Self-Help Program Summary. Purpose To provide a way to automate the “hardening” of computer systems by applying security settings and configuration.
Security metrics in SCADA system Master of Computer and Information Science Student: Nguyen Duc Nam Supervisor: Elena Sitnikova.

Security metrics in SCADA system Master of Computer and Information Science Student: Nguyen Duc Nam Supervisor: Elena Sitnikova.
Desktop Value - Introducing Windows XP Service Pack 2 with Advanced Security Technologies Presenter: James K. Murray Title: Information Technologies Consultant.

Desktop Value - Introducing Windows XP Service Pack 2 with Advanced Security Technologies Presenter: James K. Murray Title: Information Technologies Consultant.
BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections, L. Lu et al. BLADE: An Attack-Agnostic Approach for Preventing Drive-By.

BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections, L. Lu et al. BLADE: An Attack-Agnostic Approach for Preventing Drive-By.

Similar presentations

Ads by Google