Presentation is loading. Please wait.

Presentation is loading. Please wait.

M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M.

Published byHailie Piper Modified over 10 years ago

Similar presentations

Presentation on theme: "M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M."— Presentation transcript:

1 M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M. Rostami, A. Juels, and F. Koushanfar

2 What’s an IMD? Implanted Medical Devices (IMDs) are surgically implanted systems that monitor physiological conditions and (usually) apply therapies. Pacemakers Cardiac defibrillators Neurostimulators Drug-delivery devices 25 million people in U.S. alone fitted with IMDs 2

3 What’s an IMD? Medical devices branching into many areas; someday, most people may have one Example: Transcranial Direct Current Stimulation (tDCS) Improves cognitive performance (May also prevent migraines) 3

4 Why do we need to secure IMDs? IMDs are embedded systems Microprocessors Batteries Wireless interfaces Why wireless? In order to Update firmware, programming Provide telemetry Communicate with other IMDs (eventually) 4

5 Two big dangers to IMD users 1. IMD access is too easy Landmark attack by Halperin et al. in 2008 (UMass, UW, BI) The case of former U.S. VP Dick Cheney He has a heart He has a pacemaker (IMD) He was assassinated when his pacemaker was hacked over the air… In real life, revealed two weeks ago to have disabled pacemaker wireless in 2007 over concerns about hacking 5 thankfully only on TV

6 Two big dangers to IMD users 6 1. IMD access is too easy Landmark attack by Halperin et al. in 2008 (UMass, UW, BI) The case of former U.S. VP Dick Cheney He has a heart He has a pacemaker (IMD) He was assassinated when his pacemaker was hacked… In real life, revealed two weeks ago to have disabled pacemaker wireless in 2007 over concerns about hacking

7 Two big dangers to IMD users 7 1. IMD access is too easy 2. IMD access is too hard E.g., Patient collapses on sidewalk EMTs arrive and try to read diagnostics / reprogram IMD They can’t get access… (They can’t remember their first pets’ names) How do we address these conflicting challenges for emergency access to IMD?

8 Some previous work Conventional password / device key? 2010 U.S. Dept. of HHS report: medical errors may be third leading cause of death Password or key-based access to IMDs would be a key-distribution nightmare Physical processes, e.g., magnets [HKH-BF+08] Ultraviolet Micropigmentation Tattoos [S10] Clever and probably workable May not meet patient acceptance, may be hard to find, lacerations? Distance-bounding [RCH-BC09] Nice approach Power considerations, hardware modification, various attacks Wearing a shield or jammer around the neck [GHRK+11] Can violate FCC rules, inconvenient Transmitting key via Piezo device [HH-BRC+08] Our approach in H2H: Measurement of Physiological Values (PVs) (EKG) 8

9 Heart-to-Heart (H2H): setting and approach Two devices: IMD Programmer 9 IMD Programmer Access-control policy: Touch-to-access Protocol in H2H 1.Programmer sensor touches patient’s body 2.IMD reads PV A 3.Programmer reads PV B 4.Devices check that A ≈ B = ? A B

10 Authentication using physiological values Earliest mention of approach: Patent filed by RSA in 2008 Not implemented; few details Two published schemes (EKG): F. Xu, et. al., "Securing implantable medical devices with the external wearable guardian," INFOCOM 2011. C. Hu, et. al., "OPFKA: Secure and efficient ordered-physiological-feature-based key agreement for wireless body area networks," INFOCOM 2013 Slightly different settings than IMD emergency access Both schemes shown vulnerable to cryptanalytic attack: M. Rostami, W. Burleson, A. Juels, and F. Koushanfar, “Balancing security and utility in medical devices?” DAC, 2013. 10

11 Heart-to-Heart (H2H): What do EKG data look like? EKG measures electrical activity in body, reflecting activity of heart R peak is the most prominent EKG feature We examine R-R interval (heart-beat duration) 11

12 Heart-to-Heart (H2H): What do EKG data look like? R-R interval is also called the inter-pulse interval (IPI) Underlying processes have well-studied chaotic nature IPI is a good source of entropy (used in previous work) 12

13 How much entropy? We analyze some standard EKG databases (MIT-BIH, PTB, and MGH/MF) 13 We take error between left hand & right hand as surrogate for that between IMD and Programmer, i.e., between A and B… IPIs are normalized, quantized, and Gray-coded, yielding 8-bit value

14 Heart-to-Heart (H2H): entropy source Effectively have common, secret source of entropy for IMD and Programmer It outputs a 4-bit random value x 1 x 2 x 3 x 4 with every heartbeat IMD and (honest) Programmer tap this source over (slightly) noisy channel IMD reads A, Programmer reads B 14 IMD Programmer x 1 x 2 x 3 x 4

15 Heart-to-Heart (H2H): entropy source Of course, four bits aren’t a lot We can measure multiple IPIs to harvest more entropy Default in H2H: (n=15, 11-15 secs.) 15 IMD Programmer x 1 x 2 x 3 x 4

16 Challenge 1: How to compare A and B? 16 IMD should only give access to Programmer if A ≈ B But how close should A and B be? Previous schemes just look at Hamming distance between A and B But the error rates are non-uniform across bits E.g., x 1 has 8% error rate, while x 4 has error rate of 0.9%! This naïve approach throws away entropy! Our approach: Use Neyman-Pearson Lemma

17 Challenge 1: How to compare A and B? 17 Neyman-Pearson Lemma: For PV u: Let P(u) be probability adversary (no skin contact) makes guess u for true PV Let Q(u) be probability valid Programmer/IMD yields u for true PV There exists an threshold T such that an optimal classifier accepts a reading u as valid if log (P(u) / Q(u)) > T

18 Challenge 1: How to compare A and B? 18 Neyman-Pearson criterion: log (P(u) / Q(u)) > T Conveniently, bits x 1 x 2 x 3 x 4 are unbiased and independent Paper contains a number of tricks for implementing Neyman- Pearson Lemma efficiently in IMD We benefit from full entropy of source in comparing A ≈ B

19 Challenge 2: How to compare A and B securely? Idea 1: Have Programmer send B to the IMD and compare A and B on IMD An adversary can intercept and replay B How to compare A and B without exposing them on unauthenticated channel? Ideal 2: Use a Password-Based Key Agreement (PAKE) protocol (e.g., [KOY01]) to establish a secure channel between the IMD and Programmer PAKEs require A=B, and we have A≈B What we need is a fuzzy PAKE We could use fuzzy crypto (e.g., JW99, DORS04) Incurs entropy loss No clear way to integrate into PAKE General secure function evaluation too expensive for embedded devices 19

20 Challenge 2: How to compare A and B securely? Key observation: Entropy source changes continuously, so A and B treatable as one-time secrets! We can expose A and B at end of protocol We can use commit / decommit approach 20 Second observation: We can bootstrap protocol with unauthenticated secure channel SecChannel In practice, this means TLS without a certificate

21 H2H protocol overview SecChannel (TLS)  s Read A IMD Programmer Read B C A  Commit(A,w A ;s) C B  Commit(B,w B ;s) CACA CBCB wAwA wBwB A ≈ B ??? ✔

22 Prototype implementation: Design choices 22 Design objective 1: Minimal power consumption on IMD SecChannel: Low exponent RSA-based TLS (e = 2 16 +1) with IMD as client Design objective 2: Stronger security than ordinary 8-digit (e.g., SecurID) authentication token Read n = 15 IPIs (11 to 15 secs.) FAR, FRR < 3 x 10 -9 Design objective 3: No hardware modification to existing IMDs

23 Power-consumption profile 23 ARM-Cortex M-3 microprocessor

24 Do we really get touch-to-access policy? 24 I.e., is skin contact by Programmer required to read IPIs clearly? Photoplethysmography (PPG) Subtle changes in skin color due to heart Our experiments show it isn’t a viable attack Head movements? Capacitive sensing? Ripley’s-Believe-It-or-Not attack EKG can be read via EEG of someone you shake hands with [BBMG13]

25 A lot more work to do… 25 More detailed security analysis Remove idealized SecChannel? Extract more entropy from EKG for protocol? Using H2H with other PVs EEG? EMG? Sensing attacks against touch-to-access?

26 Conclusions 26 Heads of state shouldn’t have to deactivate IMD features Today, though, it’s perhaps prudent to do so H2H offers touch-to-access authentication policy using EKG Doesn’t require hardware modification to existing IMDs, e.g., pacemakers IMD authentication is an important and interesting problem at physical / logical security boundary

Download ppt "M. ROSTAMI A. JUELS F. KOUSHANFAR Heart-to-Heart (H2H): Authentication for Implanted Medical Devices 1 RICE UNIV. (VARIOUS CAFES) RICE UNIV. © 2013 M."

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.

Mutual OATH HOTP Variants 65th IETF - Dallas, TX March 2006.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
PSKA: Usable and Secure Key Agreement Scheme for Body Area Networks Authors: Krishna K. Venkatasubramanian, Ayan Banerjee, Sandeep K.S. Gupta Presenter:Francis.

PSKA: Usable and Secure Key Agreement Scheme for Body Area Networks Authors: Krishna K. Venkatasubramanian, Ayan Banerjee, Sandeep K.S. Gupta Presenter:Francis.
Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.

Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.
Fuzzy Stuff 6.857 Lecture 24, 2006. Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.

Fuzzy Stuff Lecture 24, Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.
SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks 0 Fall 2014 Presenter: Kun Sun, Ph.D. Michael Rushanan*, Denis Foo Kune,

SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks 0 Fall 2014 Presenter: Kun Sun, Ph.D. Michael Rushanan*, Denis Foo Kune,
Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.

Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.
Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses Authors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin.

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses Authors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on.

Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Multi-agents based wireless sensor telemedicine network for E-Health monitoring of HIV Aids Patients. By: Muturi Moses Kuria, SCI, University of Nairobi,

Multi-agents based wireless sensor telemedicine network for E-Health monitoring of HIV Aids Patients. By: Muturi Moses Kuria, SCI, University of Nairobi,
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Similar presentations

Ads by Google