A Non-Key Based Security Scheme Supporting ... - IEEE Xplore

0 downloads 0 Views 241KB Size Report
this paper, we present a non-key based security scheme for the emergency treatment of IMDs, named the BodyDouble. This scheme employs an external ...
IEEE ICC 2014 - Communication and Information Systems Security Symposium

A Non-Key Based Security Scheme Supporting Emergency Treatment of Wireless Implants Guanglou Zheng, Gengfa Fang

Mehmet A. Orgun, Rajan Shankaran

Department of Engineering Macquarie University Sydney, Australia [email protected] [email protected]

Department of Computing Macquarie University Sydney, Australia [email protected] [email protected]

Abstract—The security of wireless communication module for Implantable Medical Devices (IMDs) poses a unique challenge that doctors in any qualified hospital should have the access to the IMDs for an emergency treatment while the IMD should be protected from adversaries during a patient’s daily life. In this paper, we present a non-key based security scheme for the emergency treatment of IMDs, named the BodyDouble. This scheme employs an external authentication proxy embedded in a gateway to authenticate the identity of a programmer. The gateway here employs a transmitting antenna to send data and jamming signals. When an adversary launches attacks, the gateway jams the request signal to the IMD and authenticates its identity. The gateway will also pretend to be the wireless module of the IMD by establishing a communication link with the adversary so that the adversary is spoofed to communicate with the gateway instead of the IMD. For the emergency situation, the IMD can be accessed without using any cryptographic keys by simply powering off or removing the gateway. Simulation results show that this security scheme can protect the IMD from the adversary’s attacks successfully, and resist the potential repeated attacks to prevent the battery depletion of the IMD.

I. I NTRODUCTION Implantable Medical Devices (IMDs), such as pacemakers, implantable cardiac defibrillators (ICDs), neuro-stimulators and drug delivery systems, can be used to treat a broad range of ailments, e.g., cardiac arrhythmia, Parkinson’s disease and diabetes[1]. Currently, the wireless communication technology has been employed as an intrinsic part of a modern IMD. Therefore, as shown in Fig. 1, a health care practitioner can use a device programmer with wireless support to extract data from an IMD or reset the IMD’s parameters without surgery. By using wireless communication channels, IMDs can transfer telemetry medical data to clinics via at-home monitors, thereby facilitating remote monitoring services to chronic patients[2].

Fig. 1. Wireless Communications between an IMD and a programmer, with partial images from [3]

Despite these advantages, recent studies have revealed

978-1-4799-2003-7/14/$31.00 ©2014 IEEE

647

that there are inherent security vulnerabilities on an IMD wireless module which can be exploited by an adversary to retrieve data or reprogram an IMD with off-the-shelf radio and computer equipment [4] or by a commercial programmer [5]. These devices can be easily purchased from the eBay online store (www.ebay.com) or other companies. The security threats could potentially cause life-threatening consequences [6]. Furthermore, patients cannot simply remove an implanted device to protect themselves from adversaries when under attack [7]. Therefore, the security issue of an IMD has recently attracted a particular attention of the research community in academia and industry. Unlike other traditional security issues in wireless sensor networks, the security design of an IMD faces a unique challenge that health care professionals in a different hospital can have access to an IMD immediately for emergent treatment. More specifically, the IMD can be freely accessed in any hospital, not only in the hospital where the patient normally receives treatment. In such a situation, the use of conventional keys or credentials may not be viable, as neither the visited hospital can cache or gain access to the necessary security related credentials, nor may the patients be trusted to provide keys in a timely fashion. Although remote servers can be used to store these keys, the access to these servers cannot be guaranteed from any hospital in any country at any time. Consequently, an ideal security solution in an emergency situation would be to use a scheme that makes no use of keys when accessing an IMD. In this paper, we propose a non-key based security scheme, named BodyDouble, for the emergency treatment of IMDs. This scheme employs a gateway as an authentication proxy to control access to an IMD so that access by a malicious party would be prevented from compromising the IMD. Here the gateway is an external device where an authentication proxy is embedded. The gateway can take, for instance, the form of a watch and be worn on the patient’s wrist. For the emergency treatment, doctors will simply power off or remove the gateway and gain access to the IMD by using a programmer directly without any requirements of keys or credentials. We also propose a spoofing mechanism that the gateway pretends to be the IMD wireless module when in the presence of an adversary. In this way, a communication session is established between the adversary and the gateway in place of the IMD, so that the adversary is spoofed to communicate with it, protecting the IMD from attacks.

IEEE ICC 2014 - Communication and Information Systems Security Symposium

be initialized and paired with the IMD in the patients’ regular clinics where most of their health materials are kept. Thus, we do not assume that the IMD must exclusively associate with a particular gateway, as another one can be paired with the IMD according to previous settings.

The security scheme that is embedded into an external device, such as a gateway, instead of the IMD has other benefits. It firstly requires limited changes to the current IMD products, and can reduce engineering bugs for manufacturers. Secondly, executing the main task of security of an external device can help conserve energy in the IMD. This is crucial to maintain the lifetime of the IMD and the well-being of patients, because the battery depletion of an implanted device normally requires a surgical operation to replace the IMD. Our main contributions of the paper are as follows: • We analyzed the adversary mode of wireless IMD and designed a non-key security scheme that where doctors can access IMDs without keys or credentials in an emergency while the IMDs are protected in the circumstance of patients’ daily life. • We also designed a spoofing mechanism to shield IMDs from adversaries, which can help prevent adversaries from launching repeated attacks. • We conducted simulations and demonstrated that this security scheme can protect the IMD from the adversary’s attacks, and resist the potential repeated attacks to save the battery lifetime of the IMD. The rest of this paper is organized as follows: Section II analyzes adversary models, assumptions and related solutions for the IMD security; Section III presents the detailed description of the BodyDouble security scheme and its protocols; Section IV evaluates this scheme via a simulation study, and Section V are the conclusions.

B. Related Work As existing commercial products of IMDs lack security mechanisms, this research topic has recently attracted attention of researchers from a wide range of communities [5, 6, 8, 9]. Traditional security solutions employ security keys or credentials within IMDs to authenticate programmers, as discussed in[10]. However, the problem of how to obtain keys or credentials immediately in an emergency treatment is quite challenging. The suggestion of storing keys in a server and obtaining them via Internet is not viable as we cannot make sure that medical personnel in all hospitals, especially those in developing countries, have the capability of accessing servers [1]. Some papers have proposed biometric-based authentication methods, e.g., fingerprints, iris image [9], and Electrocardiography [6]. With the use of biometrics, although clinical personnel do not need to know keys or credentials in advance, the key extraction from biometrics needs special equipment and time. Sometimes the extracted keys may even not match those stored in IMDs. As emergency treatment may be timesensitive, these schemes have a potential disadvantage of missing critical time for treatment. The BodyDouble security scheme does not require keys when in emergency treatment, helping doctors access IMDs freely. The work by [5] exploited a jammer-cum-receiver to jam all the signals from and to an IMD, regardless of the signals from adversaries or legal programmers. This scheme adds random jamming signals to channels even in regular working conditions, and generates antidote signals to cancel the jamming for the IMD. Nonetheless, considering the fact that the IMD works in no-attack circumstances most of the time [11], this scheme is not viable due to unnecessary jamming overheads. The work by [6] developed a guardian to perform the authentication on behalf of the IMD. With this scheme, it is possible that, when the adversary receives the failure result of its attack, it would launch another attack to deplete the battery of the IMD. However, the proposed BodyDouble can spoof the adversary to diminish attacks by sending spurious data.

II. P ROBLEM F ORMULATION In this section, we discuss adversary models and related security solutions. A. Adversary Models There are two common kinds of radio-equipped adversaries: passive eavesdroppers and active attackers: (a) Passive eavesdroppers: A passive adversary tries to capture and decode data transmissions on the communication channel with off-the-shelf or custom-built radio equipment. (b) Active attackers: An active adversary directly sends illegal commands to an IMD, aiming at modifying IMD’s settings, triggering data transmission from the IMD and/or depleting its battery. It succeeds if it can pass the authentication process of the IMD, and implement commands in the IMD. For the IMD system, active attackers are more harmful than passive eavesdroppers. The reason is that the wireless function of most IMDs, such as pacemakers, usually does not send messages actively but rely on programmers to initiate the communication first. However, an active attacker can trigger the IMDs to send messages, even modify the settings, or depleting batteries maliciously which would cause fatal consequences. Therefore, the identity of a programmer should be authenticated before any communications of parameter setting or data exchange. In our proposed scheme, the gateway will always be powered on and located on a patient’s body near the IMD. This is reasonable as the gateway can be worn on the wrist as a watch. We assume that the circumstance where the genuine programmers are present and can be identified safely, in secure settings such as clinics and hospitals, and that medical personnel are trustable. The regulatory rules and laws would apply if hospitals or doctors commit an offence. The gateway can

III. B ODY D OUBLE S YSTEM A ND P ROTOCOL D ESIGN This section presents the mechanism of the BodyDouble to authenticate the identity of programmers. The underlying system architecture is described first, followed by the high level protocol design. We finally present algorithms of this protocol in details. A. BodyDouble Scheme Architecture The design goal of the BodyDouble security scheme is that an IMD can be protected in the environment of patients’ daily life while it can be accessed immediately for the emergency treatment by doctors in any qualified hospital with no keys or credentials. The BodyDouble security scheme, as shown in Fig. 2, consists of three parts, an IMD, the attacker, and an external gateway which works as an authentication proxy for the IMD. Here the gateway adopts a structure as the jammer-cumreceiver described in [5] where two antennas are used: a 2

648

IEEE ICC 2014 - Communication and Information Systems Security Symposium

transmitting antenna and a receiving antenna. The transmitting antenna sends jamming signals and data messages, while the receiving antenna receives signals from the attacker and the IMD. Antidote signals are generated within the gateway to cancel the jamming signals at the receiving endpoint. Thus the receiving antenna can receive and decode signals successfully from the IMD and the programmer or the attacker. Within the BodyDouble security scheme, the IMD is designed to work in two modes: a regular mode and an emergency mode. In the regular mode, the IMD is protected by a gateway. In the emergency mode, the gateway is to be turned off or simply removed, so the IMD can be accessed by a programmer directly. Therefore, no keys are required for emergency access, letting the clinic practitioner focus on the required treatment. The security scheme for protecting the IMD, as shown in Fig. 2, is described as follows. If the attacker sends request to access the IMD, the gateway will receive the request at the same time. Right at the beginning of receiving the request signal, the gateway will generate a jamming signal and an antidote signal and transmit the jamming signal to the IMD. In this way, the IMD cannot decode the request from the attacker, but the receiving antenna can as the antidote signal at the receiving antenna endpoint cancels the jamming signal, as shown in [5]. Then the gateway conducts the authentication for the IMD. If it detects that there is an attacker, it would transmit a response message to establish a spoofing connection with the attacker. This mechanism makes the attacker not realize the failure of its attack, which will help to thwart repeated attacks from the same attacker. The authentication process is done with a digital signature which is appended to the rear of the request message. Here the digital signature is a bit string which is based on the unique characteristics of each IMD and can be used to identify packets destined to the IMD. This is feasible as the IMD already has unique characteristics, such as a device ID and an FCC ID [5]. One can choose a proper identifying sequence from these characteristics. Here we assume that the environment where the communication between the legal programmer and the IMD occurs is safe, so their digital ID will not be eavesdropped by the adversaries. The gateway is paired with the IMD initially. This pairing process can be established by in-band wireless pairing protocol with no pre-shared keys, as described in [12]. If a gateway is broken or lost, another one can be re-paired with the IMD at the patient’s regular hospital or clinics.

Fig. 2. BodyDouble security scheme, with partial images from [3]. The gateway uses two antennas. The receiving antenna receives request messages from the attacker, while the jamming antenna sends jamming signals and response messages to establish a spoofing connection with the attacker.

Fig. 3. The BodyDouble security protection diagram: the gateway jams the signal at the IMD antenna endpoint and does authentication on behalf of the IMD. If the authentication fails, it sends Ack(connection ID) to the attacker, which will establish a spoofing connection.

sends an acknowledgement frame with a Connected ID to the attacker to establish a spoofed connection with it. In order to avoid that a connection is established between the attacker and the IMD, a Disconnection Request is sent to the IMD from the gateway periodically until it receives a Disconnection acknowledgement frame. Then the IMD changes into the sleep state and is powered off. At this stage, the attacker is connected with the gateway, and data frames are to be exchanged via the spoofed connection. If the attacker repeats its attack, the gateway responds to it directly. Therefore, repeated attacks do not cause any damage to the IMD. As the adversary may believe that its earlier attacks were successful, it may stop launching further attacks. If the programmer is a genuine entity and not an attacker, then the authentication result is TRUE, and the gateway transmits an authentication message to the IMD via the covert encryption channel. As the IMD considers that it is in a secure or emergency environment, it sends an acknowledgement frame with a Connected ID to the programmer directly. At this stage, a connection between the programmer and the IMD is established, and data frames are to be exchanged via this connection. The protocol of this scenario is shown in Fig. 4.

B. BodyDouble Protocol Design A secure and robust protocol is presented in this subsection as mandated by the BodyDouble design. Fig. 3 shows the security protection diagram of the case when an adversary (attacker) appears. When the attacker sends a Connection Request to the IMD, the gateway receives it at the same time, as we assume that the IMD and the gateway are co-located or located close to each other. Right at the beginning of the reception of the request, the gateway transmitting antenna sends jamming signals to block the decoding process at the IMD antenna end, so that the IMD cannot successfully decode the Connection request from the attacker. Then the gateway performs authentication on behalf of the IMD. If the authentication result is FALSE, the gateway 3

649

IEEE ICC 2014 - Communication and Information Systems Security Symposium

Algorithm 1 The algorithm in the IMD Input: Connection Request from a programmer Output: Acknowledgement to programmer or gateway 1: Decode the request (the gateway, if present, transmits jamming signals to the IMD) 2: if decoding fails then 3: if IMD receives Security frame from gateway then 4: Decrypt the Security frame 5: end if 6: end if 7: if Security frame is FALSE or a Disconnection frame then 8: if the IMD is connected to the attacker then 9: Disconnect the link 10: end if 11: Send an Ack(Disconnection) to the gateway 12: Change into the sleep state 13: Power off 14: end if 15: if decoding succeeds and the Security frame is NULL then 16: Send Ack (Connected ID, Session ID) to programmer 17: Exchange data frames 18: end if

Fig. 4. The normal nommunication diagram: the gateway authenticates the identity of the programmer. If the authentication result is TRUE, the gateway informs the IMD and the IMD is to establish a communication link with the programmer.

C. The Algorithms for the BodyDouble Protocol We first describe the algorithm within the IMD. When an IMD receives a Connection Request from a programmer, it tries to decode the signals. If the decoding process succeeds, the IMD believes that the gateway is removed or powered off, and therefore it will establish a connection with the programmer directly. Otherwise, it waits for authentication results from the gateway. After receiving a Security frame, it decrypts it. If the decryption result is ”FALSE” or it receives a Disconnection frame, the IMD disconnects the connection with the attacker when it exists, sends an Ack (Disconnection) frame to the gateway, changes into the sleep state, and powers off. If the Security frame is NULL when T1 times out, the IMD sends an acknowledgement frame with a Connected ID and a Session ID to the programmer, and exchanges data frames thereafter. Here the Session ID is used to resist replay attacks and is included in all communication messages. It can be generated by a unique counter stored in the IMD’s memory and initialized to 0. Every time the counter is used, the value is incremented by 1. The details of this process are shown in Algorithm 1. If in an emergency when the gateway is removed or powered off, there is no authentication result received by the IMD. Then the process in the IMD jumps into step 16 of Algorithm 1. The IMD sends an Ack (Connected ID, Session ID) frame directly to the programmer to establish a connection. This mechanism lets the IMD to be accessed by any programmer without the use of keys or credentials, so that patients can receive treatment without any further delay in any hospital. Consequently, our design goal of accessing the IMD in emergency without keys or credentials is achieved. We next describe the algorithm in the gateway. When the gateway receives a Connection Request from a programmer, it performs an authentication process. If the result is ”TRUE”, it changes into the ”listen” state to monitor future potential attacks from other adversaries. When it receives a Connection Request message, it performs the authentication process again. Otherwise, it sends a Security (FALSE) frame to the IMD, and an Ack (Connected ID, Session ID) frame to the attacker to establish a spoofed connection. In order to avoid a connection being established between the IMD and the adversary, a Disconnection frame is sent to the IMD periodically until an Ack (Disconnection) is received. The gateway pretends to exchange data frames with the attacker. This process is shown in Algorithm 2. Here, we use an identifying sequence called identifier ID, that is, a sequence of m bits to identify a

legitimate programmer. As discussed in [5], the IMD’s unique set of identifiers, e.g., its serial number, FCC ID, can be used as the identifier ID. After decoding the Connection Request from the programmer, the gateway checks the last m bits against the defined sequence of the identifier ID. If the difference of these two sequences is more than a defined threshold number of bits, the authentication result is FALSE; otherwise it is TRUE. If the adversary attempts to selectively jam the channel between the IMD and the gateway, the IMD could not receive the Security (FALSE) frame from the gateway, and could be spoofed to change into the emergency mode. In this situation, as the gateway already knows the identity of the adversary, it keeps on sending a Disconnection frame to the IMD until it receives an acknowledgement (Disconnection) frame from it, as shown in the step 7 of the Algorithm 2. This makes sure that there is no connection between the IMD and the adversary. IV. S IMULATION A proof-of-concept simulation is run to verify the timing behavior of this security scheme. The simulation scenario consists of three nodes. One node is used as an attacker, and other two are for the IMD and the gateway security device. The gateway node is close to the IMD, at a distance of 20 centimeters approximately. The attacker node is located at a distance of about 20 meters from the IMD at the beginning, and gradually approaches the IMD at a speed of 0.5 meters per second until it is at a distance of 5 meters from the IMD before coming to a halt. Here we test the active attacks to the IMD, and consider that the adversary launches three attacks at 20s, 70s and 120s respectively. The timer T1 is set as 3s, as it is proper for a contemporary microchip to perform an authentication process within this time limit. We monitor the working state of the IMD node and the gateway node. First, we monitor the working state of the IMD when it is not protected by the gateway, as shown in Fig. 5. The state is set as 1 if the IMD node works or 0 if it does not. We can see from the figure that, when an adversary appears, a connection is 4

650

IEEE ICC 2014 - Communication and Information Systems Security Symposium

Algorithm 2 The algorithm in the gateway security device Input: Connection Request from a programmer Output: Send an Ack (Connected ID) to the attacker and a Security frame and a Disconnection frame to the IMD 1: The receiving antenna receives the request signal 2: The transmitting antenna transmits the jamming signal to the IMD 3: Decode the received request 4: Do the authentication process 5: if the result is TRUE then 6: The gateway changes into the ”listen” state 7: else If the result is FALSE 8: Transmitting antenna sends a Security (FALSE) frame to the IMD 9: Transmitting antenna sends an Ack (Connnected ID, Session ID) to the attacker 10: while Do not receive an Ack(Disconnection) do 11: Send a Disconnection frame to the IMD 12: end while 13: The transmitting antenna sends a Disconnection frame to the IMD 14: end if

Fig. 5. The Working State of the IMD Without the BodyDouble Device

Fig. 6. The Working State of the IMD Security System (IMD goes into ”sleep”)

established between the IMD node and the adversary node. The IMD node starts working with the adversary node till the attack finishes. So, in this scenario, the IMD is vulnerable to attacks throughout the session by the adversary. In the second scenario, the IMD is coupled with the gateway security device. Then we monitor the working state of the IMD node and the gateway node, as shown in Fig. 6. From this figure, we find that, when an attack appears, the IMD is activated to work for a short interval; then the IMD changes into ”sleep” state (as shown in the first part of Fig. 6). At the point of IMD changing state, the state of the gateway node changes into ”1”, which means that the gateway starts working with the adversary. Therefore, the IMD is protected by the gateway device. In Fig. 6, the IMD node changes into the ”sleep” state when detecting an adversary, but not powered off. In this scenario, we find that the IMD is activated to work every time when the adversary continues to launch further attacks. We can envision that the adversary keeps on repeating its attack, in which case, even though it does not gain access to the IMD, the battery of the IMD would still be depleted, causing fatal results to the patient. Thus, in this scheme, we choose to power off the IMD when an adversary appears; then we get the IMD working state as in Fig. 7. From this figure, we find that, even though the adversary repeats its attack, the IMD acts just once, and then switches off automatically. So, the subsequent attacks cause no damage to the IMD. Consequently, this gateway security scheme can help the IMD to resist the repeated attacks. Overall, the simulation demonstrates that, the gateway security device can protect the IMD via a spoofed communication link, and this spoofed link entices the adversary to finish its attack on the gateway, thereby conserving the resources of the IMD. The jamming function of the gateway is not verified in this simulation, and will be done in future work.

Fig. 7. The Working State of the IMD Security System (IMD powered off)

can immediately access an IMD for the emergent treatment while protecting it from adversaries in the normal circumstance. Our aim was to design a non-key based security scheme for the IMD. In this paper, the proposed BodyDouble scheme employs an external device as an authentication proxy to identify the programmers and pretends to be the IMD to establish a connection with the malicious programmer when an attack occurs. This scheme allows doctors to access the IMD without any keys in emergency by simply powering off or removing the gateway. This mechanism makes sure that patients can be treated as quickly as possible. Simulation results show that this security scheme can protect the IMD successfully in the presence of an attack by an adversary. The gateway, using an external proxy to authenticate the programmer, helps save the energy consumption for the IMD. The energy consumption of this scheme will be analyzed in our future work.

V. C ONCLUSION The security issue of the IMD wireless communication creates a unique challenge that doctors in any qualified hospital 5

651

IEEE ICC 2014 - Communication and Information Systems Security Symposium

ACKNOWLEDGMENT The authors would like to thank the reviewers for their comments that help us improve this paper. This research is supported by the International Macquarie University Research Excellence Scholarships (iMQRES). R EFERENCES D. Halperin, T. Kohno, T. S. Heydt-Benjamin, K. Fu, and W. H. Maisel, ”Security and privacy for implantable medical devices,” IEEE Pervasive Computing, vol. 7, pp. 30-39, Jan-Mar 2008. [2] D. Panescu, ”Wireless communication systems for implantable medical devices,” IEEE Engineering in Medicine and Biology Magazine, vol. 27, pp. 96-101, Mar-Apr 2008. [3] Medtronic Company Website. http://www.medtronic.com/index.htm,” 15 March 2013. [4] D. Halperin, S. S. Clark, K. Fu, T. S. Heydt-Benjamin, B. Defend, T. Kohno, B. Ransford, W. Morgan, and W. H. Maisel, ”Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses,” Proceedings of the 2008 IEEE Symposium on Security and Privacy, pp. 129-142, 2008. [5] S. Gollakota, H. Hassanieh, B. Ransford, D. Katabi, and K. Fu, ”They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices,” Proceedings of the ACM SIGCOMM 2011 conference pp. 2-13, Aug 2011. [6] F. Y. Xu, Z. R. Qin, C. C. Tan, B. S. Wang, and Q. Li, ”IMDGuard: Securing Implantable Medical Devices with the External Wearable Guardian,” Proceedings of the 2011 IEEE INFOCOM, pp. 1862-1870, 2011. [7] K. Malasri and L. Wang, ”Securing Wireless Implantable Devices for Healthcare: Ideas and Challenges,” IEEE Communications Magazine, vol. 47, pp. 74-80, Jul 2009. [8] X. L. Hei and X. J. Du, ”Biometric-based Two-level Secure Access Control for Implantable Medical Devices during Emergencies,” Proceedings of the 2011 IEEE INFOCOM, pp. 346-350, 2011. [9] N. Leavitt, ”Researchers Fight to Keep Implanted Medical Devices Safe from Hackers,” Computer, vol. 43, pp. 11-14, Aug 2010. [10] H. H. R. A. Kaadan, ”Securing wireless medical devices: a novel highly secure and lightweight cryptosystem.,” 2012 IEEE Global Telecommunications Conference, GLOBECOM 2012, pp. 960-966, Dec. 2012. [11] D. B. Kramer, M. Baker, B. Ransford, A. Molina-Markham, Q. Stewart, K. Fu, and M. R. Reynolds, ”Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance,” Plos One, vol. 7, Jul 19 2012. [12] S. G. N. A. N. Z. D. Katabi, ”Secure in-band wireless pairing,” SEC’11 Proceedings of the 20th USENIX conference on Security, pp. 16-16, 2011. [1]

6

652