Outline Introduction Methodology Evaluation Conclusion

Computer Science, College of William and Mary

IMDGuardSecuring Implantable Medical Devices with the External

Wearable Guardian

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

April 13, 2011

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Outline

1 IntroductionSecurity ProblemNew InfrastructureChallenges

2 MethodologyAdversary ModelDescriptionImplementation

3 Evaluation

4 Conclusion

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Outline

1 IntroductionSecurity ProblemNew InfrastructureChallenges

2 MethodologyAdversary ModelDescriptionImplementation

3 Evaluation

4 Conclusion

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

What is Implantable Medical Devices (IMDs))

IMDs are a group of medical devices implanted inside patients’bodies to provide daily monitoring or treatments, such asmeasuring insulin level, regulating heart rhythm, and providingvisual sight.

Intracranial Sensor Cardiac Defibrillator Pacemaker X-ray Image ofInstalled Pacemaker

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Trend of Modern IMDs

Multifarious function. It has been integrated into manyIMDs that the flexible therapy configuration, physicalcondition monitoring, and diagnostic data stage.

Wireless capability. It is common to find out current IMDsshipped with wireless communication interface. The frequencyband used by IMDs has been approved by U.S. FederalCommunications Commission and EuropeanTelecommunications Standards Institute.

Large demands. 25 million US citizens depend upon IMDs,reported in 2001. This demand is excepted to continueincreasing 8.3 percent annually through 2014.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Security Problem

Current Communication Model

IMD Programmer

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Security Problem

Potential Attacks

All wireless interactions occurred daily on patients’ IMDs currentlyare not protected, which can be leveraged by vandals.

A recent study demonstrated that, by using equipments availableon the markets, an IMD is able to be reprogrammed, putting thepatient’s life in danger.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Security Problem

Motivation

tension between security and safety

accessible only to authorized identities(keys)

renewing key requires previous authorized keys

key lost or damaged

unauthorized access in emergency

mulfunctioning

Outline Introduction Methodology Evaluation Conclusion

Security Problem

Motivation

tension between security and safety

accessible only to authorized identities(keys)

renewing key requires previous authorized keys

key lost or damaged

unauthorized access in emergency

mulfunctioning

How to design a security schemefor IMDs that protects IMDs inregular situations,but safely allowaccess in any emergency withoutassistance from the patient?

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

New Infrastructure

New Infrastructure

IMDProgrammer

authorized

unauthorized

unauthorized in emergency

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

New Infrastructure

New Infrastructure

IMDProgrammer

authorized

unauthorized

unauthorized in emergency

Guardian

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

New Infrastructure

New Infrastructure

IMDProgrammer

authorized

unauthorized

unauthorized in emergency

Guardian

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

New Infrastructure

New Infrastructure

IMDProgrammer

authorized

unauthorized

unauthorized in emergency

Guardian

authorized

unauthorized

unauthorized in emergency

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Challenges

First Challenge

IMDProgrammer

Guardian

key establishmentor renewal

requirements:

do not require prior sharedsecrets

secure in any circumstance

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Challenges

Second Challenge

IMDProgrammer

authorized

unauthorized

unauthorized in emergency

Guardian

spoofing attack

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Outline

1 IntroductionSecurity ProblemNew InfrastructureChallenges

2 MethodologyAdversary ModelDescriptionImplementation

3 Evaluation

4 Conclusion

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Adversary Model

Adversary Model

Consider an adversary whose goal is trying to program to orretrieve data from the IMD without being caught.

Assume the adversary cannot physically measure the patient’sreal-time ECG signals without being detected.

Assume there is no adversary in an emergency situation.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

Overview

IMDGuard is a novel security scheme forIMD-Guardian-Programmer infrastructure.

IMDGuard incorporates two techniques tailored to providedesirable protections for IMDs.

1 ECG-based secure key extraction. It allows the IMDsecurely pairs to an legitimate Guardian without any priorshared secrets.

2 Spoofing-resistant access control. It provides security tothe IMD in normal cases, and only grants accessibility to anyprogrammer in real emergency.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

Secure Key Establishment Scheme Based on ECG Signals

ECG Delineation

100 200 300 400 500 600275

280

285

290

295

300

305

310

315

IPI (in u

nit o

f 4 m

illiseconds)

IPI index

Average of IPIs

IPI fluctuation

00101010101010101001010011010110110101011011

Secret Key

i quantization

ii reconciliation

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

Secure Key Establishment Scheme Based on ECG Signals

ECG Delineation

100 200 300 400 500 600275

280

285

290

295

300

305

310

315

IPI (in u

nit o

f 4 m

illiseconds)

IPI index

Average of IPIs

IPI fluctuation

00101010101010101001010011010110110101011011

Secret Key

i quantization

ii reconciliation

Quantization:

We map each IPI fluctuation into a n-bitbinary string.

Occurrences of different n-bit binary stringmappings are equally likely.

In order to reduce the mismatched bits oftwo sides, we pick proper n and apply graycode.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

Secure Key Establishment Scheme Based on ECG Signals

ECG Delineation

100 200 300 400 500 600275

280

285

290

295

300

305

310

315

IPI (in u

nit o

f 4 m

illiseconds)

IPI index

Average of IPIs

IPI fluctuation

00101010101010101001010011010110110101011011

Secret Key

i quantization

ii reconciliation

Quantization:

We map each IPI fluctuation into a n-bitbinary string.

Occurrences of different n-bit binary stringmappings are equally likely.

In order to reduce the mismatched bits oftwo sides, we pick proper n and apply graycode.

Reconciliation:

Exchange a bit information so that bothsides can agree on a secret composed ofidentical binary strings.

Remove the leaked information to condensethe entropy of generated secret.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

Secure Key Establishment Scheme Based on ECG Signals

ECG Delineation

100 200 300 400 500 600275

280

285

290

295

300

305

310

315

IPI (in u

nit o

f 4 m

illiseconds)

IPI index

Average of IPIs

IPI fluctuation

00101010101010101001010011010110110101011011

Secret Key

i quantization

ii reconciliation

Quantization:

We map each IPI fluctuation into a n-bitbinary string.

Occurrences of different n-bit binary stringmappings are equally likely.

In order to reduce the mismatched bits oftwo sides, we pick proper n and apply graycode.

Reconciliation:

Exchange a bit information so that bothsides can agree on a secret composed ofidentical binary strings.

Remove the leaked information to condensethe entropy of generated secret.

Features:

No need to change IMDs’ hardware design.

Ensured information-theoretic security.

Robust against man-in-the-middle attacks.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

Spoofing-resistant Access Control

Motivation

It is unknown how powerful the adversary is.

Collaboration is possible between the IMD and Guardian.

Strategy

Guardian jams IMD’s message to block illegal interactions whenencountering spoofing attacks.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

When There is no Spoofing Attacks

IMD Programmer Guardian

access attempt overhear

notification

Public-key authentication

legitimate one

session key

secure comm.

notification

session key

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Description

Defensive Jamming against Spoofing Attacks

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Implementation

Prototype Implementation

Total code size of IMDGuard prototypeModule ROM(bytes) RAM (bytes)IMD 20656 1056

Programmer 20754 1060Guardian 20614 1050

ECC 42190 1931Key Extraction 10078 887

ECG Delineation 18720 9652

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Outline

1 IntroductionSecurity ProblemNew InfrastructureChallenges

2 MethodologyAdversary ModelDescriptionImplementation

3 Evaluation

4 Conclusion

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Key Establishment

1 Variance. The historic records of the same person do nothelp adversary to guess the generated key, neither do that ofother people.

2 Efficiency. On average a secret key can be extracted in 45seconds.

3 Randomness. Generated keys can pass National Institute ofStandards and Technology (NIST) Randomness testing suite.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Access Control Protocol

Defensive JammingEffectiveness

1 2 3 4 5 6 70

0.2

0.4

0.6

0.8

1jammer power level 0dBm

1 2 3 4 5 6 70

0.2

0.4

0.6

0.8

1jammer power level −10dBm

1 2 3 4 5 6 70

0.2

0.4

0.6

0.8

1jammer power level −15dBm

1 2 3 4 5 6 70

0.2

0.4

0.6

0.8

1jammer power level −25dBm

Prototype Timing Information

Overhead in Time (ms)Situation Operation Overhead

AuthenticationSigning(20bytes) 1550Verification(20bytes) 2221Others 50

Guardian RemovedChallenge Transfer 512Others 14

Guardian Jamming Session Deny 1501

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Outline

1 IntroductionSecurity ProblemNew InfrastructureChallenges

2 MethodologyAdversary ModelDescriptionImplementation

3 Evaluation

4 Conclusion

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Conclusion

1 We are the first to propose a rigorously information-theoreticsecure extraction scheme, and evaluate its performance onresource constrained embedded systems.

2 We are the first to finalize and implement a comprehensivesecure protocol for the IMD-Guardian-Programmerinfrastructure.

3 We perform extensive experiments on our prototype toevaluate the validity and performance of IMDGuard.

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard

Outline Introduction Methodology Evaluation Conclusion

Thank You

Any question

Fengyuan Xu, Zhengrui Qin, Chiu C Tan, and Qun Li

IMDGuard