short-paper

On the Feasibility of Cryptography for a Wireless Insulin Pump System

Authors:

Dave Singelée,

Ingrid Verbauwhede,

Bart PreneelAuthors Info & Claims

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

Pages 113 - 120

https://doi.org/10.1145/2857705.2857746

Published: 09 March 2016 Publication History

Abstract

This paper analyses the security and privacy properties of a widely used insulin pump and its peripherals. We eavesdrop the wireless channel using Commercial Off-The-Shelf (COTS) software-based radios to intercept the messages sent between these devices; fully reverse-engineer the wireless communication protocol using a black-box approach; and document the message format and the protocol state-machine in use. The upshot is that no standard cryptographic mechanisms are applied and hence the system is shown to be completely vulnerable to replay and message injection attacks. Furthermore, sensitive patient health-related information is sent unencrypted over the wireless channel.

Motivated by the results of our attacks, we study the feasibility of applying cryptography to protect the data transmitted over the air and prevent unauthorized access to the insulin pump. We present a solution based on AES in combination with an updated message format optimized for energy consumption. We implement our solution on a 16-bit micro-controller and evaluate its security properties and energy requirements. Finally, we discuss potential strategies for further reducing the energy consumption.

References

[1]

Federal Communications Commission (FCC) ID. http://www.fcc.gov/encyclopedia/fcc-search-tools.

[2]

LabVIEW. http://www.ni.com/labview.

[3]

MSP430FRxx FRAM Ultra-low-power Microcontrollers. http://www.ti.com.

[4]

NI USRP-2920. http://www.ni.com.

[5]

OpenMSP430 Project. http://www.opencore.org/.

[6]

Random Number Generation Using the MSP430. http://www.ti.com/lit/an/slaa338/slaa338.pdf.

[7]

TX6001, RX6001 datasheets. http://www.rfm.com.

[8]

L. Chunxiao, A. Raghunathan, and N. Jha. Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In e-Health Networking Applications and Services (Healthcom), 2011 13th IEEE International Conference on, pages 150--156, Jun 2011.

[9]

J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, 2002.

Digital Library

[10]

S. Gollakota, H. Hassanieh, B. Ransford, D. Katabi, and K. Fu. They Can Hear Your Heartbeats: Non-invasive Security for Implantable Medical Devices. SIGCOMM Comput. Commun. Rev., 41(4):2--13, Aug. 2011.

Digital Library

[11]

D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel. Security and Privacy for Implantable Medical Devices. IEEE Pervasive Computing, Special Issue on Implantable Electronics, 7(1):30--39, Jan. 2008.

Digital Library

[12]

D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, pages 129--142, May 2008.

Digital Library

[13]

X. Hei, X. Du, S. Lin, and I. Lee. PIPAC: Patient infusion pattern based access control scheme for wireless insulin pump system. In INFOCOM, 2013 Proceedings IEEE, pages 3030--3038, Apr 2013.

[14]

M. Rostami, A. Juels, and F. Koushanfar. Heart-to-heart (H2H): authentication for implanted medical devices. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4--8, 2013citeDBLP:conf/ccs/2013, pages 1099--1112.

Digital Library

[15]

F. Stajano and R. J. Anderson. The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. In Proceedings of the 7th International Workshop on Security Protocols, pages 172--194, London, UK, 2000. Springer-Verlag.

Digital Library

[16]

A. Van Herrewege, V. van der Leest, A. Schaller, S. Katzenbeisser, and I. Verbauwhede. Secure PRNG Seeding on Commercial Off-the-shelf Microcontrollers. In Proceedings of the 3rd International Workshop on Trustworthy Embedded Devices, TrustED '13, pages 55--64, New York, NY, USA, 2013. ACM.

Digital Library

Cited By

Catuogno LGaldi C(2024)Implantable Medical Device SecurityCryptography10.3390/cryptography80400538:4(53)Online publication date: 15-Nov-2024
https://doi.org/10.3390/cryptography8040053
Zhang MMarin ERyan MKostakos VMurray TTag BOswald D(2024)OOBKey: Key Exchange with Implantable Medical Devices Using Out-Of-Band ChannelsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670876(1-13)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3670876
Kleber SKargl F(2022)Refining Network Message Segmentation with Principal Component Analysis2022 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS56114.2022.9947242(281-289)Online publication date: 3-Oct-2022
https://doi.org/10.1109/CNS56114.2022.9947242
Show More Cited By

Index Terms

On the Feasibility of Cryptography for a Wireless Insulin Pump System
1. Security and privacy
  1. Cryptography
  2. Network security
    1. Mobile and wireless security
2. Social and professional topics
  1. Computing / technology policy
    1. Intellectual property
      1. Software reverse engineering

Recommendations

Nonmalleable Cryptography

The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext ...
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
SP '11: Proceedings of the 2011 IEEE Symposium on Security and Privacy

This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse ...
A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography
Invited Tutorial

Side-channel attacks have become a severe threat to the confidentiality of computer applications and systems. One popular type of such attacks is the microarchitectural attack, where the adversary exploits the hardware features to break the protection ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

March 2016

340 pages

ISBN:9781450339353

DOI:10.1145/2857705

General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Alexander Pretschner
Technische Universität München, Germany

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 March 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Funding Sources

Research Council KU Leuven: C16/15/058

Conference

CODASPY'16

Sponsor:

SIGSAC

CODASPY'16: Sixth ACM Conference on Data and Application Security and Privacy

March 9 - 11, 2016

Louisiana, New Orleans, USA

Acceptance Rates

CODASPY '16 Paper Acceptance Rate 22 of 115 submissions, 19%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

25
Total Citations
View Citations
411
Total Downloads

Downloads (Last 12 months)27
Downloads (Last 6 weeks)10

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Catuogno LGaldi C(2024)Implantable Medical Device SecurityCryptography10.3390/cryptography80400538:4(53)Online publication date: 15-Nov-2024
https://doi.org/10.3390/cryptography8040053
Zhang MMarin ERyan MKostakos VMurray TTag BOswald D(2024)OOBKey: Key Exchange with Implantable Medical Devices Using Out-Of-Band ChannelsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670876(1-13)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3670876
Kleber SKargl F(2022)Refining Network Message Segmentation with Principal Component Analysis2022 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS56114.2022.9947242(281-289)Online publication date: 3-Oct-2022
https://doi.org/10.1109/CNS56114.2022.9947242
Zhang MMarin EOswald DSingelée D(2022)FuzzyKey: Comparing Fuzzy Cryptographic Primitives on Resource-Constrained DevicesSmart Card Research and Advanced Applications10.1007/978-3-030-97348-3_16(289-309)Online publication date: 9-Mar-2022
https://doi.org/10.1007/978-3-030-97348-3_16
panda APinisetty SRoop PArun-Kumar SMery DSaha IZhang L(2021)A secure insulin infusion system using verification monitorsProceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design10.1145/3487212.3487342(56-65)Online publication date: 20-Nov-2021
https://dl.acm.org/doi/10.1145/3487212.3487342
Berardinelli GBaracca PAdeogun RKhosravirad SSchaich FUpadhya KLi DTao TViswanathan HMogensen P(2021)Extreme Communication in 6G: Vision and Challenges for ‘in-X’ SubnetworksIEEE Open Journal of the Communications Society10.1109/OJCOMS.2021.31215302(2516-2535)Online publication date: 2021
https://doi.org/10.1109/OJCOMS.2021.3121530
Hao BHei X(2019)Voice Liveness Detection for Medical DevicesDesign and Implementation of Healthcare Biometric Systems10.4018/978-1-5225-7525-2.ch005(109-136)Online publication date: 2019
https://doi.org/10.4018/978-1-5225-7525-2.ch005
Marin EArgones Rúa ESingelée DPreneel BKerschbaum FMashatan ANiu JLee A(2019)On the Difficulty of Using Patient's Physiological Signals in Cryptographic ProtocolsProceedings of the 24th ACM Symposium on Access Control Models and Technologies10.1145/3322431.3325099(113-122)Online publication date: 28-May-2019
https://dl.acm.org/doi/10.1145/3322431.3325099
Kleber SMaile LKargl F(2019)Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic AnalysisIEEE Communications Surveys & Tutorials10.1109/COMST.2018.286754421:1(526-561)Online publication date: Sep-2020
https://doi.org/10.1109/COMST.2018.2867544
Ping YHao BHei XTu YDu XWu J(2019)Feature Fusion and Voiceprint-Based Access Control for Wireless Insulin Pump SystemsIEEE Access10.1109/ACCESS.2019.29378057(121286-121302)Online publication date: 2019
https://doi.org/10.1109/ACCESS.2019.2937805
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten