skip to main content
10.1145/2857705.2857746acmconferencesArticle/Chapter ViewAbstractPublication PagescodaspyConference Proceedingsconference-collections
short-paper

On the Feasibility of Cryptography for a Wireless Insulin Pump System

Published: 09 March 2016 Publication History

Abstract

This paper analyses the security and privacy properties of a widely used insulin pump and its peripherals. We eavesdrop the wireless channel using Commercial Off-The-Shelf (COTS) software-based radios to intercept the messages sent between these devices; fully reverse-engineer the wireless communication protocol using a black-box approach; and document the message format and the protocol state-machine in use. The upshot is that no standard cryptographic mechanisms are applied and hence the system is shown to be completely vulnerable to replay and message injection attacks. Furthermore, sensitive patient health-related information is sent unencrypted over the wireless channel.
Motivated by the results of our attacks, we study the feasibility of applying cryptography to protect the data transmitted over the air and prevent unauthorized access to the insulin pump. We present a solution based on AES in combination with an updated message format optimized for energy consumption. We implement our solution on a 16-bit micro-controller and evaluate its security properties and energy requirements. Finally, we discuss potential strategies for further reducing the energy consumption.

References

[1]
Federal Communications Commission (FCC) ID. http://www.fcc.gov/encyclopedia/fcc-search-tools.
[2]
LabVIEW. http://www.ni.com/labview.
[3]
MSP430FRxx FRAM Ultra-low-power Microcontrollers. http://www.ti.com.
[4]
NI USRP-2920. http://www.ni.com.
[5]
OpenMSP430 Project. http://www.opencore.org/.
[6]
Random Number Generation Using the MSP430. http://www.ti.com/lit/an/slaa338/slaa338.pdf.
[7]
TX6001, RX6001 datasheets. http://www.rfm.com.
[8]
L. Chunxiao, A. Raghunathan, and N. Jha. Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In e-Health Networking Applications and Services (Healthcom), 2011 13th IEEE International Conference on, pages 150--156, Jun 2011.
[9]
J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, 2002.
[10]
S. Gollakota, H. Hassanieh, B. Ransford, D. Katabi, and K. Fu. They Can Hear Your Heartbeats: Non-invasive Security for Implantable Medical Devices. SIGCOMM Comput. Commun. Rev., 41(4):2--13, Aug. 2011.
[11]
D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel. Security and Privacy for Implantable Medical Devices. IEEE Pervasive Computing, Special Issue on Implantable Electronics, 7(1):30--39, Jan. 2008.
[12]
D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, pages 129--142, May 2008.
[13]
X. Hei, X. Du, S. Lin, and I. Lee. PIPAC: Patient infusion pattern based access control scheme for wireless insulin pump system. In INFOCOM, 2013 Proceedings IEEE, pages 3030--3038, Apr 2013.
[14]
M. Rostami, A. Juels, and F. Koushanfar. Heart-to-heart (H2H): authentication for implanted medical devices. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4--8, 2013citeDBLP:conf/ccs/2013, pages 1099--1112.
[15]
F. Stajano and R. J. Anderson. The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. In Proceedings of the 7th International Workshop on Security Protocols, pages 172--194, London, UK, 2000. Springer-Verlag.
[16]
A. Van Herrewege, V. van der Leest, A. Schaller, S. Katzenbeisser, and I. Verbauwhede. Secure PRNG Seeding on Commercial Off-the-shelf Microcontrollers. In Proceedings of the 3rd International Workshop on Trustworthy Embedded Devices, TrustED '13, pages 55--64, New York, NY, USA, 2013. ACM.

Cited By

View all
  • (2024)Implantable Medical Device SecurityCryptography10.3390/cryptography80400538:4(53)Online publication date: 15-Nov-2024
  • (2024)OOBKey: Key Exchange with Implantable Medical Devices Using Out-Of-Band ChannelsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670876(1-13)Online publication date: 30-Jul-2024
  • (2022)Refining Network Message Segmentation with Principal Component Analysis2022 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS56114.2022.9947242(281-289)Online publication date: 3-Oct-2022
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
March 2016
340 pages
ISBN:9781450339353
DOI:10.1145/2857705
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 March 2016

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. cryptography
  2. proprietary wireless communication protocol
  3. software radio-based attacks

Qualifiers

  • Short-paper

Funding Sources

  • Research Council KU Leuven: C16/15/058

Conference

CODASPY'16
Sponsor:

Acceptance Rates

CODASPY '16 Paper Acceptance Rate 22 of 115 submissions, 19%;
Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)27
  • Downloads (Last 6 weeks)10
Reflects downloads up to 28 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Implantable Medical Device SecurityCryptography10.3390/cryptography80400538:4(53)Online publication date: 15-Nov-2024
  • (2024)OOBKey: Key Exchange with Implantable Medical Devices Using Out-Of-Band ChannelsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670876(1-13)Online publication date: 30-Jul-2024
  • (2022)Refining Network Message Segmentation with Principal Component Analysis2022 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS56114.2022.9947242(281-289)Online publication date: 3-Oct-2022
  • (2022)FuzzyKey: Comparing Fuzzy Cryptographic Primitives on Resource-Constrained DevicesSmart Card Research and Advanced Applications10.1007/978-3-030-97348-3_16(289-309)Online publication date: 9-Mar-2022
  • (2021)A secure insulin infusion system using verification monitorsProceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design10.1145/3487212.3487342(56-65)Online publication date: 20-Nov-2021
  • (2021)Extreme Communication in 6G: Vision and Challenges for ‘in-X’ SubnetworksIEEE Open Journal of the Communications Society10.1109/OJCOMS.2021.31215302(2516-2535)Online publication date: 2021
  • (2019)Voice Liveness Detection for Medical DevicesDesign and Implementation of Healthcare Biometric Systems10.4018/978-1-5225-7525-2.ch005(109-136)Online publication date: 2019
  • (2019)On the Difficulty of Using Patient's Physiological Signals in Cryptographic ProtocolsProceedings of the 24th ACM Symposium on Access Control Models and Technologies10.1145/3322431.3325099(113-122)Online publication date: 28-May-2019
  • (2019)Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic AnalysisIEEE Communications Surveys & Tutorials10.1109/COMST.2018.286754421:1(526-561)Online publication date: Sep-2020
  • (2019)Feature Fusion and Voiceprint-Based Access Control for Wireless Insulin Pump SystemsIEEE Access10.1109/ACCESS.2019.29378057(121286-121302)Online publication date: 2019
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media