DOI: 10.1145/3359986.3361200 | MEMOCODE Conference Proceedings
research-article
Honorable Mention

Securing implantable medical devices with runtime enforcement hardware

Published: 09 October 2019

ABSTRACT

In recent years we have seen numerous proof-of-concept attacks on implantable medical devices such as pacemakers. Attackers aim to breach the strict operational constraints that these devices operate within, with the end goal of compromising patient safety and health. Most efforts to prevent these kinds of attacks are informal, and focus on application- and system-level security, for instance using encrypted communications and digital certificates for program verification. However, these approaches will struggle to prevent all classes of attacks. Runtime verification has been proposed as a formal methodology for monitoring the status of implantable medical devices. Here, if an attack is detected, a warning is generated. This leaves open the risk that the attack can succeed before intervention can occur. In this paper, we propose a runtime-enforcement-based approach for ensuring patient security. Custom hardware is constructed for individual patients to ensure a safe minimum quality of service at all times. To ensure correctness, we formally verify the hardware using a model checker. We present our approach through a pacemaker case study and demonstrate that it incurs minimal overhead in terms of execution time and power consumption.

