Security Vulnerabilities On Implantable Medical Devices

Download as pdf or txt
Download as pdf or txt
You are on page 1of 4

Security Vulnerabilities on Implantable Medical

Devices
Ana Longras Henrique Oliveira Sara Paiva
Instituto Politécnico de Viana do Castelo Instituto Politécnico de Viana do Castelo Instituto Politécnico de
Viana do Castelo, Portugal Viana do Castelo, Portugal Viana do Castelo, Portugal
[email protected] [email protected] [email protected]

Abstract — Implantable medical devices are used for critical


functions like diagnosis, prevention, control, treatment or life-
enhancing patients with chronic diseases, through diagnosing
and/or monitoring for better care and quality of patients' lives.
Communication between medical devices and healthcare
professionals is of utmost importance to treat health data and
critical functions without the need for patient surgery.
Increasingly, the development, implementation and use of
security mechanisms that can provide the availability of
information, the integrity of medical devices and the
confidentiality of data are needed. Alteration of data, theft,
improper access to this information, or even denial of service in a
healthcare system can lead to the death of patients on devices
such as these essential to life. This paper mainly contribution is a
research on implantable medical device vulnerabilities and attack Figure 1. Wireless implantable medical devices (adapted from [14])
mitigation strategies.
The end of wired devices eliminates restrictions on body
Keywords - Medical Devices; Security; Vulnerabilities; Attacks; positions, or on fragile structures such as the heart or spinal
Mitigation.
cord that would be damaged by moving wires, helps simplify
I. INTRODUCTION surgical procedures and help minimize common surgical
complications in implants when using wired connections [5].
The rapid aging of the world population is an undeniable fact. Hence devices are increasingly equipped with wireless,
It is estimated that in 20 years, 20% of the world population is Bluetooth or radio frequency telemetry (RF) communication
over 65 years old, according to the Population Reference capabilities. However, the evolution of medical device
Bureau [1]. For economic and public health reasons, ensuring communication technologies has not been accompanied by
quality and health care for the elderly is a priority. Wearables increased security. The number of health safety incidents has
and implantable medical devices (IMDs) are a way to achieve been increasing, as shown in Figure 2.
this goal and today, given the advances in technology, it is
perfectly possible to develop and make it accessible to
everyone. Nowadays, there are several implantable medical
devices, from hearing aids, pacemakers, neurostimulators,
insulin pumps to retinal implants [2], as shown in Figure 1.
They provide healthcare and quality services such as
monitoring, memory enhancement, managing of home
appliances, access to medical access and communication in
emergency situations. The way these devices communicate
between themselves and central servers and/or databases is
something to have in mind as it is an aspect over which attacks
can occur. The concept of telemetry arises in this context [3]
as it refers to the communication process where measurement
data is collected from remote or inaccessible locations and
then made available at a receiving monitor [4]. Wireless
Figure 2 - Number of healthcare hacking incidents
communications are present on most devices nowadays.

2020 15th Iberian Conference on Information Systems and Technologies (CISTI)


24 – 27 June 2020, Seville, Spain
ISBN: 978-989-54659-0-3
Authorized licensed use limited to: Concordia University Library. Downloaded on October 31,2024 at 15:22:11 UTC from IEEE Xplore. Restrictions apply.
The most widely used wireless communication is now Wi-Fi, frequency communication, Wi-Fi connections and the lack of
a mechanism that is widely exposed to vulnerabilities and a authentication validation.
mean to conduct security attacks. This paper describes the
results of research on implantable medical device
A. Radio Frequency Communication
vulnerabilities, highlighting the radio frequency and wi-fi
communications used to send packets between the device and Devices that use radio frequency (RF) to communicate has a
the monitoring system. Introducing key security concerns low probability that attacks are successful as the attack needs
associated with device architecture and deployment and usage, to be done at close range from the patient. Radiofrequency
listing possible system failures, threats, attacks, and mitigation function is activated in the hospital during follow-up
measures for device vulnerabilities. appointments [8]. There is a need for short-range patient
access with active RF functionality for an attach to be
This paper is structured as follows. Section II consists of a executed. The frequency of any wireless device is publicly
brief introduction to the topic of medical and implantable available online and is easily obtained from the Federal
devices. The most common vulnerabilities of these devices are Communications Commission ID (FCC ID). On some devices,
presented in section III, while Section IV presents models of it is also available on the back of the device [9]. The result of
possible attacks that affect systems where medical devices are successful radio frequency scanning may include the ability to
used. Section V is based on presenting measures to mitigate read and write any valid memory location on the device [10].
vulnerabilities by preventing the success or at least decreasing
the severity of potential attacks. Finally, we present B. Wi-Fi Connection
conclusions of this work.
In addition to radio frequency communication, attacks can
occur during a period when the device is connected to the
II. MEDICAL DEVICES OVERVIEW internet, over Wi-Fi communication to send or receive data.
Packet exchange is through clear text, so an attacker could
capture data exchange packets and extract sensitive
As afore mentioned, many IMDs use telemetry which consists
information such as device serial numbers. There are several
of measuring medical devices data and remotely transmitting
models of medical devices with this vulnerability, such as the
this data to a central monitoring point to track the control,
example identified in CVE-2018-10634 [11]. This
maintenance and performance of medical devices. In this
vulnerability undermines the integrity and confidentiality of
scenario, there are two main aspects concerning security and
data obtained from insulin pumps and most devices that use
safety in the architecture of solutions of IMDs: the medical
Wi-Fi communications [12].
device and the monitoring system. Regarding the medical
device, it contains confidential patient data and information,
and also provides access to sensitive medical information C. Lack of authentication validation
[6][7], facts that require big security concerns. IMDs are also Pacemakers and Implantable cardioverter defibrillator (ICDs)
deployed to control substances in the body, insert treatments, devices that transmit heartbeat load data or heart failure
and other vital functionalities so assuring they are not attacked metrics, contain a magnetic switch (or sensor) that is activated
can be a matter of serious health conditions or even life or by strong magnetic fields [13]. Current magnetic key-based
dead situations. On another hand, insurance companies are a access does not require any authentication system and is
major stakeholder in accessing IMD data. If, on the one hand, therefore insecure. Table 1 presents a summary of what was
they are interested in having access to the information in order previously explained in relation to the severity of the risk, the
to refuse to make or renew or increase the insurance amount description of the risk as well as examples of how the attack
based on the patient's risk; on the other hand, they are the can be carried out.
providers of equipment to patients, when they are aware of the
vulnerabilities, they can claim compensation. Regarding TABLE 1 – Level of vulnerability of medical devices.
monitoring systems, they keep a history of transmissions, vital
signs, device battery longevity, a symptom diary, device Security Description Examples
information and other useful information depending on the Low - 0
Neither vulnerabilities Device with upgraded
type of the device. Many of them run on operating systems nor malware on device software version
like windows XP, with several known vulnerabilities which Vulnerabilities on
Weakness in protocol
compromise the monitoring system of these solutions and Moderate - 1 Potential buffer
device, no exploits yet
overflow
hence the entire solution.
Protocol weakness or
Vulnerabilities on
buffer overflow can be
High - 2 device with known
used for unauthorized
III. VULNERABILITIES exploits
access
There are several vulnerabilities associated to the usage of Hardware Trojan or
IMDs that will be described in this section, namely radio Very High - 3 Malware on device software backdoor on
device

2020 15th Iberian Conference on Information Systems and Technologies (CISTI)


24 – 27 June 2020, Seville, Spain
ISBN: 978-989-54659-0-3
Authorized licensed use limited to: Concordia University Library. Downloaded on October 31,2024 at 15:22:11 UTC from IEEE Xplore. Restrictions apply.
it will cause the IMD to perform multiple authentications and
IV. ATTACKS ON IMPLANTABLE MEDICAL DEVICES thus expend a lot of the required battery power. In addition,
this type of attack generates a large amount of security logs,
Until now, security attacks on medical devices have been
overloading IMD storage. By reducing battery life, damage
relatively rare, but IMDs are being increasingly common,
can render the device inefficient. Next we summarize some
thereby increasing the incentives to attack them for profit. A
types of attacks to medical devices, such as radio jamming,
modern pacemaker has the capability to collect information
main-in-the-middle attack, replay attack and code injection.
about patient and transmit it via Wi-Fi to an access point or
medical devices used during hospital checkups. The access
Radio Jamming: this type of DoS occurs when
point devices, which collect information about the patient’s
communication is blocked, and interference is created. The
health while at home, sends the data to remote servers.
attacker abuses system resources by repeatedly sending valid
Pacemakers that can send data via the internet can help
or invalid messages [17].
patients with mobility issues. However, the communications
protocols used when sending the data to remote servers is very
Man-in-the-middle attack: The attacker listens to gain access
trivial and is susceptible of being hacked [14]. Concern about
to sensitive health information, neither interrupting nor
the vulnerability of medical devices like as pacemakers, ICDs,
altering communications. Another situation will be that the
insulin pumps, defibrillators, fetal monitors and scanners is
attacker may choose to intercept data or code from a medical
growing as healthcare facilities increasingly rely on devices
device while radio frequencies are active, to relay altered data
that connect with each other, with hospital medical record
to the monitor or alarm system [17].
systems and with the internet. Already in 2015, two security
researchers discovered over 68,000 medical systems that were
Replay attack: this attack also consists of the intersection and
exposed online, and 12,000 of them belonged to one
representation of the medical device or a monitoring system,
healthcare organization [15]. The major concern with this
represented by a network attack in which valid data is
discovery was that these devices were connected to the
manipulated. Such an attack can be used not to receive
Internet through computers running very old versions of
treatment, for example, by mixing the order of packets
Windows XP, a version of the OS which is known to have lots
arriving at IMD or worse, continuously sending the same
of exploitable vulnerabilities. These devices were discovered
message to medical devices to the monitoring system.
by using Shodan, a search engine that can find IoT devices
online that are connected to the Internet. These are easy to
Code injection: occurs when the attacker modifies the source
hack via brute-force attacks and using hard-coded logins.
code on a medical device, monitor or even a possible alarm
Attacks can cause failures such as exposing confidential
system to perform an undefined operation, for example,
patient information, mishandling, poor monitoring, access to
modifying the pacemaker software to constantly provide
the equipment system, changing device scheduled tasks,
electric shocks.
creating battery swings or even administering inappropriate
stimuli or disabling alarms. As afore mentioned,
Table 2 summarizes potential vulnerabilities with their attacks,
implantable medical devices (IMDs) have very limited power
likelihood of attack, and system impact.
resources, are powered by a non-rechargeable battery, and
replacing the battery requires surgery, processing, and
information storage. Due to limited resources, they are very TABLE 2 – List of vulnerabilities.
vulnerable to resource exhaustion attacks.
The exploitation of Wi-Fi communication for not Threats Attack Probability Impact
demanding proximity to the victim is the most used for -Read and write
attacks. The ease of deploying backdoors in hospital networks, Low – need to be any valid
Radio Frequency
and with medical devices connected to the same hospital Communication
Scanning done at close memory location
network, multiple systems can be infected with malware, range on the device;
- Data corruption.
including the possibility of twenty-four insulin pump and
pacemaker failures allowing remote control [16]. Medium – need
-Undermines the
Attacks such as a resource exhaustion attack, known as a Capture/
the device connect
integrity and
forced authentication attack, is a type of denial of service Wi-Fi Connection to the internet. But
Sniffing confidentiality of
packets are in
attack (DoS). This attack applies to IMDs that communicate clear text
data obtained
wirelessly with external readers or monitors. When an external
reader attempts to connect to an IMD, the first step is the
Lack of
authentication between the IMD and the reader. If the authentication DoS
Low – need strong -System
authentication is not successful, the IMD will discontinue the magnetic fields Availability
validation
communication with the reader. However, the authentication
process itself requires IMD to make some communications,
which consume a considerable amount of power and if an
unauthorized reader repeatedly attempts to connect to an IMD,

2020 15th Iberian Conference on Information Systems and Technologies (CISTI)


24 – 27 June 2020, Seville, Spain
ISBN: 978-989-54659-0-3
Authorized licensed use limited to: Concordia University Library. Downloaded on October 31,2024 at 15:22:11 UTC from IEEE Xplore. Restrictions apply.
V. ATTACK MITIGATION [3] Moravejosharieh A, Lioret J. Performance evaluation of collocated ieee
802.15.4-based wireless body sensor networks. Annals of
A successful attack can alter the behavior of a medical Telecommunications. 2016; 71(9/10):425-40.
device. One thing to be done is to validate the security of the
[4] R. Ritter, J. Handwerker, T. Liu and M. Ortmanns, "Telemetry for
device firmware implementation as sources cannot be Implantable Medical Devices: Part 1 - Media Properties and Standards," in
modified without authorization. It is also important to encrypt IEEE Solid-State Circuits Magazine, vol. 6, no. 2, pp. 47-51, Spring 2014.
the firmware installed on medical devices to prevent
decryption of content. Another measure will be to [5] Ferguson JE, Redish AD. Wireless communication with implanted
medical devices using the conductive properties of the body. Expert Rev Med
improve the authentication process by limiting the number of Devices. 2011;8(4):427–433. doi:10.1586/erd.11.16.
requests to the system to prevent system overloading and
therefore to prevent denial of service. Another way to [6] Hei Xiali, Du Xiaojiang. Security for wireless Implantable Medical
mitigate attacks is to encrypt all communication packets, make Devices, 2013. doi:10.10077978-1-4614-7153-0.
data integrity checking, anti-replay features and usage [7] K. Fu, “Inside risks: reducing risks of implantable medical devices”,
restrictions. Also, implementing a smart device traffic Communications of the ACM, vol. 52, pp: 25-27, Jun. 2009.
monitoring system to control system logs, monitor power
variations and process, prevent anyone from listening on the [8] D. Panescu, “Emerging technologies: wireless communication systems for
implantable medical devices,” Engineering in Medicine and Biology
network to "play back" data and then modify for malicious Magazine, vol. 27, pp: 96-101, Mar.-Apr. 2008.
purposes. Finally, have the entire monitoring system in high
availability to ensure availability and access control to validate [9] “FCC ID Search.” Federal Communications Commission, 2 Nov. 2017,
the entity to access. https://www.fcc.gov/oet/ea/fccid.

[10] “Medtronic Conexus Radio Frequency Telemetry Protocol:


VII. CONCLUSION CISA.” Medtronic Conexus Radio Frequency Telemetry Protocol | CISA,
https://www.us-cert.gov/ics/advisories/ICSMA-19-080-01.
Medical devices increasingly use wireless communication
and internet connections. In this paper, we discussed the [11] National Vulnerability Database. NVD,
security of communications of medical devices, centered on https://nvd.nist.gov/vuln/detail/CVE-2018-10634.
the security of communications with other systems, such as [12] “Insulin pumps - global pipeline analysis, opportunity assessment and
the monitoring system, very important because it interferes market forecasts to 2016, GlobalData.” [Online]. Available:
with people's health, namely with life itself. Therefore, it is http://www.globaldata.com.
essential to prioritize “safety”. We analyzed several
[13] Medtronic, Inc., “Implantable pacemaker and defibrillator information:
vulnerabilities in these systems, possible forms of attacks and magnets,”
how to mitigate them. The analysis revealed potential security www.medtronic.com/rhythms/downloads/3215ENp7magnetsonline.pdf.
risks arising primarily from unencrypted communications and
the limited resources on devices. As we mentioned, it is a [14] Chacko, Anil & Hayajneh, Thaier. (2018). Security and Privacy Issues
with IoT in Healthcare. EAI Endorsed Transactions on Pervasive Health and
system that endangers human life. Thus, there is no margin for Technology. 4. 155079. 10.4108/eai.13-7-2018.155079.
failures or errors. These systems will continue to have new
challenges in the coming years and new solutions and [15] C. Catalin, “Thousands of IoT Medical Devices Found Vulnerable to
proposals will have to be made. Future work we intend to do Online Attacks,” 29 September 2015;
http://news.softpedia.com/news/thousands-of-iot-medical-devices-found-
includes the proposal of a secure architecture that includes vulnerable-to-online-attacks-493144.shtml.
medical devices and monitoring systems.
[16] Storm, Darlene, and Darlene Storm. “MEDJACK: Hackers Hijacking
Medical Devices to Create Backdoors in Hospital Networks.” Computerworld,
REFERENCES Computerworld, 8 June 2015,
https://www.computerworld.com/article/2932371/medjack-hackers-hijacking-
[1] Kinsella, K.; Phillips, D.R. Global aging: The challenge of success. Pop. medical-devices-to-create-backdoors-in-hospital-networks.html.
Bull. 2005, 60, 1-42.
[17] D. Raymond and S. Midkiff, “Denial-of-service in wireless sensor
[2] Darwish A, Hassanien A. Wearable and implantable wireless sensor networks: attacks and defenses,” IEEE Pervasive Computing, vol.7, pp: 74-81,
network solutions for healthcare monitoring. Sensors (Basel). Jan.-Mar. 2008.
2001;11(6):5561-95.

2020 15th Iberian Conference on Information Systems and Technologies (CISTI)


24 – 27 June 2020, Seville, Spain
ISBN: 978-989-54659-0-3
Authorized licensed use limited to: Concordia University Library. Downloaded on October 31,2024 at 15:22:11 UTC from IEEE Xplore. Restrictions apply.

You might also like