Physical proof-based protocols for the IoT era - Nano-Tera

Physical proof-based
protocols for the IoT era:
Securing medical devices case study
Farinaz Koushanfar
Professor and Henry Booker Faculty Scholar
Electrical and Computer Engineering
University of California, San Diego

IoT security challenges…
• Device form-factors, resources, constraints
• Energy supply, timing, memory
• Naturally avoids security/crypto algorithms
• Cyber/physical attack surface
• Remote attacks on the wireless interface, side-channels, and physical attacks
• Physical insecurity -- new, sensor-based vulnerabilities
• Handling keys, keys, and keys
• Generation
• Storage
• Distribution/agreement

Suggested solution path: physical proofs
• Sensor-based vulnerabilities
• Need physical tamper-proofing
• Sensor-based physical attestation
• Keys…
• Physical unclonability needed for key storage
• Key generation and distribution in transient settings by bootstrapping the physical parameters, e.g., temporal, spatial relationships
• E.g., location-based proofs, simultaneous access to random transient events, etc.

Case study: Implanted medical devices
• Implanted Medical Devices (IMDs) are surgically implanted systems that monitor physiological conditions and (usually) apply therapies
• Pacemakers
• Cardiac defibrillators
• Neurostimulators
• Drug-delivery devices
• 25 million people in U.S. alone fitted with IMDs
• Medical devices branching into many areas; someday, most people may have one
• Example: Transcranial Direct Current Stimulation (tDCS)
• Improves cognitive performance
• (May also prevent migraines)

Why do we need to secure IMDs?
• IMDs are embedded systems
• Microprocessors
• Batteries
• Wireless interfaces
• Why wireless? In order to
• Update firmware, programming
• Provide telemetry
• Communicate with other IMDs (eventually)

[Figure: IMD and Programmer]

Two big challenges for IMDs
1. IMD access is too easy
2. IMD access is too hard
• E.g., Patient collapses on sidewalk
• EMTs arrive and try to read diagnostics/reprogram
• They can’t get access…

What did you say was your first pet’s name?

How do we address these conflicting challenges for emergency access to IMD[1]?

[1] Rostami (Koushanfar) et al. DAC‘13

Heart-to-Heart (H2H) example: setting and approach
Two devices:
• IMD
• Programmer

Access-control policy: Touch-to-access

Protocol in H2H
1. Programmer sensor touches patient’s body
2. IMD reads PV A
3. Programmer reads PV B
4. Devices check that A ≈ B?
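
The touch-to-access steps above, sketched in Python as an added example (not code from the talk or the H2H papers). The commit-then-reveal exchange, the SHA-256 commitment, the `MAX_BIT_ERRORS` threshold and the byte-string PVs are assumptions of this sketch; it shows how an A ≈ B check can tolerate sensor noise while keeping either side from choosing its value after seeing the other's.

```python
import hashlib
import hmac
import secrets

MAX_BIT_ERRORS = 2  # assumed noise tolerance for "A ≈ B", not a value from the talk

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length readings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class Device:
    """One side of the exchange (IMD or programmer) holding its own PV reading."""
    def __init__(self, pv: bytes):
        self.pv = pv
        self.nonce = secrets.token_bytes(16)  # fresh per attempt; hides the PV inside the commitment

    def commit(self) -> bytes:
        # Sent first: binds this side to its reading without revealing it.
        return hashlib.sha256(self.nonce + self.pv).digest()

    def reveal(self) -> tuple[bytes, bytes]:
        # Sent only after the peer's commitment has been received.
        return self.nonce, self.pv

    def accepts(self, peer_commit: bytes, peer_nonce: bytes, peer_pv: bytes) -> bool:
        opened = hashlib.sha256(peer_nonce + peer_pv).digest()
        if not hmac.compare_digest(opened, peer_commit):
            return False  # peer revealed a value other than the one it committed to
        if len(peer_pv) != len(self.pv):
            return False
        return hamming(self.pv, peer_pv) <= MAX_BIT_ERRORS  # step 4: A ≈ B

def touch_to_access(imd_pv: bytes, programmer_pv: bytes) -> bool:
    """Steps 2-4: both sides read, commit, reveal, and each checks the other."""
    imd, prog = Device(imd_pv), Device(programmer_pv)
    c_imd, c_prog = imd.commit(), prog.commit()   # commitments cross first
    n_prog, v_prog = prog.reveal()                # openings follow
    n_imd, v_imd = imd.reveal()
    return imd.accepts(c_prog, n_prog, v_prog) and prog.accepts(c_imd, n_imd, v_imd)

# Constructed sample readings (not real ECG data): 4-byte PVs.
A = bytes.fromhex("a3c45e10")            # IMD's reading
B_TOUCHING = bytes.fromhex("a3c45e12")   # programmer in skin contact, 1 bit of noise
B_REMOTE = bytes.fromhex("5b0f91e6")     # unrelated reading, no skin contact
```
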

[Figure: IMD and Programmer, A = B]

H2H contributions[1][2][3]
• Statistical characterization of ECG randomness
• Algorithms for optimally using the randomness
• Cryptographic pairing protocol
• Lightweight protocol not to burden the IMD
• Implementation
• End-to-end implementation shows it is low power and can be retrofitted by SW updates (no surgery needed!)

[1] Rostami, Juels, Koushanfar, ACM Computer Communication Security (CCS) ’13
[2] Best practical paper, Embedded Systems Week’14
[3] Cyber Security Awareness Week (CSAW) Best Applied Security Award