Tutorial on Wireless Security in Medical Devices


Transcript of Tutorial on Wireless Security in Medical Devices

Page 1: Tutorial on Wireless Security in Medical Devices

ICACT-2011 Half-day Tutorial on Wireless Security in Medical Devices

Dr G V Rangaraj, IEEE Senior Member
Medical Devices Practice Team

HCL Technologies, Chennai, INDIA

Page 2: Tutorial on Wireless Security in Medical Devices

Motivation & Objective Scope

In telecommunications generally, security design is complex and requires a deep study of cryptographic theory. However, because of the time constraints of the production cycle, it is necessary to arrive at an elegant design that also meets the relevant standards within a relatively short time. This tutorial helps to address that problem by providing brief and precise descriptions of the security algorithm concepts needed to design such a pragmatic WPAN/WBAN sensor-based medical device receiver.

Page 3: Tutorial on Wireless Security in Medical Devices

Abstract

Wireless communication is playing a key role in connecting medical devices to the outside world and has various advantages over wired connections. However, it still sees only slow acceptance in the medical equipment market because it is more vulnerable to security attacks in such environments than its wired counterpart. In this tutorial we provide a comprehensive overview of the security attacks possible at the various layers of a wireless embedded medical devices network and the corresponding counter-measures. We then give an overview of the wireless security issues in a Zigbee healthcare network, which is being projected as the most common wireless technology for next generation embedded medical devices. The main challenge in the embedded medical device community is the wireless body area network (WBAN), which typically deals with implantable medical devices such as the implantable cardioverter-defibrillator (ICD). In this tutorial we also discuss some of the wireless security solutions proposed in the currently evolving IEEE 802.15 TG 6 WBAN initiatives for an implant environment.

Page 4: Tutorial on Wireless Security in Medical Devices

Tutorial Outline (Duration: 3 hours)

Introduction – 15 minutes
Typical Wireless Medical Devices Network – 15 minutes
Security Threats in a Wireless Medical Devices Network
  PHY Layer – 10 minutes
  Data Link/MAC Layer – 10 minutes
  Higher Layer – 10 minutes
Security Solutions
  Data Confidentiality and Privacy – 15 minutes
  Data Integrity and Authenticity – 15 minutes
  Freshness and Availability – 15 minutes
  Secure Management – 15 minutes
Case Studies
  WPAN (Zigbee) – 20 minutes
  WBAN (IEEE 802.15 TG 6) – 20 minutes
Conclusions – 5 minutes
Questions and Answers – 15 minutes

Page 5: Tutorial on Wireless Security in Medical Devices

INTRODUCTION

Page 6: Tutorial on Wireless Security in Medical Devices

FDA Guidelines

• FDA’s draft guidance for industry on RF wireless technology in medical devices specifies:
  • Wireless coexistence
  • Performance
  • Data integrity
  • Security
  • Electromagnetic compatibility (EMC)

• FDA has left it to the software engineering community to develop the medical devices.

• Quote from the FDA guidelines: “Appropriate security of medical devices which should ensure reliable, secure communication and continued functionality while preserving patient’s safety, confidentiality and data integrity”

Page 7: Tutorial on Wireless Security in Medical Devices

EMC (Electromagnetic Compatibility)

• EMC is “the ability of a device to function properly in its intended electromagnetic environment, without introducing excessive electromagnetic energy that may interfere with other devices”

• FDA recommends that EMC be an integral part of the design, testing and performance of RF medical devices

• FDA recommends that elaborate testing be performed to demonstrate that the wireless function will operate as intended in the expected environment of use

Page 8: Tutorial on Wireless Security in Medical Devices

TYPICAL WIRELESS MEDICAL DEVICES NETWORK

Page 9: Tutorial on Wireless Security in Medical Devices

Medical Devices Network

Page 10: Tutorial on Wireless Security in Medical Devices

MD Network Components

• Wireless bands are allocated by the FCC

• Medical Implant Communication Service (MICS)
  • Spectrum: 402-405 MHz
  • Technologies: WBAN, like IEEE 802.15 TG 6

• Unlicensed Industrial, Scientific & Medical (ISM)
  • Spectrum: 902-928; 2400-2483.5; 5725-5850 MHz
  • Technologies: WBAN; WPAN like Zigbee and Bluetooth; WLAN like Wi-Fi (802.11 a, b, g & n)

Page 11: Tutorial on Wireless Security in Medical Devices

SECURITY THREATS IN A WIRELESS MEDICAL DEVICES NETWORK

Page 12: Tutorial on Wireless Security in Medical Devices

Physical Layer

• Jamming the radio signal using another radio source

• As in military applications, jamming poses a serious threat

• The jammer could make the medical device node not function as expected

• It can block part of the network or the complete network

• Physical layer threats can be broadly classified as Denial of Service (DoS) attacks

Page 13: Tutorial on Wireless Security in Medical Devices

Data Link/MAC Layer

• The threats in this layer require a more intelligent hacking device that can identify at least the frame boundaries

• With the frame boundaries identified, the hacker could potentially corrupt the checksum portion of the frame

• The received frames are then always in error; this is referred to as a link-layer jammer

• The result is an increase in collisions and congestion in the network, or the network is blocked entirely

Page 14: Tutorial on Wireless Security in Medical Devices

Data Link/MAC Layer

• A more intelligent hacker could potentially create unfairness in the scheduling mechanism

• This disturbs the smooth functioning of the scheduler, which is the main functional unit in the MAC layer

• An extreme case of the unfairness attack:
  • The hacker itself acts like a self-sacrificing node and causes exhaustion of the battery
  • Nothing but draining of the power source by keeping the channel busy always

• Thus data link layer threats can also be broadly classified as DoS attacks only

Page 15: Tutorial on Wireless Security in Medical Devices

Higher Layer

• A DoS attack in these layers is also possible

• Typically the same data is sent repeatedly, as in the “hello” flooding attack in the network layer

• Or control information is sent repeatedly in the transport layer, as in the normal flooding attacks

• A large number of attacks other than denial of service are also possible

• Such attacks must be able to identify the packet boundaries

Page 16: Tutorial on Wireless Security in Medical Devices

Higher Layer

• Attacks other than DoS need to be far more intelligent and complex than the physical/link layer attacks

• They include unauthorized and unauthenticated access to data

• This can lead to the threat of message disclosure

• It can further lead to the threat of message modification

• The typical routing attacks possible in any network connected to the Internet are also a threat in a medical devices network

Page 17: Tutorial on Wireless Security in Medical Devices

Security threats - Summary

Layer       DoS attack           Defenses
Physical    Jamming              Spread-spectrum, priority messages, lower duty cycle, region mapping, mode changes
            Tampering            Tamper proofing, hiding
Link        Collision            Error correction code
            Unfairness           Small frames
            Exhaustion           Rate limitation
Network     Neglect and greed    Redundancy, probing
            Homing               Encryption
            Misdirection         Egress filtering, authorization monitoring
            Black holes          Authorization monitoring, redundancy
Transport   Flooding             Client puzzles
            Desynchronisation    Authentication

Page 18: Tutorial on Wireless Security in Medical Devices

SECURITY SOLUTIONS

Page 19: Tutorial on Wireless Security in Medical Devices

Security Requirements & Solutions

Security requirement               Possible security solutions
Data confidentiality and privacy   Symmetric key encryption/decryption
Data integrity and authenticity    Secure symmetric key hashing; digital signature
Freshness and availability         Encrypted counter; redundancy
Secure management                  Random key distribution, public key cryptography, secure group communication, intrusion detection

Page 20: Tutorial on Wireless Security in Medical Devices

Data Confidentiality and Privacy

× It is possible for an eavesdropper to simply tap the bits sent over the wireless medical device personal area network

× Decipher the information to extract secret personal and medical information about the patient

× Violates his/her privacy

Encrypting the patient’s data with a secret symmetric private key
  The key is shared over a secure communications channel between the sender and the receiver
  The key is used for both encryption and decryption

Page 21: Tutorial on Wireless Security in Medical Devices

Data Integrity and Authenticity

× An intruder can send fake messages into the medical devices wireless network which might look like the original

To protect against this threat, messages have to be authenticated
A possible solution to this issue is to use a secure hashing method based on symmetric key cryptography
  The transmitter computes a message authentication code (MAC) using a known hashing function
  The hashing function is keyed with this symmetric private key
  The MAC is transmitted along with the message
  The receiver authenticates the message by computing the MAC and checking that it is the same as the one that was sent
This can also help to protect against flooding attacks.

Page 22: Tutorial on Wireless Security in Medical Devices

Freshness and Availability

× An intruder can capture the data and replay it, even if data confidentiality and authenticity are already taken care of

Data freshness needs to be provided, which basically means ensuring that the data frames are in order
A simple mechanism is to use an encrypted counter
Ensure the ordering by checking the counter value at the receiver

× The intruder can cause unavailability of the embedded medical device
× This results in the absence of life-critical information for diagnosis

Ensure redundancy, i.e. have a provision for substitute nodes in the network to gather the life-critical information.

Page 23: Tutorial on Wireless Security in Medical Devices

Secure Management

× An intruder can get access to the secure keys in some situations

Secure management is required to ensure secure key exchanges happen and ensure

This could be done using random key distribution using public key cryptography

Secure group communication

Ensures the intruder does not get access to the secure keys in any situation

Page 24: Tutorial on Wireless Security in Medical Devices

Security Solutions - Summary

Data Confidentiality
  Encrypting the patient’s data with a secret key
  The key is shared on a secure communications channel

Data Authentication and Integrity
  Authentication using symmetric techniques; node and controller share a secret key
  This secret key is used to compute the Message Authentication Code (MAC)

Data Freshness
  Weak freshness: guarantees partial data frame ordering but no guaranteed delay; low duty cycle, like BP
  Strong freshness: guarantees data frame ordering and delay; synchronization when a beacon is transmitted by the controller

Secure Management
  Required at the controller, since it provides key distribution to the nodes in order to allow encryption and decryption
  On association and disassociation the controller adds and removes the nodes in a secure manner

Availability
  The adversary may target the availability of a WBAN by disabling an ECG node, which may result in loss of life

Page 25: Tutorial on Wireless Security in Medical Devices

Security Solutions - Summary

Security threat / Security requirement / Possible security solutions

Unauthenticated or unauthorized access
  Requirement: Key establishment and trust setup
  Solutions: Random key distribution; public key cryptography

Message disclosure
  Requirement: Confidentiality and privacy
  Solutions: Link/network layer encryption; access control

Message modification
  Requirement: Integrity and authenticity
  Solutions: Keyed secure hash function; digital signature

Denial of Service (DoS)
  Requirement: Availability
  Solutions: Intrusion detection; redundancy

Node capture & compromised node
  Requirement: Resilience to node compromise
  Solutions: Inconsistency detection of node and revocation; tamper-proofing

Routing attacks
  Requirement: Secure routing
  Solutions: Secure routing protocols

Intrusion and high level security attacks
  Requirement: Secure group management, intrusion detection, secure data aggregation
  Solutions: Secure group communication; intrusion detection

Page 26: Tutorial on Wireless Security in Medical Devices

CASE STUDY I – WPAN – Zigbee

Page 27: Tutorial on Wireless Security in Medical Devices

WPAN

• Application Layer: explicitly enables security by adjusting certain control parameters

• Example: IEEE 802.15.4
  • Security modes to control the different security levels
  • Best is AES-CCM-128: could be used for the most critical applications, such as updating programs in pacemakers and implantable cardiac-defibrillators

Security mode      Description
Null               No security
AES-CTR            Encryption only, CTR mode
AES-CBC-MAC-128    128-bit MAC
AES-CBC-MAC-64     64-bit MAC
AES-CBC-MAC-32     32-bit MAC
AES-CCM-128        Encryption & 128-bit MAC
AES-CCM-64         Encryption & 64-bit MAC
AES-CCM-32         Encryption & 32-bit MAC

Page 28: Tutorial on Wireless Security in Medical Devices

AES - CTR

• Plain text is XORed with the AES-encrypted counter, using a symmetric secret key, to obtain the cipher text

• At the receiver the plain text is obtained by XORing the cipher text with the AES-encrypted counter

• The receiver uses the same symmetric secret key as the transmitter

• There is secure encryption

• There is no authentication provided

Page 29: Tutorial on Wireless Security in Medical Devices

AES - CTR

Counter (CTR): this mode is used by the sender to encrypt data

Encryption
Clear text is broken into 16-byte data blocks. The cipher text is computed using , where is the encryption of the counter

Decryption
The receiver recovers the plain text by computing

Page 30: Tutorial on Wireless Security in Medical Devices

AES – CBC – MAC

• Variable length 32, 64 or 128-bit message authentication code (MAC) using the cipher block chaining (CBC) mechanism

• Secure hashing function method
  • Plain text is divided into a number of blocks
  • In each block the plain text is XORed with the AES-encrypted cipher text of the previous block
  • Repeated in a chained mechanism in which the first block’s plain text is XORed with an initialization vector
  • The end result of these operations is the MAC

• This MAC is transmitted along with the message

• The receiver re-computes the MAC using an identical scheme and checks it against the received MAC to authenticate the message.

• Thus there is secure authentication; however, there is no encryption provided in this mode.

Page 31: Tutorial on Wireless Security in Medical Devices

AES – CBC – MAC

Cipher Block Chaining (CBC-MAC): in this mode the plaintext is XORed with the previous cipher text until the final encryption

The Message Authentication Code (MAC) can be 32, 64 or 128 bits

The receiver computes its own MAC, compares it with the sender’s MAC, and accepts the packet only if both MACs are identical

CBC-MAC Operation:

Page 32: Tutorial on Wireless Security in Medical Devices

AES - CCM

• A variable length 32, 64 or 128-bit MAC, the same as in the AES – CBC – MAC scheme, is appended to the plain text

• Then the plain text and MAC together are encrypted using the AES – CTR scheme.

• At the receiver, decryption is done first, as illustrated in the AES – CTR scheme

• This is followed by authentication, as illustrated in AES – CBC – MAC

• Thus both secure authentication and encryption are provided in this mode

• AES – CCM – 128 is the highest level of security that can be provided

• Hence it is the best mode, and is the one to be mandated for the most critical applications

Page 33: Tutorial on Wireless Security in Medical Devices

AES - CCM

CTR and CBC-MAC modes are combined to ensure high-level security that includes both data integrity and encryption

The sender first applies the integrity protection to the data frames and then encrypts the frames using CTR mode

This mode can be used to send or receive sensitive information, such as updating programs in pacemakers and implantable cardiac-defibrillators

Possible suggestion for improvement:

The addition of security protocols to a WBAN consumes extra energy due to the transmission overhead required by the protocol

The best way is to use a stream cipher for encryption, where the size of the cipher text is the same as that of the plain text.
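The three 802.15.4 modes of slides 28 to 33, as a runnable Go sketch added to this transcript (it is not the tutorial's code nor any 802.15.4 stack): AES-CTR, a truncated AES CBC-MAC, and the MAC-then-CTR composition the slides describe as AES-CCM. The key, counter block and ECG frame are constructed; the nonce and length formatting of RFC 3610 CCM / 802.15.4 CCM* is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ctrCrypt is AES-CTR (slide 28): each block is XORed with AES_k(counter),
// so one call both encrypts and decrypts; it gives no integrity by itself.
func ctrCrypt(block cipher.Block, ctr, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block, ctr).XORKeyStream(out, in)
	return out
}

// cbcMAC is AES CBC-MAC (slide 30) with a zero IV, the last block truncated to
// macLen bytes (4, 8 or 16 for the 32/64/128-bit modes). Zero padding with no
// length field is a simplification; real CCM binds the length into block 0.
func cbcMAC(block cipher.Block, msg []byte, macLen int) []byte {
	state := make([]byte, aes.BlockSize)
	padded := make([]byte, (len(msg)+aes.BlockSize-1)/aes.BlockSize*aes.BlockSize)
	copy(padded, msg)
	for i := 0; i < len(padded); i += aes.BlockSize {
		for j := range state {
			state[j] ^= padded[i+j]
		}
		block.Encrypt(state, state)
	}
	return state[:macLen]
}

// ccmSeal follows slide 32: CBC-MAC the plaintext, append it, CTR-encrypt both.
func ccmSeal(block cipher.Block, ctr, plain []byte, macLen int) []byte {
	tagged := append(append([]byte{}, plain...), cbcMAC(block, plain, macLen)...)
	return ctrCrypt(block, ctr, tagged)
}

// ccmOpen: CTR-decrypt, recompute the MAC, constant-time compare; reject on mismatch.
func ccmOpen(block cipher.Block, ctr, sealed []byte, macLen int) ([]byte, error) {
	if len(sealed) < macLen {
		return nil, errors.New("frame too short")
	}
	dec := ctrCrypt(block, ctr, sealed)
	plain, mac := dec[:len(dec)-macLen], dec[len(dec)-macLen:]
	if subtle.ConstantTimeCompare(mac, cbcMAC(block, plain, macLen)) != 1 {
		return nil, errors.New("MAC check failed, frame rejected")
	}
	return plain, nil
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed key
	ctr := make([]byte, aes.BlockSize)                    // constructed counter block
	vitals := []byte("ECG seq=42 hr=72 spo2=98")          // constructed sensor frame
	ct := ctrCrypt(block, ctr, vitals)
	ct[0] ^= 0x01 // a corrupted ciphertext bit: CTR alone cannot notice it
	fmt.Printf("CTR only decrypts to %q\n", ctrCrypt(block, ctr, ct))
	sealed := ccmSeal(block, ctr, vitals, 4) // AES-CCM-32
	sealed[0] ^= 0x01
	_, err := ccmOpen(block, ctr, sealed, 4)
	fmt.Println("CCM-32 receiver:", err)
}
```

The corrupted CTR-only frame decrypts to garbage that the application would accept, while the same corruption under CCM-32 is rejected before it reaches the application.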

Page 34: Tutorial on Wireless Security in Medical Devices

CASE STUDY II – WBAN – IEEE 802.15 WG 6

Page 35: Tutorial on Wireless Security in Medical Devices

WBAN

• Implants and wearable sensors: help to monitor health status

• Applications: health care systems, sporting activities & military

• WBAN communication classifications
  • In-body: implantable devices and monitoring equipment
  • On-body: within on-body networks
  • Off-body: BS to transceiver on a human being

Page 36: Tutorial on Wireless Security in Medical Devices

WBAN Architecture

Level 1: In-body and on-body nodes (implant node)
  A node that is placed inside the human body
  Role: this could be immediately below the skin or deeper inside the body tissue; acts as a sensor
  Examples: ECG; oxygen saturation sensor

Level 2: Body surface node
  A node that is placed on the surface of the human skin or at most 2 centimeters away
  Role: to collect the patient’s vital information from the Level 1 nodes and communicate it to the Level 3 nodes
  Example: BAN Network Coordinator (BNC), which contains a wakeup circuit, a main radio and a security circuit

Level 3: External node
  A node that is not in contact with human skin (between a few centimeters and up to 5 meters away from the body)
  Role: keeps the patient’s medical records; provides relevant diagnostic recommendations
  Example: a number of remote BSs

Page 37: Tutorial on Wireless Security in Medical Devices

Security in WBAN

• The various operations involved are life-critical applications, like updating programs in implantable cardiac-defibrillators

• Hence network security is more critical in a WBAN environment than in a simple WPAN scenario

• The 802.15 TG 6 draft has provision for the following modes, which are very similar to those of ZigBee:
  • Unsecured communication
  • Authentication but not encryption
  • Authentication and encryption of data

Page 38: Tutorial on Wireless Security in Medical Devices

Key Security Differences from WPAN

• Apart from the standard AES-128 forward cipher function, which was the only option in ZigBee, there is a second option

• The IEEE 802.15 TG 6 draft provides a provision to opt for a different Camellia-128 forward cipher function

• Complexity is kept low in the IEEE 802.15 WG 6 draft, unlike ZigBee:
  • No provision for a variable message authentication code size across the different security modes
  • The message authentication code, referred to as the Message Integrity Code (MIC), has a size fixed at 32 bits.

Page 39: Tutorial on Wireless Security in Medical Devices

Secure Management in WBAN

• Security starts with a negotiation of the desired security suite between the two communicating parties, node and hub

• The security selection in turn sets off a security association between the two parties, for activating a pre-shared or generating a new shared master key (MK).

• Security association protocols are based on the Diffie-Hellman key exchange employing elliptic curve public key cryptography

• Some of the possible security association protocols are:
  • Master key pre-shared association
  • Unauthenticated association
  • Public key hidden association
  • Password authenticated association
  • Display authenticated association

Page 40: Tutorial on Wireless Security in Medical Devices

CONCLUSIONS

Page 41: Tutorial on Wireless Security in Medical Devices

QUESTIONS & ANSWERS

Page 42: Tutorial on Wireless Security in Medical Devices

Biography

Rangaraj received his B.Tech in Electrical Engineering from Indian Institute of Technology (IIT) Madras, India in 1998, M.S in Electrical and Computer Engineering from Georgia Tech, U.S.A. in 2000 and PhD in Electrical Engineering from IIT Madras, India in 2005 with specialization in communication systems. His current areas of interest include design and development of wireless solutions/PHY/MAC layer chipsets for future wireless systems involving wireless personal/body area networks and signal processing algorithms for 4G wireless communication systems. During his doctoral studies, he also worked as Project Officer for the DECT Wireless in Local Loop project with the Tenet Group. After graduation, he worked as Technical Lead Engineer at HCL Technologies, Chennai, where he developed the physical layer of the MBOA UWB wireless system on FPGA platforms, and at NXP Semiconductors, Bangalore, developing the physical layer for Wireless LAN on embedded vector processors. He then worked as Wireless Specialist at Tata Elxsi, Chennai, in the design of the physical layer for LTE wireless systems and other 4G wireless systems on DSP platforms. Currently he is working as Senior Technical Manager at HCL Technologies, Chennai, in the design of wireless solutions in the medical, automotive and industrial verticals. He has published more than ten papers in various national and international conferences and journals and is also an active reviewer. He is the recipient of the Philips award and Siemens award for being the student with the best academic record in the Electrical Engineering Department at IIT Madras during 1994–1998. He is also the recipient of the Colonel Oscar Cleaver award for being the outstanding graduate student in the School of Electrical and Computer Engineering, Georgia Institute of Technology during 1998–1999.

Page 43: Tutorial on Wireless Security in Medical Devices

Thank You
