FDA wary over medical device hacks

This entry was posted on Wednesday, May 10th, 2017.

Casey Harper of The Hill reports that regulators and medical device makers “are bracing” for an expected barrage of hacking attacks.

“High-profile attacks have hit hospitals and health insurers, and now attention is turning to a new vulnerability: medical devices like pacemakers and insulin pumps,” writes Harper.

“The Food and Drug Administration (FDA) has become increasingly concerned about the issue and is working to coordinate with other agencies on how to respond if a serious medical device hack were to occur.”

According to Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, manufacturers should consider the environment a hostile one, with constant attempts at intrusion, which is why medical devices need to be hardened against attacks.

As Harper points out, concerns over medical device security vulnerabilities have mounted significantly in recent years due to a number of reported lapses. For example, Johnson & Johnson acknowledged that its insulin pumps had a security vulnerability (via a wireless controller) that hackers could exploit to access the device and cause a potentially fatal overdose of insulin. Similarly, the FDA warned hospitals not to use Hospira’s Symbiq infusion pumps due to a vulnerability that could allow the pump to be accessed via a hospital network, potentially enabling an attacker to change the dose.

More recently, the FDA warned Abbott Labs that it would take action if the company failed to address safety and security issues in certain medical devices. The devices in question came with Abbott's recent acquisition of St. Jude Medical, which manufactures implanted cardiac devices. Specifically, an FDA warning letter gave Abbott Labs 15 days to submit a plan to address design flaws that could allow attackers to tamper with the devices' settings and drain their batteries.

As we’ve previously discussed on Rambus Press, millions of implanted medical devices (IMDs) typically do not receive software updates to address security vulnerabilities. Such devices, which are often reachable via the internet or wireless links, include cardiac pacemakers, insulin pumps and brain neurostimulators. Consequently, IMDs carry very clear risks alongside their obvious benefits, which is precisely why they need to be protected against a wide range of attacks, including malware and side-channel attacks that measure a device's timing, power consumption and electromagnetic emissions.

According to Roman Lysecky, an associate professor in the University of Arizona Department of Electrical and Computer Engineering, side-channel attacks represent a critical threat to the security of embedded systems.

“By analyzing data transmission timing, power consumption and electromagnetic radiation from a life-critical device such as a pacemaker, a hacker can extract data like cryptographic keys that are essential for shielding communications from unauthorized users,” he explained.

To be sure, all physical electronic systems leak information about their internal computation. In practical terms, this means attackers can use side-channel techniques to collect that leakage and extract secret cryptographic keys. Regardless of the specific instruction set architecture (ISA), an implementation that has not been deliberately hardened against side channels can be soundly defeated by these attacks. Even a simple radio receiver can gather side-channel information by tuning to frequencies emitted by an electronic device, and in some cases a secret key can be recovered from a single transaction observed clandestinely from several feet away.

One notable side-channel attack technique is Differential Power Analysis (DPA), which monitors variations in the electrical power consumption or electromagnetic emissions of a target device. The basic method partitions a set of recorded traces into subsets according to a hypothesis about an intermediate value (for example, one bit of an S-box output under a guessed key byte), then computes the difference between the averages of those subsets. Averaging suppresses everything that is uncorrelated with the hypothesis, so given enough traces even minute data-dependent differences can be isolated; more measurement noise simply raises the number of traces required.

A typical DPA attack comprises six primary stages: (1) communicating with the target device; (2) recording power traces while the device performs cryptographic operations; (3) signal processing to align the traces, remove errors and reduce noise; (4) generating predictions and selection functions that assign each trace to a subset under each key hypothesis; (5) computing the averages of the trace subsets and their differences; and (6) evaluating the results to rank the most probable key guesses. Variants and extensions include reverse engineering unknown S-boxes and algorithms, correlation power analysis (CPA), probability distribution analysis, high-order DPA and template attacks.

DPA countermeasures aim to decrease the signal-to-noise ratio of the power side channel, either by reducing leakage (signal) or by adding noise. Leakage is reduced by making the power consumed less dependent on the data values and operations being processed (balancing); noise is added in amplitude (randomized power consumption) and in time (random delays and clock jitter). Randomness can also be introduced into the computation itself through blinding and masking, which randomly alter the representation of secret parameters so that the values actually processed are statistically independent of the secrets. Finally, protocol-level countermeasures limit how many traces an attacker can collect under any one key by continually refreshing and updating the keys and cryptographic protocols used by a device.
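The attack stages and the masking countermeasure described in the two paragraphs above, in working code, as an added example that is not part of the original article or of any Rambus product: a difference-of-means DPA against the first-round AES S-box lookup, run first against unprotected traces and then against traces from a device that XORs a fresh random Boolean mask into the S-box output. The traces, the Hamming-weight leakage model, the noise level and the sample index of the leaking operation are constructed assumptions, not measurements of any real device.

```python
"""Toy first-order DPA (difference of means) on an AES S-box lookup,
with and without Boolean masking. Illustrative only: traces are
SIMULATED with a Hamming-weight leakage model plus Gaussian noise
(an assumption, not a measurement of a real device)."""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def _gf_inv(a):
    """Multiplicative inverse in GF(2^8) via a^254; inv(0) is 0 per FIPS-197."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if a else 0


def _sbox_entry(x):
    """FIPS-197 S-box: field inverse followed by the affine transform."""
    inv = _gf_inv(x)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]

N_SAMPLES = 8        # sample points per trace (assumption)
LEAK_INDEX = 5       # point in time where the S-box output is handled (assumption)
NOISE_SIGMA = 1.0    # measurement noise, in units of one bit's power (assumption)


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_byte, n_traces, masked=False, seed=1):
    """Constructed traces: HW(data) + noise at every sample point. Only
    LEAK_INDEX handles the S-box output; the other points handle unrelated
    random bytes. masked=True models a device that XORs a fresh random
    mask into the value before it is processed (Boolean masking)."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        v = SBOX[p ^ key_byte]
        if masked:
            v ^= rng.randrange(256)
        trace = []
        for t in range(N_SAMPLES):
            data = v if t == LEAK_INDEX else rng.randrange(256)
            trace.append(hamming_weight(data) + rng.gauss(0.0, NOISE_SIGMA))
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def dpa_difference_of_means(plaintexts, traces, bit=0):
    """Stages 4-6: for each key guess, partition the traces by the predicted
    value of one S-box output bit, average each subset, and score the guess
    by the largest |difference of means| across all sample points."""
    n_samples = len(traces[0])
    scores = []
    for guess in range(256):
        sums = [[0.0] * n_samples, [0.0] * n_samples]
        counts = [0, 0]
        for p, trace in zip(plaintexts, traces):
            sel = (SBOX[p ^ guess] >> bit) & 1      # selection function
            counts[sel] += 1
            acc = sums[sel]
            for t in range(n_samples):
                acc[t] += trace[t]
        if 0 in counts:                              # degenerate partition
            scores.append(0.0)
            continue
        diffs = [abs(sums[1][t] / counts[1] - sums[0][t] / counts[0])
                 for t in range(n_samples)]
        scores.append(max(diffs))
    best_guess = max(range(256), key=scores.__getitem__)
    return best_guess, scores


def demo(key_byte=0x2B, n_traces=1500):
    """Attack unprotected traces, then masked traces, with the same key."""
    pts, trs = simulate_traces(key_byte, n_traces, masked=False, seed=1)
    guess, scores = dpa_difference_of_means(pts, trs)
    pts_m, trs_m = simulate_traces(key_byte, n_traces, masked=True, seed=2)
    guess_m, scores_m = dpa_difference_of_means(pts_m, trs_m)
    return {"key": key_byte, "unmasked_guess": guess,
            "unmasked_peak": scores[guess], "masked_guess": guess_m,
            "masked_peak": max(scores_m)}


if __name__ == "__main__":
    r = demo()
    print("unmasked: recovered 0x%02x (true 0x%02x), peak %.2f"
          % (r["unmasked_guess"], r["key"], r["unmasked_peak"]))
    print("masked:   best peak %.2f, no guess stands out" % r["masked_peak"])
```

Run as a script, the unprotected pass ranks the true key byte first with a difference of means close to 1.0 (one bit's worth of power), while wrong guesses produce only smaller ghost peaks and the non-leaking sample points show noise. In the masked pass the processed value is uniformly random regardless of the key, so every guess scores at noise level and nothing stands out. This is exactly why a first-order difference of means is defeated by a fresh mask per execution; recovering the key from masked traces needs a second-order attack that combines the leakage of the mask with that of the masked value, which is what the "high-order DPA" variant in the text refers to.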

Interested in learning more about protecting electronic systems against side-channel attacks? You can check out our DPA countermeasures product page here.