This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor...
Transcript of This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor...
![Page 1: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/1.jpg)
This Ain’t Your Dose:Sensor Spoofing Attack on Medical
Infusion Pump
Youngseok Park1,2, Yunmok Son2, Hocheol Shin2, Dohyun Kim2, and Yongdae Kim2
1 NAVER Labs2 System Security Laboratory, KAIST
10th USENIX Workshop on Offensive Technologies (WOOT '16)
Aug.09.2016
![Page 2: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/2.jpg)
Sensor
v Sensing changes in physical property and converting to electric signal
v Gyroscope, Accelerometer, Radar, Sonar, Infrared sensor, etc.
2
![Page 3: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/3.jpg)
Sensing and Actuation System
3
Real World
Processor
Sensor Actuator
Sensing Actuation
System
ADC
ADC: Analog-to-Digital Converter
Converting Processing
GyroscopeRadarFlightcontrol
Crashavoidance
![Page 4: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/4.jpg)
Sensing and Actuation System
4
Real World
Processor
Sensor Actuator
Sensing Actuation
System
ADC
ADC: Analog-to-Digital Converter
Converting Processing
GyroscopeRadarFlightcontrol
Crashavoidance
No Authentication
Vulnerable to sensor spoofing attack
Spoofing!
![Page 5: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/5.jpg)
Sensor Spoofing Attack
v Manipulating sensors with a malicious signal
v Previous works- Attacking Circuit using EMI: Injecting EMI into a wire of a defibrillator (S&P’13)
- Canceling and injecting Active Sensor Signal: magnetic signal on ABS sensor (CHES’13)
- Generating Resonance (DoS): Injecting sound noise into a gyroscope of a drone (SEC’15)
5
EMI: Electromagnetic InterferenceABS: Anti-lock Braking System
![Page 6: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/6.jpg)
6
This Work: Manipulating Sensing Valuesby Saturating Receiver
![Page 7: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/7.jpg)
Target: Medical Infusion Pump
v Controlling infused volume of medicine to patients
v Sometimes using a drop sensor for accuracy
7 Infusion Pump (body)
Display
Controlpanel
Actuator(PeristalticFingers)
IV Tube
To human’s body
From drop sensorMedicine
IR receiver
IR emitter
To infusion pumpbody
Drop sensor
Drop
IV TubeDrip
chamber
Output
~
![Page 8: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/8.jpg)
Infusion Pump Operation
8
Light
![Page 9: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/9.jpg)
Sensor Saturation
v New type of sensor spoofing attack using saturation- Sensors have typical operating region- Output is saturated when exceeding a saturation point- Blinding sensors
9
In case of the infusion pump
![Page 10: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/10.jpg)
Medical Infusion Pump
v Two infusion pumps with drop sensors
10
Infusion pump Drop sensor
JSB-1200(Pump1)
BYS-820(Pump2)
![Page 11: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/11.jpg)
Hardware Analysis
v Pump1 (JSB-1200)
11
Peristalticfingers
Tube
Infusion pump
LED
Drop sensor
IR emitter
IR receiver
IR Filter
![Page 12: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/12.jpg)
Hardware Analysis
v Measuring signal with oscilloscope- Connector = 4 pins: VCC, GND, LED, and IN (signal)
12
Connector(Device side)
Four pins(Sensor side)
Normal drop
![Page 13: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/13.jpg)
Simple Test (Saturation, w/o filter)
13
![Page 14: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/14.jpg)
Simple Test (Saturation, w/o filter)
14
![Page 15: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/15.jpg)
Hardware Analysis
v Mainboard (2 MCUs)
15
W78E516D(MCU2)
AT89S52(MCU1)
Internal structure
SPI Port
Drop sensor port
![Page 16: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/16.jpg)
Hardware Analysis
v Sensor output is inserted to MCU1 after ADC- 8-bit ADC (0 to 255)- Digital signal indicates voltage level of the drop sensor
16
Output of ADC
8-bit ADC
IN(sensor output)
MCU1
![Page 17: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/17.jpg)
Firmware Extraction
v Extracting firmware of MCU1 via SPI port- Reading Flash memory using USBISP and AVR Studio- Data section -> 8051 assembly -> IDA Pro
17
USBISP
AVR Studio 4 Intel HEX format
Data sectionAT89S52(MCU1)
SPI Port
![Page 18: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/18.jpg)
Firmware Analysis
v Finding sensor output in Timer interrupt function
18
Put 8-bit sensor output to RAM
![Page 19: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/19.jpg)
Firmware Analysis
19
![Page 20: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/20.jpg)
Drop Detection Algorithm
20
Sensing drop when voltage decreases by 𝟎.𝟑𝟐𝑽
Send command (0x11) through serial port,connected to MCU2
![Page 21: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/21.jpg)
Pump1 Structure
1. Drop sensor output enters into AT89S52 (MCU1)
2. MCU1 sends data to W78E516D (MCU2) via serial comm.
3. MCU2 actuates peripherals with this data- Pins of MCU2 are directly connected to motor, display and alarm
21
![Page 22: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/22.jpg)
Vulnerability
v Drop sensor- Saturated with an external source- Cannot sense drops in saturation
v Drop detection algorithm- Counting drops based on a relative change in voltage- Making a voltage drop to sensor output
22
Saturation
Fake drop
![Page 23: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/23.jpg)
Experimental Setting
23
Measuringcylinder
IR Laser(905nm, 30mW) Drop sensor
Arduino
Infusion pump
![Page 24: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/24.jpg)
Experiment
v Performed on both infusion pumps (Pump1, Pump2)
v Saturation (failed in Pump2)- Sensor is saturated when injecting IR laser to receiver
- Drop sensor cannot sense real drops -> Over-infusion
v Fake drops- Sensor is deceived by fake drops with external IR
- Pump perceives that there are drops already -> Under-infusion
v Both cases cause an alarm
24
![Page 25: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/25.jpg)
Spoofing Pattern
v Over-infusion- Alarm: “No drop is detected”- Inject some period and compensate insufficient drops
v Under-infusion- Alarm: “Too many drops are detected”- Find properly interval of fake drops experimentally
v Example (60mL/h setting)- 1 drop per 3 seconds
25
Normal operation
Continuous saturation
Over-infusion
Saturation time (13s)
Real drop interval (3s) drop fake drop
Alarm
Under-infusion
Fake drop interval
2s
![Page 26: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/26.jpg)
Demo (Over-infusion)
26
![Page 27: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/27.jpg)
Demo (Under-infusion)
27
![Page 28: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/28.jpg)
Spoofing Pattern
v Over-infusion- Alarm: “No drop is detected”- Inject some period and compensate insufficient drops
v Under-infusion- Alarm: “Too many drops are detected”- Find properly interval of fake drops experimentally
28
Normal operation
Continuous saturation
Over-infusion
Saturation time
Real drop interval drop fake drop
Alarm
Under-infusion
Fake drop interval
2s
![Page 29: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/29.jpg)
Results
v Controlling infused volume is possible- By adjusting saturation time or fake drops- Measured in 10 minutes and 5 times each (No alarm rings over 30 minutes)- Over-infusion fails on Pump2
29
![Page 30: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/30.jpg)
Discussion
v Attack distance- Related to power of source- Possible in the range of 12m with 30mW IR laser
v Mitigation- Authentication between emitter and receiver
• PyCRA (CCS ‘15)
• Generate random zero signal in an emitter
- Voltage level detection• Checking boundary of legitimate signal
- Physical isolation
30
Saturation(by spoofing)
Sensor output
Real drops(without spoofing)
Boundary check
Detect!
Concept of PyCRA
Voltage level detection
![Page 31: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/31.jpg)
Discussion
v Attack distance- Related to power of source- Possible in the range of 12m with 30mW IR laser
v Mitigation- Authentication between emitter and receiver
• PyCRA (CCS ‘15)
• Generate random zero signal in an emitter
- Voltage level detection• Checking boundary of legitimate signal
- Physical isolation
31
![Page 32: This Ain’t Your Dose: Sensor Spoofing Attack on Medical ... · This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump ... v Manipulating sensors with a malicious](https://reader034.fdocuments.in/reader034/viewer/2022051601/5ad31bba7f8b9a92258df9a1/html5/thumbnails/32.jpg)
Conclusion
v Presenting a new type of sensor spoofing attack- Deceiving a sensor by saturation
v Analysis on medical infusion pumps- Finding vulnerability in drop detection algorithm
v Controlling infused fluid from 65% to 330%
v Note- Infusion pump was not communicating at all. - IR lay is invisible to human eyes.- FDA approved US devices?
v Sensor security- Most sensors are exposed to receive signal- Must be considered for safety
32