Shane S. Clark

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

Our study analyzes the security and privacy properties of an implantable cardioverter defibrillator (ICD). Introduced to the U.S. market in 2003, this model of ICD includes pacemaker technology and is designed to communicate wirelessly with a nearby external programmer in the 175 kHz frequency range. After partially reverse-engineering the ICDs communications protocol with an oscilloscope and a software radio, we implemented several software radio-based attacks that could compromise patient safety and patient privacy. Motivated by our desire to improve patient safety, and mindful of conventional trade-offs between security and power consumption for resource-constrained devices, we introduce three new zero-power defenses based on RF power harvesting. Two of these defenses are human-centric, bringing patients into the loop with respect to the security and privacy of their implantable medical devices (IMDs). Our contributions provide a scientific baseline for understanding the potential security and privacy risks of current and future IMDs, and introduce human-perceptible and zero-power mitigation techniques that address those risks. To the best of our knowledge, this paper is the first in our community to use general-purpose software radios to analyze and attack previously unknown radio communications protocols.

Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors

Electromagnetic interference (EMI) affects circuits by inducing voltages on conductors. Analog sensing of signals on the order of a few millivolts is particularly sensitive to interference. This work (1) measures the susceptibility of analog sensor systems to signal injection attacks by intentional, low-power emission of chosen electromagnetic waveforms, and (2) proposes defense mechanisms to reduce the risks. Our experiments use specially crafted EMI at varying power and distance to measure susceptibility of sensors in implantable medical devices and consumer electronics. Results show that at distances of 1-2m, consumer electronic devices containing microphones are vulnerable to the injection of bogus audio signals. Our measurements show that in free air, intentional EMI under 10 W can inhibit pacing and induce defibrillation shocks at distances up to 1-2m on implantable cardiac electronic devices. However, with the sensing leads and medical devices immersed in a saline bath to better approximate the human body, the same experiment decreases to about 5 cm. Our defenses range from prevention with simple analog shielding to detection with a signal contamination metric based on the root mean square of waveform amplitudes. Our contribution to securing cardiac devices includes a novel defense mechanism that probes for forged pacing pulses inconsistent with the refractory period of cardiac tissue.

On the limits of effective hybrid micro-energy harvesting on mobile CRFID sensors

Mobile sensing is difficult without power. Emerging Computational RFIDs (CRFIDs) provide both sensing and general-purpose computation without batteries--instead relying on small capacitors charged by energy harvesting. CRFIDs have small form factors and consume less energy than traditional sensor motes. However, CRFIDs have yet to see widespread use because of limited autonomy and the propensity for frequent power loss as a result of the necessarily small capacitors that serve as a microcontrollers power supply. Our results show that hybrid harvesting CRFIDs, which use an ambient energy micro-harvester, can complete a variety of useful workloads--even in an environment with little ambient energy available. Our contributions include (1) benchmarks demonstrating that micro-harvesting from ambient energy sources enables greater range and read rate, as well as autonomous operation by hybrid CRFIDs, (2) a measurement study that stresses the limits of effective ambient energy harvesting for diverse workloads, (3) application studies that demonstrate the benefits of hybrid CRFIDs, and (4) a trace-driven simulator to model and evaluate the expected behavior of a CRFID with different capacitor sizes and operating under varying conditions of mobility and solar energy harvesting. Our results show that ambient harvesting can triple the effective communication range of a CRFID, quadruple the read rate, and achieve 95% uptime in RAM retention mode despite long periods of low light.

Current Events: Identifying Webpages by Tapping the Electrical Outlet

Computers plugged into power outlets leak identifiable information by drawing variable amounts of power when performing different tasks. This work examines the extent to which this side channel leaks private information about web browsing to an observer taking measurements at the power outlet. Using direct measurements of AC power consumption with an instrumented outlet, we construct a classifier that correctly identifies unlabeled power traces of webpage activity from a set of 51 candidates with 99% precision and 99% recall. The classifier rejects samples of 441 pages outside the corpus with a false-positive rate of less than 2%. It is also robust to a number of variations in webpage loading conditions, including encryption. When trained on power traces from two computers loading the same webpage, the classifier correctly labels further traces of that webpage from either computer. We identify several reasons for this consistently recognizable power consumption, including system calls, and propose countermeasures to limit the leakage of private information. Characterizing the AC power side channel may help lead to practical countermeasures that protect user privacy from an untrustworthy power infrastructure.

Recent Results in Computer Security for Medical Devices

The computer security community has recently begun research on the security and privacy issues associated with implantable medical devices and identified both existing flaws and new techniques to improve future devices. This paper surveys some of the recent work from the security community and highlights three of the major factors affecting security and privacy solutions for implantable medical devices: fundamental tensions, software risks, and human factors. We also present two challenges from the security community with which the biomedical community may be able to help: access to medical devices and methods for in vitro experimentation.

BAT: Backscatter Anything-to-Tag Communication

Computational RFID prototypes are limited by networking abstractions that impose narrow preconceptions about topologies and applications. These prototypes support programmability and integrate a wide array of sensors, which open the door to more varied applications. Implementing these on constrained platforms will need primitives that seamlessly support communication among tags and also with other devices. While overlays on top of existing protocols are possible, they introduce in ef?ciency because of packet formats designed explicitly for the tag inventory paradigm. This paper presents BAT, a networked system designed from the ground up to enable non-supply-chain RFID applications while carefully considering the unique constraints under which these platforms operate.

VFILM: a value function driven approach to information lifecycle management

Information Management (IM) services need lifecycle management, i.e., determining how long persistent information is retained locally and when it is moved to accommodate new information. This is important when bridging IM services from enterprise to tactical environments, which can have limited onboard storage and be in highly dynamic situations with varying information needs. In this paper, we describe an approach to Value Function based Information Lifecycle Management (VFILM) that balances the value of existing information to current and future missions with constraints on available storage. VFILM operates in parallel with IM services in dynamic situations where missions and their information needs, the types of information being managed, and the criticality of information to current missions and operations are changing. In contrast to current solutions that simply move the oldest or least frequently accessed information when space is needed, VFILM manages information lifecycle based on a combination of inputs including attributes of the information (its age, size, type, and other observable attributes), ongoing operations and missions, and the relationships between different pieces of information. VFILM has three primary innovative features: (1) a fuzzy logic function that calculates a ordering of information value based on multiple relative valued attributes; (2) mission/task awareness that considers current and upcoming missions in information valuation and storage requirements; and (3) information grouping that treats related information collectively. This paper describes the VFILM architecture, a VFILM prototype that works with Air Force Research Laboratory IM services, and the results of experiments showing VFILMs effectiveness and efficiency.

Hybrid-powered RFID sensor networks

RFID sensor networks comprising batteryless devices that are passively powered by RFID readers present exciting possibilities for ubiquitous computing applications. They require minimal maintenance, are cheap to manufacture and have small form factor. However, their lack of autonomy due to the need for constant power from an RFID reader hinders their deployment. We demonstrate that RFIDs augmented with ambient energy-harvesting capabilities may be used as a first-class sensor platform, allowing them to operate untethered from reader infrastructure. Specifically, we show that a CRFID-based accelerometer sensor can provide both real-time and delayed access to time-stamped sensor data when provided with a small amount of solar energy. The data is collected using a standard RFID reader and displayed in a graphical interface.