986 research outputs found
Cybersecurity in implantable medical devices
Mención Internacional en el título de doctorImplantable Medical Devices (IMDs) are electronic devices implanted within
the body to treat a medical condition, monitor the state or improve the
functioning of some body part, or just to provide the patient with a capability
that he did not possess before [86]. Current examples of IMDs
include pacemakers and defibrillators to monitor and treat cardiac conditions;
neurostimulators for deep brain stimulation in cases such as epilepsy
or Parkinson; drug delivery systems in the form of infusion pumps; and a
variety of biosensors to acquire and process different biosignals.
Some of the newest IMDs have started to incorporate numerous communication
and networking functions—usually known as “telemetry”—,
as well as increasingly more sophisticated computing capabilities. This
has provided implants with more intelligence and patients with more autonomy,
as medical personnel can access data and reconfigure the implant
remotely (i.e., without the patient being physically present in medical facilities).
Apart from a significant cost reduction, telemetry and computing
capabilities also allow healthcare providers to constantly monitor the patient’s
condition and to develop new diagnostic techniques based on an
Intra Body Network (IBN) of medical devices [25, 26, 201].
Evolving from a mere electromechanical IMD to one with more advanced
computing and communication capabilities has many benefits but
also entails numerous security and privacy risks for the patient. The majority
of such risks are relatively well known in classical computing scenarios,
though in many respects their repercussions are far more critical in the case
of implants. Attacks against an IMD can put at risk the safety of the patient
who carries it, with fatal consequences in certain cases. Causing an intentional
malfunction of an implant can lead to death and, as recognized by the
U.S. Food and Drug Administration (FDA), such deliberate attacks could
be far more difficult to detect than accidental ones [61]. Furthermore, these
devices store and transmit very sensitive medical information that requires
protection, as dictated by European (e.g., Directive 95/46/ECC) and U.S.
(e.g., CFR 164.312) Directives [94, 204].
The wireless communication capabilities present in many modern IMDs
are a major source of security risks, particularly while the patient is in open
(i.e., non-medical) environments. To begin with, the implant becomes no
longer “invisible”, as its presence could be remotely detected [48]. Furthermore,
it facilitates the access to transmitted data by eavesdroppers who
simply listen to the (insecure) channel [83]. This could result in a major privacy breach, as IMDs store sensitive information such as vital signals,
diagnosed conditions, therapies, and a variety of personal data (e.g., birth
date, name, and other medically relevant identifiers). A vulnerable communication
channel also makes it easier to attack the implant in ways similar
to those used against more common computing devices [118, 129, 156],
i.e., by forging, altering, or replying previously captured messages [82].
This could potentially allow an adversary to monitor and modify the implant
without necessarily being close to the victim [164]. In this regard,
the concerns of former U.S. vice-president Dick Cheney constitute an excellent
example: he had his Implantable Cardioverter Defibrillator (ICD)
replaced by another without WiFi capability [219].
While there are still no known real-world incidents, several attacks on
IMDs have been successfully demonstrated in the lab [83, 133, 143]. These
attacks have shown how an adversary can disable or reprogram therapies
on an ICD with wireless connectivity, and even inducing a shock state to
the patient [65]. Other attacks deplete the battery and render the device
inoperative [91], which often implies that the patient must undergo a surgical
procedure to have the IMD replaced. Moreover, in the case of cardiac
implants, they have a switch that can be turned off merely by applying a
magnetic field [149]. The existence of this mechanism is motivated by the
need to shield ICDs to electromagnetic fields, for instance when the patient
undergoes cardiac surgery using electrocautery devices [47]. However, this
could be easily exploited by an attacker, since activating such a primitive
mechanism does not require any kind of authentication.
In order to prevent attacks, it is imperative that the new generation of
IMDs will be equipped with strong mechanisms guaranteeing basic security
properties such as confidentiality, integrity, and availability. For example,
mutual authentication between the IMD and medical personnel is
essential, as both parties must be confident that the other end is who claims
to be. In the case of the IMD, only commands coming from authenticated
parties should be considered, while medical personnel should not trust any
message claiming to come from the IMD unless sufficient guarantees are
given.
Preserving the confidentiality of the information stored in and transmitted
by the IMD is another mandatory aspect. The device must implement
appropriate security policies that restrict what entities can reconfigure the
IMD or get access to the information stored in it, ensuring that only authorized
operations are executed. Similarly, security mechanisms have to
be implemented to protect the content of messages exchanged through an insecure wireless channel.
Integrity protection is equally important to ensure that information has
not been modified in transit. For example, if the information sent by the
implant to the Programmer is altered, the doctor might make a wrong decision.
Conversely, if a command sent to the implant is forged, modified,
or simply contains errors, its execution could result in a compromise of the
patient’s physical integrity.
Technical security mechanisms should be incorporated in the design
phase and complemented with appropriate legal and administrative measures.
Current legislation is rather permissive in this regard, allowing the
use of implants like ICDs that do not incorporate any security mechanisms.
Regulatory authorities like the FDA in the U.S or the EMA (European
Medicines Agency) in Europe should promote metrics and frameworks for
assessing the security of IMDs. These assessments should be mandatory
by law, requiring an adequate security level for an implant before approving
its use. Moreover, both the security measures supported on each IMD
and the security assessment results should be made public.
Prudent engineering practices well known in the safety and security domains
should be followed in the design of IMDs. If hardware errors are
detected, it often entails a replacement of the implant, with the associated
risks linked to a surgery. One of the main sources of failure when treating
or monitoring a patient is precisely malfunctions of the device itself.
These failures are known as “recalls” or “advisories”, and it is estimated
that they affect around 2.6% of patients carrying an implant. Furthermore,
the software running on the device should strictly support the functionalities
required to perform the medical and operational tasks for what it was
designed, and no more [66, 134, 213].
In Chapter 1, we present a survey of security and privacy issues in
IMDs, discuss the most relevant mechanisms proposed to address these
challenges, and analyze their suitability, advantages, and main drawbacks.
In Chapter 2, we show how the use of highly compressed electrocardiogram
(ECG) signals (only 24 coefficients of Hadamard Transform) is enough
to unequivocally identify individuals with a high performance (classification
accuracy of 97% and with identification system errors in the order of
10−2). In Chapter 3 we introduce a new Continuous Authentication scheme
that, contrarily to previous works in this area, considers ECG signals as
continuous data streams. The proposed ECG-based CA system is intended
for real-time applications and is able to offer an accuracy up to 96%, with
an almost perfect system performance (kappa statistic > 80%). In Chapter 4, we propose a distance bounding protocol to manage access control of
IMDs: ACIMD. ACIMD combines two features namely identity verification
(authentication) and proximity verification (distance checking). The
authentication mechanism we developed conforms to the ISO/IEC 9798-2
standard and is performed using the whole ECG signal of a device holder,
which is hardly replicable by a distant attacker. We evaluate the performance
of ACIMD using ECG signals of 199 individuals over 24 hours,
considering three adversary strategies. Results show that an accuracy of
87.07% in authentication can be achieved. Finally, in Chapter 5 we extract
some conclusions and summarize the published works (i.e., scientific
journals with high impact factor and prestigious international conferences).Los Dispositivos Médicos Implantables (DMIs) son dispositivos electrónicos
implantados dentro del cuerpo para tratar una enfermedad, controlar
el estado o mejorar el funcionamiento de alguna parte del cuerpo, o simplemente
para proporcionar al paciente una capacidad que no poseía antes
[86]. Ejemplos actuales de DMI incluyen marcapasos y desfibriladores
para monitorear y tratar afecciones cardíacas; neuroestimuladores para la
estimulación cerebral profunda en casos como la epilepsia o el Parkinson;
sistemas de administración de fármacos en forma de bombas de infusión; y
una variedad de biosensores para adquirir y procesar diferentes bioseñales.
Los DMIs más modernos han comenzado a incorporar numerosas funciones
de comunicación y redes (generalmente conocidas como telemetría)
así como capacidades de computación cada vez más sofisticadas. Esto
ha propiciado implantes con mayor inteligencia y pacientes con más autonomía,
ya que el personal médico puede acceder a los datos y reconfigurar
el implante de forma remota (es decir, sin que el paciente esté
físicamente presente en las instalaciones médicas). Aparte de una importante
reducción de costos, las capacidades de telemetría y cómputo también
permiten a los profesionales de la atención médica monitorear constantemente
la condición del paciente y desarrollar nuevas técnicas de diagnóstico
basadas en una Intra Body Network (IBN) de dispositivos médicos
[25, 26, 201].
Evolucionar desde un DMI electromecánico a uno con capacidades de
cómputo y de comunicación más avanzadas tiene muchos beneficios pero
también conlleva numerosos riesgos de seguridad y privacidad para el paciente.
La mayoría de estos riesgos son relativamente bien conocidos en los
escenarios clásicos de comunicaciones entre dispositivos, aunque en muchos
aspectos sus repercusiones son mucho más críticas en el caso de los
implantes. Los ataques contra un DMI pueden poner en riesgo la seguridad
del paciente que lo porta, con consecuencias fatales en ciertos casos.
Causar un mal funcionamiento intencionado en un implante puede causar
la muerte y, tal como lo reconoce la Food and Drug Administration (FDA)
de EE.UU, tales ataques deliberados podrían ser mucho más difíciles de
detectar que los ataques accidentales [61]. Además, estos dispositivos almacenan
y transmiten información médica muy delicada que requiere se
protegida, según lo dictado por las directivas europeas (por ejemplo, la Directiva 95/46/ECC) y estadunidenses (por ejemplo, la Directiva CFR
164.312) [94, 204].
Si bien todavía no se conocen incidentes reales, se han demostrado con
éxito varios ataques contra DMIs en el laboratorio [83, 133, 143]. Estos
ataques han demostrado cómo un adversario puede desactivar o reprogramar
terapias en un marcapasos con conectividad inalámbrica e incluso
inducir un estado de shock al paciente [65]. Otros ataques agotan
la batería y dejan al dispositivo inoperativo [91], lo que a menudo implica
que el paciente deba someterse a un procedimiento quirúrgico para reemplazar
la batería del DMI. Además, en el caso de los implantes cardíacos,
tienen un interruptor cuya posición de desconexión se consigue simplemente
aplicando un campo magnético intenso [149]. La existencia de este
mecanismo está motivada por la necesidad de proteger a los DMIs frete
a posibles campos electromagnéticos, por ejemplo, cuando el paciente se
somete a una cirugía cardíaca usando dispositivos de electrocauterización
[47]. Sin embargo, esto podría ser explotado fácilmente por un atacante,
ya que la activación de dicho mecanismo primitivo no requiere ningún tipo
de autenticación.
Garantizar la confidencialidad de la información almacenada y transmitida
por el DMI es otro aspecto obligatorio. El dispositivo debe implementar
políticas de seguridad apropiadas que restrinjan qué entidades
pueden reconfigurar el DMI o acceder a la información almacenada en él,
asegurando que sólo se ejecuten las operaciones autorizadas. De la misma
manera, mecanismos de seguridad deben ser implementados para proteger
el contenido de los mensajes intercambiados a través de un canal inalámbrico
no seguro.
La protección de la integridad es igualmente importante para garantizar
que la información no se haya modificado durante el tránsito. Por ejemplo,
si la información enviada por el implante al programador se altera, el
médico podría tomar una decisión equivocada. Por el contrario, si un comando
enviado al implante se falsifica, modifica o simplemente contiene
errores, su ejecución podría comprometer la integridad física del paciente.
Los mecanismos de seguridad deberían incorporarse en la fase de diseño
y complementarse con medidas legales y administrativas apropiadas.
La legislación actual es bastante permisiva a este respecto, lo que permite
el uso de implantes como marcapasos que no incorporen ningún mecanismo
de seguridad. Las autoridades reguladoras como la FDA en los Estados
Unidos o la EMA (Agencia Europea de Medicamentos) en Europa deberían
promover métricas y marcos para evaluar la seguridad de los DMIs.
Estas evaluaciones deberían ser obligatorias por ley, requiriendo un nivel
de seguridad adecuado para un implante antes de aprobar su uso. Además,
tanto las medidas de seguridad implementadas en cada DMI como los resultados
de la evaluación de su seguridad deberían hacerse públicos.
Buenas prácticas de ingeniería en los dominios de la protección y la
seguridad deberían seguirse en el diseño de los DMIs. Si se detectan errores
de hardware, a menudo esto implica un reemplazo del implante, con
los riesgos asociados y vinculados a una cirugía. Una de las principales
fuentes de fallo al tratar o monitorear a un paciente es precisamente el
mal funcionamiento del dispositivo. Estos fallos se conocen como “retiradas”,
y se estima que afectan a aproximadamente el 2,6 % de los pacientes
que llevan un implante. Además, el software que se ejecuta en el
dispositivo debe soportar estrictamente las funcionalidades requeridas para
realizar las tareas médicas y operativas para las que fue diseñado, y no más
[66, 134, 213].
En el Capítulo 1, presentamos un estado de la cuestión sobre cuestiones
de seguridad y privacidad en DMIs, discutimos los mecanismos más relevantes
propuestos para abordar estos desafíos y analizamos su idoneidad,
ventajas y principales inconvenientes. En el Capítulo 2, mostramos
cómo el uso de señales electrocardiográficas (ECGs) altamente comprimidas
(sólo 24 coeficientes de la Transformada Hadamard) es suficiente para
identificar inequívocamente individuos con un alto rendimiento (precisión
de clasificación del 97% y errores del sistema de identificación del orden
de 10−2). En el Capítulo 3 presentamos un nuevo esquema de Autenticación
Continua (AC) que, contrariamente a los trabajos previos en esta
área, considera las señales ECG como flujos de datos continuos. El sistema
propuesto de AC basado en señales cardíacas está diseñado para aplicaciones
en tiempo real y puede ofrecer una precisión de hasta el 96%,
con un rendimiento del sistema casi perfecto (estadístico kappa > 80 %).
En el Capítulo 4, proponemos un protocolo de verificación de la distancia
para gestionar el control de acceso al DMI: ACIMD. ACIMD combina
dos características, verificación de identidad (autenticación) y verificación
de la proximidad (comprobación de la distancia). El mecanismo de autenticación
es compatible con el estándar ISO/IEC 9798-2 y se realiza utilizando
la señal ECG con todas sus ondas, lo cual es difícilmente replicable
por un atacante que se encuentre distante. Hemos evaluado el rendimiento
de ACIMD usando señales ECG de 199 individuos durante 24 horas, y
hemos considerando tres estrategias posibles para el adversario. Los resultados
muestran que se puede lograr una precisión del 87.07% en la au tenticación. Finalmente, en el Capítulo 5 extraemos algunas conclusiones
y resumimos los trabajos publicados (es decir, revistas científicas con alto
factor de impacto y conferencias internacionales prestigiosas).Programa Oficial de Doctorado en Ciencia y Tecnología InformáticaPresidente: Arturo Ribagorda Garnacho.- Secretario: Jorge Blasco Alís.- Vocal: Jesús García López de Lacall
Assentication: User Deauthentication and Lunchtime Attack Mitigation with Seated Posture Biometric
Biometric techniques are often used as an extra security factor in
authenticating human users. Numerous biometrics have been proposed and
evaluated, each with its own set of benefits and pitfalls. Static biometrics
(such as fingerprints) are geared for discrete operation, to identify users,
which typically involves some user burden. Meanwhile, behavioral biometrics
(such as keystroke dynamics) are well suited for continuous, and sometimes more
unobtrusive, operation. One important application domain for biometrics is
deauthentication, a means of quickly detecting absence of a previously
authenticated user and immediately terminating that user's active secure
sessions. Deauthentication is crucial for mitigating so called Lunchtime
Attacks, whereby an insider adversary takes over (before any inactivity timeout
kicks in) authenticated state of a careless user who walks away from her
computer. Motivated primarily by the need for an unobtrusive and continuous
biometric to support effective deauthentication, we introduce PoPa, a new
hybrid biometric based on a human user's seated posture pattern. PoPa captures
a unique combination of physiological and behavioral traits. We describe a low
cost fully functioning prototype that involves an office chair instrumented
with 16 tiny pressure sensors. We also explore (via user experiments) how PoPa
can be used in a typical workplace to provide continuous authentication (and
deauthentication) of users. We experimentally assess viability of PoPa in terms
of uniqueness by collecting and evaluating posture patterns of a cohort of
users. Results show that PoPa exhibits very low false positive, and even lower
false negative, rates. In particular, users can be identified with, on average,
91.0% accuracy. Finally, we compare pros and cons of PoPa with those of several
prominent biometric based deauthentication techniques
Utilizing ECG Waveform Features as New Biometric Authentication Method
In this study, we are proposing a practical way for human identification based on a new biometric method. The new method is built on the use of the electrocardiogram (ECG) signal waveform features, which are produced from the process of acquiring electrical activities of the heart by using electrodes placed on the body. This process is launched over a period of time by using a recording device to read and store the ECG signal. On the contrary of other biometrics method like voice, fingerprint and iris scan, ECG signal cannot be copied or manipulated. The first operation for our system is to record a portion of 30 seconds out of whole ECG signal of a certain user in order to register it as user template in the system. Then the system will take 7 to 9 seconds in authenticating the template using template matching techniques. 44 subjects‟ raw ECG data were downloaded from Physionet website repository. We used a template matching technique for the authentication process and Linear SVM algorithm for the classification task. The accuracy rate was 97.2% for the authentication process and 98.6% for the classification task; with false acceptance rate 1.21%
Shallow Neural Network for Biometrics from the ECG-WATCH
Applications such as surveillance, banking and healthcare deal with sensitive data whose confidentiality and integrity depends on accurate human recognition. In this sense, the crucial mechanism for performing an effective access control is authentication, which unequivocally yields user identity. In 2018, just in North America, around 445K identity thefts have been denounced. The most adopted strategy for automatic identity recognition uses a secret for encrypting and decrypting the authentication information. This approach works very well until the secret is kept safe. Electrocardiograms (ECGs) can be exploited for biometric purposes because both the physiological and geometrical differences in each human heart correspond to uniqueness in the ECG morphology. Compared with classical biometric techniques, e.g. fingerprints, ECG-based methods can definitely be considered a more reliable and safer way for user authentication due to ECG inherent robustness to circumvention, obfuscation and replay attacks. In this paper, the ECG WATCH, a non-expensive wristwatch for recording ECGs anytime, anywhere, in just 10 s, is proposed for user authentication. The ECG WATCH acquisitions have been used to train a shallow neural network, which has reached a 99% classification accuracy and 100% intruder recognition rate
Reconhecimento de padrões baseado em compressão: um exemplo de biometria utilizando ECG
The amount of data being collected by sensors and smart devices that
people use on their daily lives has been increasing at higher rates than
ever before. That enables the possibility of using biomedical signals in
several applications, with the aid of pattern recognition algorithms in several
applications. In this thesis we investigate the usage of compression based
methods to perform classification using one-dimensional signals. In order to
test those methods, we use as testbed example, electrocardiographic (ECG)
signals and the task biometric identification.
First and foremost, we introduce the notion of Kolmogorov complexity
and how it relates with compression methods. Then, we explain how
can these methods be useful for pattern recognition, by exploring different
compression-based measures, namely, the Normalized Relative Compression,
a measure based on the relative similarity between strings. For this purpose,
we present finite-context models and explain the theory behind a generalized
version of those models, called the extended-alphabet finite-context models,
a novel contribution.
Since the testbed application for the methods presented in the thesis is
based on ECG signals, we explain what constitutes such a signal and the
methods that should be used before data compresison can be applied to
them, such as filtering and quantization.
Finally, we explore the application of biometric identification using the ECG
signal into more depth, making some tests regarding the acquisition of
signals and benchmark different proposals based on compresison methods,
namely, non-fiducial ones. We also highlight the advantages of such an
alternative approach to machine learning methods, namely, low computational
costs and not requiring any kind of feature extraction, making this
approach easily transferable into different applications and signals.A quantidade de dados recolhidos por sensores e dispositivos inteligentes
que as pessoas utilizam no seu dia a dia tem aumentado a taxas mais
elevadas do que nunca. Isso possibilita a utilização de sinais biomédicos
em diversas aplicações práticas, com o auxílio de algoritmos de reconhecimento
de padrões. Nesta tese, investigamos o uso de métodos baseados
em compressão para realizar classificação de sinais unidimensionais. Para
testar esses métodos, utilizamos, como aplicação de exemplo, o problema
de identificação biométrica através de sinais eletrocardiográficos (ECG).
Em primeiro lugar, introduzimos a noção de complexidade de Kolmogorov
e a forma como a mesma se relaciona com os métodos de compressão. De
seguida, explicamos como esses métodos são úteis para reconhecimento de
padrões, explorando diferentes medidas baseadas em compressão, nomeadamente,
a compressão relativa normalizada (NRC), uma medida baseada
na similaridade relativa entre strings. Para isso, apresentamos os modelos
de contexto finito e explicaremos a teoria por detrás de uma versão generalizada
desses modelos, chamados de modelos de contexto finito de alfabeto
estendido (xaFCM), uma nova contribuição.
Uma vez que a aplicação de exemplo para os métodos apresentados na tese
é baseada em sinais de ECG, explicamos também o que constitui tal sinal
e os métodos que devem ser utilizados antes que a compressão de dados
possa ser aplicada aos mesmos, tais como filtragem e quantização.
Por fim, exploramos com maior profundidade a aplicação da identificação
biométrica utilizando o sinal de ECG, realizando alguns testes relativos à
aquisição de sinais e comparando diferentes propostas baseadas em métodos
de compressão, nomeadamente os não fiduciais. Destacamos também as
vantagens de tal abordagem, alternativa aos métodos de aprendizagem computacional, nomeadamente, baixo custo computacional bem como não exigir tipo de extração de atributos, tornando esta abordagem mais facilmente
transponível para diferentes aplicações e sinais.Programa Doutoral em Informátic
Non-invasive multi-modal human identification system combining ECG, GSR, and airflow biosignals
A huge amount of data can be collected through a wide variety of sensor technologies. Data mining techniques are often useful for the analysis of gathered data. This paper studies the use of three wearable sensors that monitor the electrocardiogram, airflow, and galvanic skin response of a subject with the purpose of designing an efficient multi-modal human identification system. The proposed system, based on the rotation forest ensemble algorithm, offers a high accuracy (99.6 % true acceptance rate and just 0.1 % false positive rate). For its evaluation, the proposed system was testing against the characteristics commonly demanded in a biometric system, including universality, uniqueness, permanence, and acceptance. Finally, a proof-of-concept implementation of the system is demonstrated on a smartphone and its performance is evaluated in terms of processing speed and power consumption. The identification of a sample is extremely efficient, taking around 200 ms and consuming just a few millijoules. It is thus feasible to use the proposed system on a regular smartphone for user identification.This work was supported by MINECO grant TIN2013- 46469-R (SPINY: Security and Privacy in the Internet of You) and CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks)
- …