UNKNOWN DEVICE
Report
- Report Number: 3007566237-2018-01502
- Event Type: Malfunction
- Date Received: May 18, 2018
- Date of Event: March 19, 2018
- Report Date: May 18, 2018
- Manufacturer: MEDTRONIC NEUROMODULATION
- Product Code: GZF
- PMA / PMN Number: P840001
- Product Problem: Yes
- Report Source: Manufacturer report
- Reporter Location: BE
- Reporter Occupation: OTHER
Narratives
MARIN, E., SINGLELEE, D., YANG, B., VOLSKI, V., VANDENBOSCH, GAE., NUTTIN, B., PRENEEL, B. SECURING WIRELESS NEUROSTIMULATORS. PROCEEDINGS OF THE EIGHTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY. 2018. DOI: 10.1145/3176258.3176310. PLEASE NOTE THAT THIS DATE IS BASED OFF OF THE DATE OF PUBLICATION OF THE ARTICLE AS THE EVENT DATES WERE NOT PROVIDED IN THE PUBLISHED LITERATURE. IF INFORMATION IS PROVIDED IN THE FUTURE, A SUPPLEMENTAL REPORT WILL BE ISSUED.
SUMMARY: IMPLANTABLE MEDICAL DEVICES (IMDS) TYPICALLY RELY ON PROPRIETARY PROTOCOLS TO WIRELESSLY COMMUNICATE WITH EXTERNAL DEVICE PROGRAMMERS. IN THIS PAPER, WE FULLY REVERSE ENGINEER THE PROPRIETARY PROTOCOL BETWEEN A DEVICE PROGRAMMER AND A WIDELY USED COMMERCIAL NEUROSTIMULATOR FROM ONE OF THE LEADING IMD MANUFACTURERS. FOR THE REVERSE ENGINEERING, WE FOLLOW A BLACK-BOX APPROACH AND USE INEXPENSIVE HARDWARE EQUIPMENT. WE DOCUMENT THE MESSAGE FORMAT AND THE PROTOCOL STATE-MACHINE, AND SHOW THAT THE TRANSMISSIONS SENT OVER THE AIR ARE NEITHER ENCRYPTED NOR AUTHENTICATED. FURTHERMORE, WE CONDUCT SEVERAL SOFTWARE RADIO-BASED ATTACKS THAT COULD COMPROMISE THE SAFETY AND PRIVACY OF PATIENTS, AND INVESTIGATE THE FEASIBILITY OF PERFORMING THESE ATTACKS IN REAL SCENARIOS. MOTIVATED BY OUR FINDINGS, WE PROPOSE A SECURITY ARCHITECTURE THAT ALLOWS FOR SECURE DATA EXCHANGE BETWEEN THE DEVICE PROGRAMMER AND THE NEUROSTIMULATOR. IT RELIES ON USING A PATIENT'S PHYSIOLOGICAL SIGNAL FOR GENERATING A SYMMETRIC KEY IN THE NEUROSTIMULATOR, AND TRANSPORTING THIS KEY FROM THE NEUROSTIMULATOR TO THE DEVICE PROGRAMMER THROUGH A SECRET OUT-OF-BAND (OOB) CHANNEL. OUR SOLUTION ALLOWS THE DEVICE PROGRAMMER AND THE NEUROSTIMULATOR TO AGREE ON A SYMMETRIC SESSION KEY WITHOUT THESE DEVICES NEEDING TO SHARE ANY PRIOR SECRETS; OFFERS AN EFFECTIVE AND PRACTICAL BALANCE BETWEEN SECURITY AND PERMISSIVE ACCESS IN EMERGENCIES; REQUIRES ONLY MINOR HARDWARE CHANGES IN THE DEVICES; ADDS MINIMAL COMPUTATION AND COMMUNICATION OVERHEAD; AND PROVIDES FORWARD AND BACKWARD SECURITY. FINALLY, WE IMPLEMENT A PROOF-OF-CONCEPT OF OUR SOLUTION.
REPORTED EVENTS: THE AUTHORS REPORTED THAT, IN AN EFFORT TO EVALUATE THE DATA SECURITY AND PRIVACY CHARACTERISTICS OF IMPLANTABLE NEUROSTIMULATOR (INS) SOFTWARE, THEY WERE ABLE TO FULLY REVERSE ENGINEER THE PROPRIETARY PROTOCOL BETWEEN THE DEVICE PROGRAMMER AND THE NEUROSTIMULATOR OVER A SHORT-RANGE COMMUNICATION CHANNEL.
THEY DEMONSTRATED THAT REVERSE ENGINEERING WAS POSSIBLE WITHOUT NEEDING TO HAVE PHYSICAL ACCESS TO THE DEVICES, NOTING THAT HAVING HAD ACCESS TO THE PROGRAMMER AND INS SPED UP THE PROCESS, BUT THE INNER WORKINGS OF THE COMMUNICATION PROTOCOL COULD THEORETICALLY BE DECODED EVEN WHEN THE ACTIONS BEING PERFORMED ON THE DEVICE PROGRAMMER ARE NOT KNOWN. ULTIMATELY THE AUTHORS WERE ABLE TO DOCUMENT THE MESSAGE FORMAT AND THE PROTOCOL STATE-MACHINE, AS WELL AS TO DISCOVER THAT THE MESSAGES EXCHANGED BETWEEN THE DEVICES ARE NEITHER ENCRYPTED NOR AUTHENTICATED. THEY WERE THEN ABLE TO DEMONSTRATE USING INEXPENSIVE HARDWARE DEVICES SEVERAL SOFTWARE RADIO-BASED ATTACKS THAT COULD ENDANGER THE PATIENTS' SAFETY OR COMPROMISE THEIR PRIVACY IF PERFORMED ON A REAL IMPLANTED DEVICE. FOR ONE, THEY DESCRIBE THE ABILITY TO PERFORM A "REPLAY ATTACK" IN WHICH THEY WERE ABLE TO MODIFY ANY OF THE NEUROSTIMULATOR SETTINGS BY INTERCEPTING AND REPLAYING PAST TRANSMISSIONS SENT FROM LEGITIMATE PROGRAMMERS. THEY NOTED THAT THIS WAS PRACTICALLY LIMITED BY THE FACT THAT A POTENTIAL ASSAILANT MUST WAIT UNTIL THERE WAS ACTIVE COMMUNICATION BETWEEN A PROGRAMMER AND INS TO INTERCEPT THESE TRANSMISSIONS AND THEY ARE LIMITED TO REPLAYING PREVIOUSLY SENT/INTERCEPTED MESSAGES. ANOTHER EXPLOIT THEY INVESTIGATED THEY TERMED A "SPOOFING ATTACK;" ONCE THEY WERE ABLE TO FULLY REVERSE-ENGINEER THE DEVICE'S PROTOCOL THEY WERE ABLE TO CREATE ANY ARBITRARY MESSAGE AND SEND IT TO THE INS, ALLOWING THEM TO CHANGE DATA FIELDS SUCH AS PATIENT NAME. PRACTICALLY THIS WOULD REQUIRE GETTING CLOSE ENOUGH TO THE VICTIM TO COMMUNICATE WITH THE INS, HOWEVER THEY HYPOTHESIZED THAT THIS COULD BE FEASIBLE IN SETTINGS SUCH AS A CROWDED SUBWAY. MOREOVER, ANY PRIVATE DATA SENT BETWEEN PROGRAMMER AND INS REPORTEDLY COULD BE OBTAINED BY MALICIOUS EAVESDROPPERS. LASTLY, THE AUTHORS HYPOTHESIZED DENIAL OF SERVICE (DOS) ATTACKS WOULD BE POSSIBLE BY REPEATEDLY SENDING MALICIOUS MESSAGES, BUT THEY DID NOT ATTEMPT TO SIMULATE THIS.
IT WAS NOT POSSIBLE TO ASCERTAIN SPECIFIC DEVICE INFORMATION FROM THE ARTICLE.
Devices
| Seq | Brand | Generic | Product Code | Manufacturer | Model | Lot | UDI-DI |
|---|---|---|---|---|---|---|---|
| 367196 | UNKNOWN DEVICE | STIMULATOR, PERIPHERAL NERVE, IMPLANTED (PAIN RELIEF) | GZF | MEDTRONIC NEUROMODULATION | NEU_UNKNOWN | UNKNOWN |
Patients
| Seq | Age | Sex | Outcome | Treatment |
|---|---|---|---|---|
| 1 | | | | |