This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion - - PowerPoint PPT Presentation

this ain t your dose sensor spoofing attack on medical
SMART_READER_LITE
LIVE PREVIEW

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion - - PowerPoint PPT Presentation

Sep 01, 2023 124 likes •474 views

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs 2 System Security Laboratory, KAIST 10th USENIX Workshop on Offensive

slide-1
SLIDE 1

This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump

Youngseok Park1,2, Yunmok Son2, Hocheol Shin2, Dohyun Kim2, and Yongdae Kim2

1 NAVER Labs 2 System Security Laboratory, KAIST

10th USENIX Workshop on Offensive Technologies (WOOT '16) Aug.09.2016

slide-2
SLIDE 2

Sensor

v Sensing changes in physical property and converting to electric signal v Gyroscope, Accelerometer, Radar, Sonar, Infrared sensor, etc.

2

slide-3
SLIDE 3

Sensing and Actuation System

3

Real World Processor Sensor Actuator

Sensing Actuation

System ADC

ADC: Analog-to-Digital Converter

Converting Processing Gyroscope Radar Flight control Crash avoidance

slide-4
SLIDE 4

Sensing and Actuation System

4

Real World Processor Sensor Actuator

Sensing Actuation

System ADC

ADC: Analog-to-Digital Converter

Converting Processing Gyroscope Radar Flight control Crash avoidance

No Authentication Vulnerable to sensor spoofing attack

Spoofing!

slide-5
SLIDE 5

Sensor Spoofing Attack

v Manipulating sensors with a malicious signal v Previous works

  • Attacking Circuit using EMI: Injecting EMI into a wire of a defibrillator (S&P’13)
  • Canceling and injecting Active Sensor Signal: magnetic signal on ABS sensor (CHES’13)
  • Generating Resonance (DoS): Injecting sound noise into a gyroscope of a drone (SEC’15)

5 EMI: Electromagnetic Interference ABS: Anti-lock Braking System

slide-6
SLIDE 6

6

This Work: Manipulating Sensing Values by Saturating Receiver

slide-7
SLIDE 7

Target: Medical Infusion Pump

v Controlling infused volume of medicine to patients v Sometimes using a drop sensor for accuracy

7

Infusion Pump (body)

Display Control panel Actuator (Peristaltic Fingers) IV Tube

To human’s body From drop sensor

Medicine IR receiver IR emitter

To infusion pump body

Drop sensor

Drop IV Tube Drip chamber Output

~

slide-8
SLIDE 8

Infusion Pump Operation

8

Light

slide-9
SLIDE 9

Sensor Saturation

v New type of sensor spoofing attack using saturation

  • Sensors have typical operating region
  • Output is saturated when exceeding a saturation point
  • Blinding sensors

9 In case of the infusion pump

slide-10
SLIDE 10

Medical Infusion Pump

v Two infusion pumps with drop sensors

10

Infusion pump Drop sensor JSB-1200 (Pump1) BYS-820 (Pump2)

slide-11
SLIDE 11

Hardware Analysis

v Pump1 (JSB-1200)

11 Peristaltic fingers Tube

Infusion pump

LED

Drop sensor

IR emitter IR receiver IR Filter

slide-12
SLIDE 12

Hardware Analysis

v Measuring signal with oscilloscope

  • Connector = 4 pins: VCC, GND, LED, and IN (signal)

12

Connector (Device side) Four pins (Sensor side) Normal drop

slide-13
SLIDE 13

Simple Test (Saturation, w/o filter)

13

slide-14
SLIDE 14

Simple Test (Saturation, w/o filter)

14

slide-15
SLIDE 15

Hardware Analysis

v Mainboard (2 MCUs)

15 W78E516D (MCU2) AT89S52 (MCU1)

Internal structure

SPI Port Drop sensor port

slide-16
SLIDE 16

Hardware Analysis

v Sensor output is inserted to MCU1 after ADC

  • 8-bit ADC (0 to 255)
  • Digital signal indicates voltage level of the drop sensor

16

Output of ADC

8-bit ADC

IN (sensor output)

MCU1

slide-17
SLIDE 17

Firmware Extraction

v Extracting firmware of MCU1 via SPI port

  • Reading Flash memory using USBISP and AVR Studio
  • Data section -> 8051 assembly -> IDA Pro

17

USBISP AVR Studio 4 Intel HEX format Data section

AT89S52 (MCU1) SPI Port

slide-18
SLIDE 18

Firmware Analysis

v Finding sensor output in Timer interrupt function

18

Put 8-bit sensor output to RAM

slide-19
SLIDE 19

Firmware Analysis

19

slide-20
SLIDE 20

Drop Detection Algorithm

20

Sensing drop when voltage decreases by 𝟏.𝟒𝟑𝑾 Send command (0x11) through serial port, connected to MCU2

slide-21
SLIDE 21

Pump1 Structure

  • 1. Drop sensor output enters into AT89S52 (MCU1)
  • 2. MCU1 sends data to W78E516D (MCU2) via serial comm.
  • 3. MCU2 actuates peripherals with this data
  • Pins of MCU2 are directly connected to motor, display and alarm

21

slide-22
SLIDE 22

Vulnerability

v Drop sensor

  • Saturated with an external source
  • Cannot sense drops in saturation

v Drop detection algorithm

  • Counting drops based on a relative change in voltage
  • Making a voltage drop to sensor output

22

Saturation Fake drop

slide-23
SLIDE 23

Experimental Setting

23

Measuring cylinder IR Laser (905nm, 30mW) Drop sensor Arduino Infusion pump

slide-24
SLIDE 24

Experiment

v Performed on both infusion pumps (Pump1, Pump2) v Saturation (failed in Pump2)

  • Sensor is saturated when injecting IR laser to receiver
  • Drop sensor cannot sense real drops -> Over-infusion

v Fake drops

  • Sensor is deceived by fake drops with external IR
  • Pump perceives that there are drops already -> Under-infusion

v Both cases cause an alarm

24

slide-25
SLIDE 25

Spoofing Pattern

v Over-infusion

  • Alarm: “No drop is detected”
  • Inject some period and compensate insufficient drops

v Under-infusion

  • Alarm: “Too many drops are detected”
  • Find properly interval of fake drops experimentally

v Example (60mL/h setting)

  • 1 drop per 3 seconds

25 Normal operation Continuous saturation Over-infusion

Saturation time (13s) Real drop interval (3s) drop fake drop Alarm

Under-infusion

Fake drop interval 2s

slide-26
SLIDE 26

Demo (Over-infusion)

26

slide-27
SLIDE 27

Demo (Under-infusion)

27

slide-28
SLIDE 28

Spoofing Pattern

v Over-infusion

  • Alarm: “No drop is detected”
  • Inject some period and compensate insufficient drops

v Under-infusion

  • Alarm: “Too many drops are detected”
  • Find properly interval of fake drops experimentally

28 Normal operation Continuous saturation Over-infusion

Saturation time Real drop interval drop fake drop Alarm

Under-infusion

Fake drop interval 2s

slide-29
SLIDE 29

Results

v Controlling infused volume is possible

  • By adjusting saturation time or fake drops
  • Measured in 10 minutes and 5 times each (No alarm rings over 30 minutes)
  • Over-infusion fails on Pump2

29

slide-30
SLIDE 30

Discussion

v Attack distance

  • Related to power of source
  • Possible in the range of 12m with 30mW IR laser

v Mitigation

  • Authentication between emitter and receiver
  • PyCRA (CCS ‘15)
  • Generate random zero signal in an emitter
  • Voltage level detection
  • Checking boundary of legitimate signal
  • Physical isolation

30

Saturation

(by spoofing)

Sensor output

Real drops

(without spoofing)

Boundary check Detect!

Concept of PyCRA Voltage level detection

slide-31
SLIDE 31

Discussion

v Attack distance

  • Related to power of source
  • Possible in the range of 12m with 30mW IR laser

v Mitigation

  • Authentication between emitter and receiver
  • PyCRA (CCS ‘15)
  • Generate random zero signal in an emitter
  • Voltage level detection
  • Checking boundary of legitimate signal
  • Physical isolation

31

slide-32
SLIDE 32

Conclusion

v Presenting a new type of sensor spoofing attack

  • Deceiving a sensor by saturation

v Analysis on medical infusion pumps

  • Finding vulnerability in drop detection algorithm

v Controlling infused fluid from 65% to 330% v Note

  • Infusion pump was not communicating at all.
  • IR lay is invisible to human eyes.
  • FDA approved US devices?

v Sensor security

  • Most sensors are exposed to receive signal
  • Must be considered for safety

32

slide-33
SLIDE 33

Thank You!

E-mail: ys.park@navercorp.com