Schneier on Security
A blog covering security and security technology.
« Matt Blaze Comments on his 15-Year-Old "Afterword" |
| Security for Implantable Medical Devices »
April 15, 2010
Storing Cryptographic Keys with Invisible Tattoos
This idea, by Stuart Schechter at Microsoft Research, is -- I think -- clever:
Abstract: Implantable medical devices, such as implantable cardiac defibrillators and pacemakers, now use wireless communication protocols vulnerable to attacks that can physically harm patients. Security measures that impede emergency access by physicians could be equally devastating. We propose that access keys be written into patients' skin using ultraviolet-ink micropigmentation (invisible tattoos).
It certainly is a new way to look at the security threat model.
Posted on April 15, 2010 at 6:43 AM
• 50 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Security measures that impede emergency access by physicians could be equally devastating. We propose that access keys be written into patients' skin..."
Now let me think, the skin is the outer "wrapping" of the meat bag, and is perhaps the place most likely to be "not available" due to minor or major injury (think grazes through to full on burns and even grimed in dirt oil etc from an accident)...
Plus do you actually want to have a mark on you that will light up in a night life entertainment place when the MC/DJ turns on the UV light...
Why would it need to be invisible? Wouldn't a code on a medical bracelet be sufficient? If a particular device is needed to read the code, it still puts an extra hurdle between medical providers and the patient. Does the risk of such an attack warrant such drastic measures?
To launch such an attack through a wireless network implies that it is anonymous and remote. Learning the code necessary to disrupt a particular device would require personal contact. So, unless a particular person is the target, ultra-secret codes don't achieve a much higher level of security, just more hurdles for legitimate users.
I agree with Clive - it seems pretty mental to put the security key in the thing most likely to be damaged.
Do they propose to cover every inch of the skin or just a select location and hope its not in the injured area.
On a related note, I suspect there will be all manner of user-objections to being "branded" invisible or otherwise..
Yes, any student of history will likely feel a chill at the thought of tatooing a number on a person for any reason.....
"ultraviolet-ink micropigmentation (invisible tattoos)."
IIRC, Asimov had the secret police in one of his Foundation novels using that as an ID device.
"καὶ ἵνα μή τις δύνηται ἀγοράσαι ἢ πωλῆσαι εἰ μὴ ὁ ἔχων τὸ χάραγμα, τὸ ὄνομα τοῦ θηρίου ἢ τὸν ἀριθμὸν τοῦ ὀνόματος αὐτοῦ."
As a person who has had open-heart surgery and offered both of these items (and rejected), a tattoo has to be the worst idea I've heard of for "protecting" against hacking. I've had enough needles poked in me to qualify as a human pin cushion.
Aside from my own distaste for needle pokes, I've a few more relevant reasons against this idea:
1. As several people have pointed out, if the skin the tattoo is on is damaged can it still be read? The only solution for this is to tattoo the key in several different places on the patients body. (Ouch, Ouch and OUCH!)
2. Anyone with a ultraviolet light would be able to read the tattoo. This would force anyone with one of these tattoos to wear a shirt/pants/hat to prevent it from being revealed.
3. What about foreign travel? If the tattoo is in English and you're in China, can a doctor/EMT read it?
The biggest problems I see with pacemakers and defibrillators are badly shielded electronics (including the devices mentioned), EMP/HERF generators and solar flares. Leaky microwave ovens and EMP/HERF devices are easier to obtain or build than trying to hack into the cardio-devices.
I am a young person (mid 30's) with a pacemaker. May thoughts are:
-I definitely want something to secure my device.
-Periodic checkups of the device require a technician to elevate my heart rate via remote control. It's freaky and uncomfortable plus potentially life threatening if done incorrectly.
-Reading or adjusting my pacemaker does not require authentication
-I definitely want something to protect my device against malicious threats. I just want to make sure it does not get in the way of me receiving medical treatment.
-I am not opposed to micropigmentation.
easy to detect, easy to destroy, easy to fake, etc.
and what about hijacking etc. if you use tattoos, why not a fingerprint?
ultraviolet-ink tattoos are cool. but Cryptographic Keys? No.
Emergency data? Maybe.
when in history have tattoos been a good concept of AAA?
sry. i was a little confused writing my comment.
but i still don't think that tattoos are good at this. if you have somthing like an implantable cardiac defibrillators, wear a necklace or an armring with the information. that is faster and no doctor has to search every inch of your body with an UV light.
Sounds pretty straightforward (you might want multiple copies, but if you're putting someone under for the implantation that's not really a problem. And as for cracking, it obeys a pretty standard rule: it can only be accessed and cracked by someone who already has physical access to the person. So except for movie plots, it exposes you to being killed only by people who are already in a position to kill you.
I do wonder, though, whether some kind of short-range rfid-like device might be more secure and less susceptible to damage. rfid plus an IR emitter would let you bury the tag somewhere relatively safe inside the body. (Although people might also object to being chipped.)
I am confused, but not surprised that there seem to be so many comments from people that have not read the proposal (it's only two pages). The reason for tattoos rather than other methods is clearly explained in the text, as is the reasoning for the positioning.
I disagree with the positioning, I think that the leftmost foot has too much risk of being lost and would suggest that either the leftmost armpit or hip would be better, both for reasons solar exposure and risk of loss (if you've lost those areas, you have bigger problems than your implant.
I wonder what some religious views would be. Self mutilation (i.e.: tattoos) are generally forbidden in some religious sects. But this would be for medical pruposes..
I don't necessarily think it is effective, but it is interesting.
Oh, and there would have to be a protocol for indicating key changes, in the event that your key becomes compromised, e.g. by someone wielding a UV light.
Oh, and if you're anti-social enough to dance around without a shirt in a nightclub, perhaps you deserve what you get. ;-)
And is clubbing a top priority for IMD recipients?
tattoo of Nomad on your forehead? Instead of showing up with increased blood pressure it shows up with blacklight. hmmm
I experimented with ultraviolet inks years ago - made a very small version of 'The Wave' machine - using the ultraviolet ink as the 'water'. was interesting, if expensive.
I also considered incorporating ultraviolet into my tattoos - but my tattooist and I decided that the quaility of the ink was questionable at best. For embedding particles under my skin, I choose the best quality I can find :)
As seen in the comments, this is an idea, and is quickly being discarded as impractical. oh well.
Reminds of a joke, i had with my son. I threatened to use the finger print reader. It wasn't my finger I was going to stick on the reader. He claimed he could get around it with a fingerprint kit and silly putty. Funny at the time. Maybe less for you folks.
How is this different from, say a bar code, with enough "digits" to make it more secure. Maybe 12 digits.
they make UV tatoos. Use your big toe print? Blood vessels in your wrist. the possiblities are endless. Companies are using more and more possiblities, trying to sell products. I'm cautious about this push in the security industry. I will just use 100 digits of Pi. Guess which ones?
It is far rarer (sp) for the mathematics or even the number of digits that fail. The NSA or CIA use other means. A keyboard bug or software. We tend to get focused on the code and not the human factor. You could probably call or walk through a lobby and get the info you need rather than spy vs. spy scenarios.
some women and men are size queens. the security industry is the same way.
Mine is bigger than yours. Give me a break. If you have the need to say that you have already lost the game. Not that mine isn't bigger than yours. (key size of course)
Having been through a motorcycle accident and had certain limbs peeled like potatoes, I don't want to "lose" my key when I need it most.
I don't like the idea terribly much, but other comments here don't solve one basic issue -- the availability of the necessary information to change say a toe print back into a key by some random personnel who may not have total-instant access to the records of the entire world at the moment the information is needed to save your life. In fact, having everyone with medical creds having instant access to all that scares me for other reasons. It isn't like that system is immune to gaming, ID theft, etc if someone wanted to "crack" your device.
So, along with Bruce, I think the idea is at least a little clever -- it solves some of the above nicely.
I would think that (with some rare exceptions) that by the time you're frail enough to need a pacemaker that some of the above concerns about losing a tatoo are specious (but that some ideas of better places to put it are good) -- you'd not be riding a motorcycle hard at that point in life, I think, unless you had a death wish anyway; I've had my share of road rash but gave that up as I got older.
The devices in question use Medical Implant Communication Service (MICS). The range of these wireless communications is of the order of two meters (6 feet). If someone is trying to harm you from that short a distance, this has to be one of the least likely or effective ways.
These devices may be susceptible to some laboratory bench attacks, but we should stop proposing solutions without due regard to the context / environment in which they operate. Are the risks as they exist today unacceptable? If so, do the proposed solutions represent a lesser risk?
Just because we see the word wireless does not mean it is appropriate to defend the device as if it used IP and Wi-Fi.
An alternative solution which some PPM/AICD companies already do, is to have all the information as radio-opaque markings within the casing, and easily readable on Xray or fluoro.
This has the information in an area where it can't be damaged unless the device itself is damaged, (and would still probably be readable long after the device is non-functional).
Here's an interesting fact I came across as a first responder, that seems to be a ridiculously outmoded 'security' precaution:
Pacemaker/Defibrillators need to have the battery replaced every few years.
(Actually, the battery is not replaced because the unit is sealed and unopenable; the entire generator is replaced.) There is an automatic 'low-battery' alert, where the pacing drops to a rate of 62.5/min, at which point there is still a few weeks of reserve left.
The Russians got the brilliant idea of making pacemakers with a battery reserve much longer than the life expectancy of even a young patient. They used a nuclear isotope within the generator. Surprisingly, there were no radiation issues as the isotopic output was very tiny, (although not recommended for child-bearing women).
The Americans improved upon the design, and there was a company in NJ that produced nuclear isotopic powered pacemakers.
No one uses them today, and the company went out of business.
Unsafe? - Nope.
Perfectly safe and well studied.
Too expensive? - Nope.
Very small isotope quantities required.
So, Why then?!
Because a patient who eventually died was NOT allowed to be buried with nuclear material!
It required a Federal Nuclear Regulatory crew to be summoned and remove the device and dispose of it properly!
(They wouldn't just let the hospital do it, and keep it for pick-up by the crew!)
Not only that, but such crews were not available in each state, and it was illegal to transport the body across state lines with the nuclear device still in place!
The delay in burial was extremely frustrating to families and funeral homes, and despite attempts to get the laws modified, no families wanted this type of device again.
(For those interested, do a google search on 'Nuclear Pacemakers'.)
So, what is the actual risk of peoples IMD being hijacked and used for nefarious purposes? If you are already in the hospital with other injuries, I would think that you wouldn't mind your "system" being unsecure since they could then access it with less chance or running into imcompatibility issues etc. One could assume (I might be wrong) that the hospital is a safe area for persons with IMD.
I would agree with others that the risk of EMP/HERF type incidents would be much greater than a hi-jack of some kind. What's the receive range for the little devices?
Sorry mister we have to tattoo you again because of the last software security update
Like the paper suggests, tattoo the key adjacent to the implantation scar. If that skin is absent you have physical access to the device, or the device is destroyed or absent too.
The authors recommend imprinting a backup copy of the passcode on the arch of the "patient’s leftmost foot." The risk of losing this backup to traumatic injury notwithstanding, how many patients have more than a left or a right foot? "Not that foot nurse, the leftmost..."
This paper cites another by Denning, et al. from CHI 2010 that considers UV tattoos, among many alternatives, as a security solution for the IMD scenario.
The CHI study focuses on human values for IMD security solutions, along the lines of "Patient Acceptability" in this paper's Section 4 but actually principled. They study (interview, survey, etc.) real medical device users. One of the more interesting things, perhaps, is comparing Schechter's text with the reality shown in the study. The results turn out pretty different! I suspect this is the (other) 'Slashdot effect' -- conjecture from (even quite intelligent) computer scientists isn't exactly reflective of reality.
Consider a person with only one foot. It is their "leftmost". In the common (two feet) case, "leftmost" is also "left".
@vedaal - is that the plot of "Ironman 4"? ;)
I echo Aodhain's comments. This is a solution looking for a problem.
The attacker must be within a few of feet of the victim to access the implanted device. From that range there are much simpler and cheaper methods to harm the victim.
@Andre: While considering a person with only one foot as you suggest, I fail to find a need for distinction between feet ;)
I think I have to agree that this is clever but I also have some issues.
I don't like the idea of using a non-secret key and in this respect I don't see much of a difference between a UV tattoo key and biometric keys. Still it does have me wondering whether secrets don't have to be something you know.
Another issue is cameras. I have seen CMOS sensors that have a spectral response up to 200nm, which covers UV-A and UV-B so if the UV ink is visible under a black light then it is also likely visible to a camera after some image processing.
I thought the UV-blocking sunblock suggestion was a rather astute remark but it also turned out to be an argument against the idea. If UV-blocking sunblock helps keep the tattoo invisible to attackers then it is also keeping it invisible to doctors. There is also no visual feedback to suggest reapplication.
Thanks for the link, I will probably look at it later. I also wanted to suggest that the link would have been clickable if you hadn't enclosed it in square brackets.
I also thought the end of your comment was funny but thought I could make it funnier with a label.
Conjecture from (even quite intelligent) computer scientists isn't exactly reflective of reality.
People's hearts are now accessable via wireless? Sounds like voodoo doll healthcare to me.
"The attacker must be within a few of feet of the victim to access the implanted device. From that range there are much simpler and cheaper methods to harm the victim."
Pressing an "off" button, even if an assassin has to do it at close range, is a much more subtle attack than having to jab the target with a ricin-tipped umbrella or making it appear he was killed in the course of a robbery. We might evade an jab or resist a mugging but there is little to be done about a nondescript stranger passing you in a crowd. Wait, that's about seventy-eleven movie plots. Time for more java!
People commenting here should read the article.
It discusses the issue of skin damage destroying the tattoo -- they propose marking a second key on another body part.
It discusses "why not ID bracelets" -- people tend to forget to wear them.
It discusses patient unease over the connotations of ID tattoos in fictional and historical settings -- they would make the tattoos optional but encouraged.
This is very interesting "Security Theater" being propagated by the one that created the term of disdain.
The vulnerability is a theoretical that has very low likelyhood, and requires someone that is highly motivated and well funded.
There are standards based efforts to create registries to address this, that would have authorized access based on registered emergency provider status. Yes, this is a long term solution that will take much work.
As Bruce has often mentioned, all this is a tradeoff. High value targets require more measures to insure their security. The range of a reader may "only be a few feet" -- sure, if it's an off the shelf reader/programmer and the target isn't very valuable so that's all the attacker uses.
As someone who once had a career in electronic intelligence, all I can really say is that for high value targets the normal "ranges" are utter baloney -- if you throw enough money and signal processing at a problem those "short ranges" get a lot longer really fast. Particularly if the device in question responds the same to every "ping" you can average signals out of the noise that would normally be large two digit dB numbers under it. And of course, with money etc, transmitter power can be more or less unlimited.
For most cases, yep, some super EMP kind of thing might work better if all you wanted to do was destroy the device...
There's a ton of difference in what effort would be expended to "get" a target that's "just some guy" and one who was important to a state. And YMMV -- what the attacker decides to attack is up to him, which Bruce has also wisely mentioned in other contexts.
But that level is for very rare cases (we hope). For most people instant access to the required info by a first responder or emergency room would be a good risk/benefit.
Childish response: Hey, its Microsoft thinking. Professional response: I don't know how "configurable" these wireless devices are once implanted, but isn't it good security to change keys periodically? Soooo...can we remove the 'tatoo'd key? If so, problem. If not, we only have so much skin realestate, thus...problem. (Picture the scene in Monsters vs Aliens where the guy scans his behind to get access to "the room". Changing un-removable keys would eventually result in this!)
2 words: Key Lifecycle
No thanks, not going to sign up for your key rotation/expiration process.
The Sofware Freedom Law Show had a podcast on this very topic.
One of the hosts has an IMD and specifically chose to have an older model implanted where the communication device ("programmer") must rest upon her shoulder. It cannot communicate wirelessly.
As a paramedic (in a semi-previous life) I cant stop giggling at the concept.
... also I cant help but thinking about the licensing implications. Your surgeon (that put the device in) went ahead and used the super special mechanism to tattoo you with the special ink -- but he didn't have a license to do so. Whats the remedy? Would I need to have an indemnification clause put into my chart? hehe...
I'm working in the implantable medical device industry and I think this type of proximity based authentication is missing certain things.
1. The paper mentions that after a device exchange the new implant may be given the same key as the old one so that a new tattoo is not necessary. So we need to authenticate the person giving the implant the already tattoed key or anyone could do that. The paper leaves this completely open and it's not trivial.
2. The paper says that anyone who is close enough to also read the key could have harmed the patient anyway. That's true but doing so without a trace is better than spilling blood all over the place. It's a different type of attack.
3. The paper leaves completely open who should do the tattooing with which instruments and who should pay for that. Implanting physicians would argue "Why should we do this? It's your problem to give me an IMD which is secure! I'm not going to do your work!" and the sales rep of course is not allowed to do the tattoo.
we already had stories about car thiefs cutting off thumbs from victims to unlock anti-theft devices with fingerprint readers in expensive cars. I just do not want to think about a tattoo and a determined person with a peeler...
Also quite messy to get rid of a key quickly. In " A beautiful mind" the main character (later nobel prize winner Nash) rips his wrist open, where he fantasizes to have some kind of black light tattoo.
On the other hand it is quite like SciFi or magic if we think of doors opening on the touch of some persons and not for others...
"What's the receive range for the little devices?"
Depending on the frequency and the transmit power, at least as far as any man made object has ever gone...
Even assuming that the protocol is two way one off TX(wakeup), RX(ack+nonce), TX(Enc(ID:K=nonce)) range would be only limited by the receiver gain at the attackers end. And depending on the frequency this could be a very long way.
Even near field or magnetic coupled systems leak EM radiation.
With regards "High Energy EM" as a weapon to attack these devices, it may not be as high as you might first consider. That is you don't need to damage the device only impair it's operation. Often this requires very very little EM energy, as most people will realize when they think about when their mobile phone has made it's "grunting noise" near a radio / HiFi / television / landline phone / other equipment with an audio amplifier in it. Open academic researchers are only just starting to investigate "EM Fault Injection" attacks, I was playing with them back in the early 1980's and I can assure you that they can be very very devastating, and effectively leave no trace... The advantage some of us have these days are the likes of the EMC regulations where passive shielding filtering is used.
A question that has not been asked but should be considered is "risk", not just of the ID being read by a hostile person, but also the "risk" of it needing to be read for emergency medical reasons?
That is how often does an ER or A&E medic or first responder actually need to access the implant?
I suspect the answer in "human terms" is vanishingly close to zero for each person with an implant (unless it is of an unreliable design). And still very small on assuming that every person in the US had three or four implants.
Outside of Emergency Response there will be more than sufficient time for other more reliable ways the issue can be dealt with.
Then there is the issue of training etc. That is even if a first responder or ER / A&E medic could access the device, would they have the required "expert knowledge" to know what they where doing with it?
Which brings you back to my "Outside of Emergency Response..." point above.
Oh and then consider the investment in just the equipment to communicate with an implant. If you assume it was cheap for a medical electronics device at 500USD how many ambulances, First Responders and ER rooms are there in the US...
Sorry, I have a new "toy" (T-Mobile dropped the DangerOS system Motorola Sidekick yesterday so I'm having probs with a new way of working... 8(
In my post above this I was editing the,
"The advantage some of us have these days are the likes of the EMC regulations where passive shielding filtering is used. "
It should read,
"The advantage some of us have these days is the use of passive shielding / filtering in a device due to the EMC regulations. Unfortunately medical implant devices are by and large exempt from the EMC regulations, and the regulations are "mask based" which has allowed manufactures to use "active" methods to meet the masks (ie spread spectrum techniques like DSS on CPU clocks etc). Active EMC methods offer no protection from active attacks such as "EM Fault Injection" attacks."
Accessing the implants wirelessly is a great idea, the invisible tattooing Im not so sure?
My grandfather had tattoos that were really blurry once he got old. That should be super fun for access keys and emergencies! "I think it's a 7! D'oh, it must have been a 1."
Also, what about the Jewish people?! Would a potentially life saving tattoo still be forbidden?
It's a conflict of beliefs.. The religion allows for anything which puts life/health first.
So, I think that woudl be one of the allowed instances.
Also lazy and didn't read the article but as for the "language" of the tattoo, it obviously will not be roman characters, a way too wasteful encoding.
2D barcodes (QRCode etc) are probably a good idea, if blurring with age is a problem I'm pretty sure 1D barcodes (the usual ones...) will be much more robust against that.
Clearly, the tattoo should be done directly to the heart with pigment that would show up ... doesn't anyone read Mark Leyner?
"My insignia is a guy surfing on an enormous wave of lava -- it's an avalanche of this lurid molten spume with this glowering chiseled commando in baggy polka-dotted trunks on an iridescent board careering across the precipice of this incredible fuming tsunami of lava -- and there's an erupting volcano in the distance in the upper right hand corner. It's excellent.
"I have it tattooed on my heart. And I don't mean on the skin of my chest over my heart. I mean tattooed on the organ itself. It's illegal in the States -- I had to go to Mexico. It's called visceral tattooing. They have to open you up. They use an ink that contains a radioactive isotope so that the tattoo shows up on X-rays and CAT-scans."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.