Welcome Michel Reece

The THaW team is pleased to welcome Prof. Michel Reece, of Morgan State University, as a new collaborator in research on security and privacy issues in medical devices. Together with Tim Pierson (Dartmouth) and David Kotz (Dartmouth), Michel and her group will investigate the potential for identifying devices through features sensed at the PHY and MAC layers, and validating the authenticity of such devices.

Dr. Michel A. Reece currently serves as the interim Chairperson and the director of the Laboratory for Advanced RF/Microwave Measurement and Electronic Design (ARMMED) in the Department of Electrical and Computer Engineering at Morgan State University (MSU). Her research interests include wireless signal characterization and device authentication of IoT devices, high-frequency device characterization and modeling for III-V semiconductors, RF/MMIC circuit design, adaptable electronic components for software-defined radio applications, and most recently power amplifier development for THz mobile communication applications. She received her B.S. from Morgan State in 1995 and her M.S.E.E. from Penn State in 1997, both in Electrical Engineering. She became the first female recipient at MSU to obtain her doctorate degree in Engineering in 2003. Previously, she served as a postdoctoral researcher in the Microwave Systems Section of the RF Engineering Group at the Johns Hopkins University Applied Physics Laboratory Space Department. She has a passion for education and has developed curriculum for the RF Microwave Engineering concentration offered at MSU, one of only a few HBCUs to have a dedicated program in this area. She has also taught as an adjunct faculty member in the Johns Hopkins University Engineering Professionals Program.

Cybersecurity vulnerabilities

David Slotwiner, Thomas Deering, Kevin Fu, Andrea Russo, Mary Walsh, and George Van Hare recently published a paper titled Cybersecurity vulnerabilities of cardiac implantable electronic devices: Communication strategies for clinicians:

Abstract: Computers, networking, and software have become essential tools for health care. Our daily lives increasingly depend on digital technology, and we are persistently bombarded by the need to secure the systems and data they generate and store from attack, damage, and unauthorized access. Cybersecurity vulnerabilities of cardiac implantable electronic devices (CIEDs) are no longer hypothetical. While no incident of a cybersecurity breach of a CIED implanted in a patient has been reported, and no patient is known to have been harmed to date by the exploitation of a vulnerability, the potential for such a scenario does exist. The public awareness of cybersecurity vulnerabilities in medical devices, particularly devices such as CIEDs on which a patient’s life may depend and where the potential for reprogramming or rendering the device nonfunctional exists, is raising questions and fueling fears among patients and the clinical provider community. The Heart Rhythm Society (HRS) has identified a gap in clinician-patient communication about the appropriate balance of the risks of such a potential attack against the benefits of lifesaving medical devices. To address these communication gaps, HRS convened a 1-day summit in November 2017, in partnership with the U.S. Food and Drug Administration (FDA). The goal of the meeting was to develop patient-centered communication strategies for health care professionals, industry, and governmental agencies. Participants included patient representatives, subject matter experts, HRS and the American College of Cardiology leadership, representatives from the FDA, and the Federal Bureau of Investigation (FBI) and leadership of 5 CIED manufacturers. This proceedings statement is based on the 4 communication themes that emerged from the discussion: when to notify patients, whom to notify, how to communicate with patients, and key elements to discuss with patients.

Proceedings of the Heart Rhythm Society’s Leadership Summit, Heart Rhythm Journal, July 2018.  DOI 10.1016/j.hrthm.2018.05.001.

Tattle Tail Security

Lanier Watkins, Shreya Aggarwal, Omotola Akeredolu, William H. Robinson and Aviel D. Rubin recently published a paper titled Tattle Tail Security: An Intrusion Detection System for Medical Body Area Networks:

Abstract:  Medical Body Area Networks (MBAN) are created when Wireless Sensor Nodes (WSN) are either embedded into the patient’s body or strapped onto it. MBANs are used to monitor the health of patients in real-time in their homes. Many cyber protection mechanisms exist for the infrastructure that interfaces with MBANs; however, not many effective cyber security mechanisms exist for MBANs. We introduce a low-overhead security mechanism for MBANs based on having nodes infer anomalous power dissipation in their neighbors to detect compromised nodes. Nodes will infer anomalous power dissipation in their neighbors by detecting a change in their packet send rate. After two consecutive violations, the node will “Tattle” on its neighbor to the gateway, which will alert the Telemedicine administrator and notify all other nodes to ignore the compromised node.

Workshop on Decentralized IoT Systems and Security (DISS ’19), February 2019.

Intrusion Detection for Medical Body Area Networks (MBAN)

THaW researchers recently presented a new paper at the Workshop on Decentralized IoT Systems and Security (DISS).  [PDF]

Abstract:  Medical Body Area Networks (MBAN) are created when Wireless Sensor Nodes (WSN) are either embedded into the patient’s body or strapped onto it. MBANs are used to monitor the health of patients in real-time in their homes. Many cyber protection mechanisms exist for the infrastructure that interfaces with MBANs; however, not many effective cyber security mechanisms exist for MBANs. We introduce a low-overhead security mechanism for MBANs based on having nodes infer anomalous power dissipation in their neighbors to detect compromised nodes. Nodes will infer anomalous power dissipation in their neighbors by detecting a change in their packet send rate. After two consecutive violations, the node will “Tattle” on its neighbor to the gateway, which will alert the Telemedicine administrator and notify all other nodes to ignore the compromised node.

Figure 1: Proposed Telemedicine Scenario

IoT Two-Factor Neurometric Authentication

Angel Rodriguez, Sara Rampazzi, and Kevin Fu recently had a poster accepted titled IoT Two-Factor Neurometric Authentication System using Wearable EEG:

Abstract: The IoT authentication space suffers from various user-sided drawbacks, such as poor password choice, the accidental publication of biometric data, and the practice of disabling authentication completely. This is commonly attributed to the “Security vs Usability” problem – generally, the stronger the authentication, the more inconvenient it is to perform and maintain for the user. Neurometric authentication offers a compelling resistance to eavesdropping and replay attacks, and the ability for a user to simply “think to unlock”. Furthermore, the recent increase in popularity of consumer EEG devices, as well as new research demonstrating its accuracy, have made EEG-based neurometric authentication much more viable.

Using a Support Vector Machine and one-time tokens, we present a secure two-factor authentication method that allows a user to authenticate multiple IoT devices. We perform preliminary trials on the Psyionet BCI dataset and demonstrate a qualitative comparison of extracted EEG feature sets.

Left: IoT two factor authentication scheme – (1) After internal user-thought authentication, the device securely sends a one-time token to the IoT device. (2) The IoT device securely communicates with a server to verify the token. (3) If the token is verified, the server sends a secure confirmation reply to the IoT device, authenticating the user. Right: Proof of concept using the Psyionet BCI dataset – The top row shows the averaged covariance matrices of the extracted features of two different users thinking about the same mental task (imagining closing their fists). The bottom row shows similar features for one user thinking of two different tasks (imagine closing both fists vs both feet).

Proceedings of the IEEE Workshop on the Internet of Safe Things (SafeThings), May 2019. Accepted, publication pending.

Testimony in support of IoT Security

Professor Avi Rubin recently testified at a Maryland State Senate Finance Committee hearing regarding a bill about IoT security [February 26, 2019]. Below are his remarks.

My name is Avi Rubin, and I am a full professor of Computer Science at Johns Hopkins University and Technical Director of our Information Security Institute. I am also the Founder and Chief Scientist of Harbor Labs, a Maryland CyberSecurity company that has developed an IoT Security Analysis product. I have been an active researcher in the area of Computer and Network Security since 1992. The primary focus of my research is Security for the Internet of Things (IoT Security). These are the types of connected devices that are addressed in SB 553.

Securing the life-cycle of Smart Environments (video)

This one-hour talk by David Kotz was presented at ARM Research in Austin, TX at the end of January 2019.  The first half covers some recent THaW research about Wanda and SNAP and the second half lays out some security challenges in the Internet of Things.  Watch the video below.

Abstract: The homes, offices, and vehicles of tomorrow will be embedded with numerous “Smart Things,” networked with each other and with the Internet. Many of these Things interact with their environment, with other devices, and with human users – and yet most of their communications occur invisibly via wireless networks.  How can users express their intent about which devices should communicate – especially in situations when those devices have never encountered each other before?   We present our work exploring novel combinations of physical proximity and user interaction to ensure user intent in establishing and securing device interactions. 

What happens when an occupant moves out or transfers ownership of her Smart Environment?  How does an occupant identify and decommission all the Things in an environment before she moves out?  How does a new occupant discover, identify, validate, and configure all the Things in the environment he adopts?  When a person moves from smart home to smart office to smart hotel, how is a new environment vetted for safety and security, how are personal settings migrated, and how are they securely deleted on departure?  When the original vendor of a Thing (or the service behind it) disappears, how can that Thing (and its data, and its configuration) be transferred to a new service provider?  What interface can enable lay people to manage these complex challenges, and be assured of their privacy, security, and safety?   We present a list of key research questions to address these important challenges.

Proximity Detection

Timothy J. Pierson, Travis Peters, Ronald Peterson, and David Kotz recently published a paper titled Proximity Detection with Single-Antenna IoT Devices:

Abstract: Providing secure communications between wireless devices that encounter each other on an ad-hoc basis is a challenge that has not yet been fully addressed. In these cases, close physical proximity among devices that have never shared a secret key is sometimes used as a basis of trust; devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user’s device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques.

We present theoretical and practical evaluation of a method called SNAP – SiNgle Antenna Proximity – that allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our proximity detection technique leverages the repeating nature of Wi-Fi’s preamble and the behavior of a signal in a transmitting antenna’s near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm.

Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom), October 2019. ACM Press. Accepted for publication.  DOI 10.1145/3300061.3300120.

De Facto Diagnosis Specialties: Recognition and Discovery

Aston Zhang, Xun Lu, Carl A. Gunter, Shuochao Yao, Fangbo Tao, Rongda Zhu, Huan Gui, Daniel Fabbri, David Liebovitz, and Bradley Malin recently published a paper titled De Facto Diagnosis Specialties: Recognition and Discovery:

A medical specialty indicates the skills needed by health care providers to conduct key procedures or make critical judgments. However, documentation about specialties may be lacking or inaccurately specified in a health care institution. Thus, we propose to leverage diagnosis histories to recognize medical specialties that exist in practice. Such specialties that are highly recognizable through diagnosis histories are de facto diagnosis specialties. We aim to recognize de facto diagnosis specialties that are listed in the Health Care Provider Taxonomy Code Set (HPTCS) and discover those that are unlisted. First, to recognize the former, we use similarity and supervised learning models. Next, to discover de facto diagnosis specialties unlisted in the HPTCS, we introduce a general discovery‐evaluation framework. In this framework, we use a semi‐supervised learning model and an unsupervised learning model, from which the discovered specialties are subsequently evaluated by the similarity and supervised learning models used in recognition. To illustrate the potential for these approaches, we collect 2 data sets of 1 year of diagnosis histories from a large academic medical center: One is a subset of the other except for additional information useful for network analysis. The results indicate that 12 core de facto diagnosis specialties listed in the HPTCS are highly recognizable. Additionally, the semi‐supervised learning model discovers a specialty for breast cancer on the smaller data set based on network analysis, while the unsupervised learning model confirms this discovery and suggests an additional specialty for Obesity on the larger data set. The potential correctness of these 2 specialties is reinforced by the evaluation results that they are highly recognizable by similarity and supervised learning models in comparison with 12 core de facto diagnosis specialties listed in the HPTCS.

Learning Health Systems, 2018:e10057, 2018. DOI: 10.1002/lrh2.10057

NRF: A Naive Re-identification Framework

Shubhra Kanti, Karmaker Santu, Vincent Bindschadler, ChengXiang Zhai, and Carl A. Gunter recently published a paper titled NRF: A Naive Re-identification Framework:

The promise of big data relies on the release and aggregation of data sets. When these data sets contain sensitive information about individuals, it has been scalable and convenient to protect the privacy of these individuals by de-identification. However, studies show that the combination of de-identified data sets with other data sets risks re-identification of some records. Some studies have shown how to measure this risk in specific contexts where certain types of public data sets (such as voter rolls) are assumed to be available to attackers. To the extent that it can be accomplished, such analyses enable the threat of compromises to be balanced against the benefits of sharing data. For example, a study that might save lives by enabling medical research may be enabled in light of a sufficiently low probability of compromise from sharing de-identified data. In this paper, we introduce a general probabilistic re-identification framework that can be instantiated in specific contexts to estimate the probability of compromises based on explicit assumptions. We further propose a baseline of such assumptions that enable a first-cut estimate of risk for practical case studies. We refer to the framework with these assumptions as the Naive Re-identification Framework (NRF). As a case study, we show how we can apply NRF to analyze and quantify the risk of re-identification arising from releasing de-identified medical data in the context of publicly-available social media data. The results of this case study show that NRF can be used to obtain meaningful quantification of the re-identification risk, compare the risk of different social media, and assess risks of combinations of various demographic attributes and medical conditions that individuals may voluntarily disclose on social media.

ACM Workshop on Privacy in an Electronic Society (WPES ’18), Toronto, Canada, October 2018.  DOI: 10.1145/3267323.3268948