“The adversary doesn’t get any dumber,” Kevin Fu recently commented to The Boston Globe. To prove his point, Fu, who is investigating RFID attacks and countermeasures at the RFID Consortium for Security and Privacy, or CUSP, at the University of Massachusetts at Amherst, and his researchers conducted a rather extreme experiment.
For their experiment, Fu and his colleagues at the Medical Device Security Center (a partnership between UMass, Beth Israel Deaconess Medical Center in Boston, and the University of Washington) used a defibrillator that included a radio frequency chip and transponder to allow doctors to read and record patient information, and to reprogram the device.
The Secure Medicine team was able to glean the equivalent of personal medical records from the defibrillator by using an ad-hoc, unauthorized device. The researchers also managed to take control of the defibrillator, to create shocks that would be life-threatening to a patient.
But he believes there is a solution — using sophisticated radio frequency devices to foil attackers.
The Secure Medicine team is developing a radio frequency gadget called WISPer, which sounds an audible alarm and vibrates when it detects unauthorized attempts to reprogram an implanted device. To test it, researchers packed the WISPer prototype into a simulated human torso, made of beef and bacon. It worked.
We wonder if a better approach might have the device “phone home” electronically to the manufacturer, who can then approach the patient in a perhaps less freaky way.
Of course the best approach is to prevent arbitrary code execution in the first place, even if that code is successfully introduced into the system. Anti-malware code purpose-built for tight device environments, like Mocana’s NanoDefender™.