Toward a Safe and Secure Medical Internet of Things
In our attack, a compromised pulse oximeter publishes Alarm Limits on behalf of an
uncompromised capnograph, either suppressing an alarm that should fire (e.g. in case of a
drug overdose) or raising one that should not (e.g. contributing to alarm fatigue). Even though all
communication in this attack scenario is encrypted and authenticated, a compromised insider device
can cause system-wide damage, simply because the framework has no means of enforcing what a
given device may or may not publish. DDS Security allows fine-grained access control per device,
which prevents this significant class of attack.
In the second prototype, each ICE device carries a cryptographically signed permissions file that
specifies exactly which topics it may publish and which it may subscribe to. To recreate the
original attack on this new framework, the attacker would have to compromise the public-key
infrastructure (PKI) on which the framework relies, which is considered a much harder task if the
PKI is managed properly. In any case, if the PKI is compromised, any cryptographic approach built
on it will fail, whether it is based on TLS/DTLS or on DDS Security.
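The per-device permissions check that the second prototype relies on, as an added example that is not OpenICE's or any DDS Security vendor's code: a permissions document modelled on the DDS Security XML schema (grant, subject_name, validity, allow_rule, deny_rule, default) and a small Python evaluator that replays the attack from the first prototype against it. The device subject names, the topic names (AlarmLimit, Numeric, SampleArray, DeviceIdentity), the domain id and the validity dates are constructed for this example. In the real framework the document is S/MIME-signed by the Permissions CA and the signature is verified against the CA certificate before any rule is read; the example assumes that step has already succeeded.

```python
import fnmatch
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed permissions document modelled on the DDS Security schema (not a
# real OpenICE file). Subject names, topic names, domain id and dates are assumed.
# In the real framework this XML is S/MIME-signed by the Permissions CA and the
# signature is verified before any rule is read; that step is assumed done here.
PERMISSIONS_XML = """\
<dds>
 <permissions>
  <grant name="oximeter_grant">
   <subject_name>CN=oximeter-01,O=Hospital ICE,C=US</subject_name>
   <validity><not_before>2018-01-01T00:00:00</not_before><not_after>2099-12-31T00:00:00</not_after></validity>
   <allow_rule>
    <domains><id>15</id></domains>
    <publish><topics><topic>DeviceIdentity</topic><topic>Numeric</topic><topic>SampleArray</topic></topics></publish>
    <subscribe><topics><topic>AlarmLimit</topic></topics></subscribe>
   </allow_rule>
   <default>DENY</default>
  </grant>
  <grant name="supervisor_grant">
   <subject_name>CN=infusion-safety-app,O=Hospital ICE,C=US</subject_name>
   <validity><not_before>2018-01-01T00:00:00</not_before><not_after>2099-12-31T00:00:00</not_after></validity>
   <allow_rule>
    <domains><id>15</id></domains>
    <publish><topics><topic>AlarmLimit</topic></topics></publish>
    <subscribe><topics><topic>*</topic></topics></subscribe>
   </allow_rule>
   <default>DENY</default>
  </grant>
 </permissions>
</dds>
"""


def _grant_valid(grant, now):
    """A grant outside its validity window is void, so the device is denied."""
    validity = grant.find("validity")
    if validity is None:
        return False
    not_before = datetime.fromisoformat(validity.findtext("not_before").strip())
    not_after = datetime.fromisoformat(validity.findtext("not_after").strip())
    return not_before <= now <= not_after


def _domain_matches(rule, domain_id):
    """A rule applies only to the DDS domain ids it lists."""
    return any(int(d.text) == domain_id for d in rule.iterfind("./domains/id"))


def _topic_listed(rule, action, topic):
    """Topic entries are fnmatch-style patterns ('*' matches every topic)."""
    for pattern in rule.iterfind(f"./{action}/topics/topic"):
        if fnmatch.fnmatchcase(topic, pattern.text.strip()):
            return True
    return False


def is_permitted(permissions_xml, subject_name, domain_id, action, topic, now=None):
    """True if the device whose identity certificate carries subject_name may
    perform action ('publish' or 'subscribe') on topic in domain_id.
    Rules are evaluated in document order; the first matching allow_rule or
    deny_rule decides, otherwise the grant's <default> applies. A subject with
    no grant, or with an expired grant, is denied."""
    now = now or datetime.now()
    root = ET.fromstring(permissions_xml)
    for grant in root.iterfind("./permissions/grant"):
        if grant.findtext("subject_name", "").strip() != subject_name:
            continue
        if not _grant_valid(grant, now):
            return False
        for rule in grant:
            if rule.tag not in ("allow_rule", "deny_rule"):
                continue
            if _domain_matches(rule, domain_id) and _topic_listed(rule, action, topic):
                return rule.tag == "allow_rule"
        return grant.findtext("default", "DENY").strip().upper() == "ALLOW"
    return False


OXIMETER = "CN=oximeter-01,O=Hospital ICE,C=US"           # assumed identity subject
SUPERVISOR = "CN=infusion-safety-app,O=Hospital ICE,C=US"  # assumed identity subject
DOMAIN = 15                                                # assumed ICE domain id


def replay_attack(now=None):
    """Replay the first-prototype attack: the compromised oximeter tries to
    publish AlarmLimit next to its legitimate traffic. Returns the decision
    for each request."""
    return {
        "oximeter publishes Numeric": is_permitted(PERMISSIONS_XML, OXIMETER, DOMAIN, "publish", "Numeric", now),
        "oximeter publishes AlarmLimit": is_permitted(PERMISSIONS_XML, OXIMETER, DOMAIN, "publish", "AlarmLimit", now),
        "supervisor publishes AlarmLimit": is_permitted(PERMISSIONS_XML, SUPERVISOR, DOMAIN, "publish", "AlarmLimit", now),
        "oximeter publishes in domain 0": is_permitted(PERMISSIONS_XML, OXIMETER, 0, "publish", "Numeric", now),
        "unknown device publishes Numeric": is_permitted(PERMISSIONS_XML, "CN=rogue", DOMAIN, "publish", "Numeric", now),
        "oximeter with expired grant": is_permitted(PERMISSIONS_XML, OXIMETER, DOMAIN, "publish", "Numeric", datetime(2100, 1, 1)),
    }


if __name__ == "__main__":
    for request, allowed in replay_attack().items():
        print(f"{request:36s} -> {'ALLOW' if allowed else 'DENY'}")
```

The oximeter's grant lists AlarmLimit only under subscribe, so its attempt to publish AlarmLimit matches no rule and falls through to the grant's default of DENY, while the supervisory app that owns that topic is allowed. Two details a practitioner should check in a real deployment: the grant must be keyed to the subject name of the device's identity certificate, otherwise a compromised device could claim another device's grant, and the default should be DENY so that a topic forgotten in the permissions file fails closed rather than open.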
Figure 7. Simplified Architectural Diagram of OpenICE Infusion Safety App
Boxes represent ICE devices, and arrows represent topics that each device either publishes or
subscribes to. The box in red represents a compromised oximeter that, in principle, should not
be allowed to publish AlarmLimit topic data. AlarmLimit topic data should only be published by
IIC Journal of Innovation
- 15 -