Threat Modeling: What to do when a human guinea pig simply isn't an option

Even if you had all the resources in the world — and for at least the first few years of the IoT revolution, you won’t — sometimes you simply can’t run full testing. This is especially true when you’re dealing with implanted medical devices that, if you sling a testing curveball at them, you could make the device fail or worse.

When as a quality analyst you find that you cannot do a full testing because it’s dangerous in some way or there simply aren’t the resources available, you should get used to threat modeling — thinking about how an attacker could perform reconnaissance and exploit your environment, and then layer protections against the threats identified in your model.

From an Internet of Things perspective, Brian Knopf founder of BRK Security and 20- year veteran of security research and testing, says that when you are going to test Internet of Things security via threat modeling, there are three key factors:

  1. Sensors to collect and measure data
  2. Connectivity to connect & communicate
  3. People and processes to integrate and innovate

“We’re not talking about your IoT toy. We’re talking about a person who needs something for quality of life,” Knopf said. He says his QA security job used to be like “Hey Brian, I need an alarm system in my home. Come tell me what I need. Bars on windows, alarm sensors, a siren, a sign.” He says that now, in the IoT space, “Those windows and doors are just interfaces — wireless, ethernet, [asking] what are the interfaces.”

Screen-Shot-2018-03-23-at-9-28-04-AM.pngWhen something fell on Knopf’s wife’s foot, causing irreparable nerve damage and pain levels that she could no longer function with, eventually, the only solution left on the table was to have an implant put into her back to manage the pain.

But being a security assessor, when the doctor told her, “We can implant a pain management device in your back that you can control and charge wirelessly,” Knopf became skeptical.

The tiny pain management device generates electricity in the body to block pain. It’s controlled by a remote about the size of a pager and is charged magnetically, with a battery pack that you actually plug into the wall, with his wife having to charge herself weekly for multiple hours at a time, not able to fall asleep during for fear of overheating the device.

“Unlike some of the other medical devices where they can say ‘You know what, it’s vulnerable, take it out,’ we’re talking about an operation at this point. It’s tied into her spine with anchors and the initial operation costs $30,000, so that’s not something that we’re just going to go ahead, ‘Hey, why not? Let’s update it’, ” Knopf explained.

Of course, Knopf didn’t think it was a good idea to go through a full QA test or to reverse engineer the device because, well, it’s risky to run experiments on your wife in more ways than one.

“I had no intention of doing a security audit of a device in my wife’s back. I didn’t want to break it,” he pointed out.

Therefore, he decided it would be much safer to threat model his wife, in order to understand what impact it may have.

 

What did he threat model for?

 

Lifespan

Scar tissue usually develops around these devices, so those that only had a couple years’ lifespan didn’t make the cut. They chose one that should last for nine years, in which time her nervous system could reset itself.

Voltage

This is an internal device that doesn’t require higher voltage like an external defibrillator, but it still has a range between 0 and 10.5 volts. To put it into perspective, anything higher than 3.5 volts causes his wife physical pain.

Leakage 

One of the three main manufacturers of the about 40 different device options had to do a recall because the battery could leak into the body. Of course, in this situation, a recall involves repeating a major surgery. “If you think about it, at this point, it’s no longer updating firmware,” Knopf said.

Instead of going through how a general threat model works, we think the results of Knopf’s threat model and the potential risks Knopf flagged explain the logic behind the risk, mitigation, and likelihood of an attack.

 

Risk #1:

Damage to neurostimulator caused by strong electromagnetic (EMI) interference.

Mitigation #1: EMI shielding and an MRI-safe mode.

Likelihood: Highly unlikely.

 

Risk #2:

Via wireless signal, someone could change stimulation profile, causing the user to be in pain, which in turn needs more medication and potentially overdose.

Mitigation #2: Remote only works when directly against the skin. External signals don’t change this.

Likelihood: Highly unlikely

 

Risk #3:

Attacker turns stimulation on high voltage.

Mitigation #3: Remote only works when directly against the skin. External signals don’t change this.

Likelihood: Highly unlikely.Screen-Shot-2018-03-23-at-9-27-08-AM.png

 

 Risk #4:

Overheating of skin during charging causes burns.

Mitigation #4: Neurostimulator monitors skin temperature and its own device temperature. Stops if unit or skin overheats.

Likelihood: Highly unlikely.

 

Risk #5:

Riskiest, based on damaging leads with high radio frequency causing scarring, electrocution, shock or death.

Mitigation #5: New devices have much thicker lead dispersing RF across whole length of lead.

Likelihood: Highly unlikely

 

Because of these strong mitigations of the risk, Knopf, his wife, and his doctor decided to move ahead with the operation to insert the device. But why did he choose to use only a threat model? • Device was $30,000

  • You shouldn’t pen test inside your spouse
  • Wasn’t sure if they’d even sell him one. (But he would continue on-device research if donations for purchas ing one are received.)

Threat modeling is becoming a popular way to address the distance problem that we will increasingly have when more devices come to market, particularly with big-ticket devices and those embedded in our body, but threat modeling is a compelling way to kick off any testing for IoT security

“Many of the organizations or even the developers want to build a particular product and then test security before market. Whenever you build a particular product, you should start thinking of the security from the very start built into the framework. Create a threat model from the start” Gupta said. It’s a better role for the developer to have the security mechanism in place before the testers actually test it.

 

Get started with security testing today by getting a free trial of ReadyAPI! 

 

Learn more:

Security in the age of IoT

State of API Security

Security Vulnerability Testing

Automated Testing is Key to IoT Success