Friday, July 26, 2013

WattsUpDoc: Detecting malware on medical devices via an instrumented power outlet

I will be presenting research results on how to detect malware on medical devices at USENIX HealthTech in Washington, D.C. on August 12th. Below is a summary of our research (lightly edited from the final paper). I would be happy to discuss the project at the workshop or before. We are particularly interested in collaborating with manufacturers and hospitals to further field test our prototype.

Health care networks are composed of general-purpose computers (e.g., desktop workstations) and embedded devices that perform specific functions and connect to the network for centralized control or configuration. A primary drawback of increasing connectivity is that all devices on the network, including embedded devices, are increasingly exposed to malware [1,2]. The U.S. Food and Drug Administration has recently acknowledged these risks by issuing a safety communication concerning cybersecurity.

This pharmaceutical compounder is a medical device running Windows XP Embedded. In a controlled lab, we repeatedly infected such devices with malware to evaluate the effectiveness of WattsUpDoc.

Unfortunately, there are no simple solutions to this problem. Many embedded devices are incompatible with conventional software-based anti-malware mechanisms such as antivirus (AV) programs or networked intrusion-detection systems (NIDS). Traditional embedded devices commonly use custom firmware or OSes for which no antivirus program exists. Other embedded medical devices are built with commodity hardware and software and are thus compatible with AV or NIDS, but some manufacturers explicitly forbid device owners to install OS security updates or antivirus software [3].

A high-level illustration of system deployment. WattsUpDoc monitors system behavior without affecting any inputs, outputs, or software. No software or hardware change is required on the device under observation.

Our paper addresses the challenge of malware on embedded systems by introducing WattsUpDoc, a behavior-monitoring system for embedded devices. WattsUpDoc relies on the side channel of systemwide power consumption, which leaks information about the system's computing activity without requiring any hardware or software modifications. WattsUpDoc uses machine-learning techniques to match patterns of power consumption. In our experiments, WattsUpDoc detected previously known malware with at least 94% accuracy and previously unknown malware with at least 85% accuracy on several embedded devices.

Using WattsUpDoc, device owners can gain greater visibility into the behavior of the systems they own. WattsUpDoc can provide preliminary evidence of abnormal behavior, such as malware problems, signaling the need for further investigation. WattsUpDoc may also help to detect general abnormalities such as a failing hardware component or misconfigured software. With better visibility and earlier warnings, WattsUpDoc can help to detect problems that otherwise could lead to hazardous situations and harm.
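To make the idea of matching power-consumption patterns concrete, here is an added sketch that is not WattsUpDoc's code and not taken from the paper. The sample rate, window length, feature set (mean power plus low-frequency spectral magnitudes) and the z-score detector are all assumptions, and the traces are constructed. It learns a baseline from known-good traces only and flags a trace whose spectrum contains activity the baseline never showed.

```python
import cmath, math, random, statistics

RATE, N = 200, 400            # assumed: 200 samples/s, 2-second windows
BINS = range(1, 41)           # DFT bins covering 0.5 Hz .. 20 Hz

def synth_trace(rng, extra_hz=None):
    """Constructed trace in watts: 60 W baseline, 5 Hz workload ripple, noise,
    plus an optional extra periodic load standing in for unexpected activity."""
    trace = []
    for i in range(N):
        t = i / RATE
        watts = 60 + 2.0 * math.sin(2 * math.pi * 5 * t) + rng.gauss(0, 0.5)
        if extra_hz is not None:
            watts += 1.5 * math.sin(2 * math.pi * extra_hz * t)
        trace.append(watts)
    return trace

def features(trace):
    """Mean power plus spectral magnitude per bin of the mean-removed trace."""
    mean = statistics.fmean(trace)
    centered = [x - mean for x in trace]
    spectrum = [abs(sum(x * cmath.exp(-2j * math.pi * k * i / N)
                        for i, x in enumerate(centered))) / N for k in BINS]
    return [mean] + spectrum

def fit_baseline(traces):
    """Per-feature mean and standard deviation learned from known-good traces."""
    columns = list(zip(*(features(t) for t in traces)))
    return [(statistics.fmean(c), max(statistics.stdev(c), 1e-9)) for c in columns]

def anomaly_score(baseline, trace):
    """Largest absolute z-score of any feature against the baseline."""
    return max(abs(f - mu) / sd for f, (mu, sd) in zip(features(trace), baseline))

def is_abnormal(baseline, trace, threshold=10.0):
    """Flag the trace for further investigation (threshold is an assumption)."""
    return anomaly_score(baseline, trace) > threshold

rng = random.Random(2013)     # fixed seed so the constructed data is repeatable
BASELINE = fit_baseline([synth_trace(rng) for _ in range(30)])

if __name__ == "__main__":
    print("normal  :", round(anomaly_score(BASELINE, synth_trace(rng)), 1))
    print("abnormal:", round(anomaly_score(BASELINE, synth_trace(rng, extra_hz=12)), 1))
```

A detector of this kind only signals that the device is drawing power in an unfamiliar pattern; as the text says, that is preliminary evidence that calls for further investigation, and a hardware fault or misconfiguration can trigger it as readily as malware.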
