Syndrome: Spectral analysis for anomaly detection on medical IoT and embedded devices

2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) (2018)

Abstract
Recent advances in embedded and IoT (internet-of-things) technologies are rapidly transforming health-care solutions, and we are headed to a future of smaller, smarter, wearable and connected medical devices. IoT and advanced health sensors provide more convenience to patients and physicians, as physicians can now wirelessly and automatically monitor a patient's state. While these medical embedded devices provide a lot of new opportunities to improve the health care system, they also introduce a new set of security risks since they are connected to networks. More importantly, these devices are extremely hardware- and power-constrained, which in turn makes securing these devices more complex. Implementing complex malware detectors or anti-virus on these devices is either very costly or infeasible due to these limitations on power and resources. In this paper, we propose a new framework called SYNDROME for “externally” monitoring medical embedded devices. Our malware detector uses electromagnetic (EM) signals involuntarily generated by the device as it executes a (medical) application in the absence of malware, and analyzes them to build a reference model. It then monitors the EM signals generated by the device during execution and reports an error if there is a statistically significant deviation from the reference model. To evaluate Syndrome, we use open-source software to implement a real-world medical device, called a Syringe Pump, on a variety of well-known embedded/IoT devices including Arduino Uno, FPGA Nios II soft-core, and two Linux IoT mini-computers: OlimexA13 and TS-7250. We also implement a control-flow hijack attack on SyringePump and use Syndrome to detect and stop the attack. Our experimental results show that using Syndrome, we can detect the attack on all four devices with excellent accuracy (i.e., 0% false positive and 100% true positive) within a few milliseconds after the attack starts.
Keywords
Hardware Security, Malware Detection, Internet-of-Things, Embedded System