Modern Techniques to Prevent Hacking in Medical Systems
By Bobby Wong, Renesas Electronics America

The advent of electronics has transformed medical devices, making them smarter and more convenient in our daily lives. But recent headlines about hacking point to a cause for concern with these electronics. Medical device designers need to understand the new tools and design techniques that can prevent hacking and illicit modification. The problem of hacking and illicit modification is multi-faceted. Is the software protected inside a microcontroller? How can access to a chip be eliminated to prevent hacking? Is there a way to detect code modification? These are chip-level concerns. There are also system-level issues, such as how to enforce an expiration date and how to authenticate genuine equipment. We will discuss several microcontroller features and modern design techniques that address these concerns.
Most modern microcontrollers use Flash memory to store software programs. To protect the software, designers must prevent unauthorized reading and modification of the software stored in the Flash. Unauthorized reading can happen in two situations: during development and manufacturing, and in the field.

During development and manufacturing, designers should use an authenticated debugging capability, such as that supported in Renesas microcontrollers, to restrict access to the software in the Flash through the debug interface. Developers and testers are required to enter a key for authentication before a debug session is allowed; the authentication is performed inside the microcontroller. After the software is fully tested and the system is ready for deployment to the field, the debug interface must be disabled to eliminate further access. This is accomplished by setting certain special registers inside the Renesas microcontrollers.

At this point, designers should also review the microcontroller's Flash protection to prevent any modification of the software. Microcontrollers offer different levels of Flash protection. To essentially lock in the code, designers should look for an Erase Protection capability: once it is set, the content of the Flash cannot be erased and cannot be re-programmed.

In addition to authenticated debug capability and Flash protection, designers should also consider an integrity check on the software before execution. The integrity check detects any abnormal change to the code. Designers can use on-chip CRC hardware to compute and compare a checksum during system start-up, before operation begins. If an unexpected modification is detected, the system can shut itself down and display a message asking for the equipment to be returned for further analysis.
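The start-up integrity check described above, as an added example rather than code from the article or from Renesas: a software CRC-32 stands in for the on-chip CRC unit, and the image layout (code body followed by a 4-byte little-endian checksum trailer), the sample bytes and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Reflected CRC-32 (IEEE 802.3, poly 0xEDB88320); stands in for the CRC unit. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Assumed layout: image body followed by a 4-byte little-endian CRC trailer. */
#define TRAILER_LEN 4

/* Build-time step (normally done by the programming tool): append the CRC. */
void image_seal(uint8_t *image, size_t body_len)
{
    uint32_t crc = crc32_ieee(image, body_len);
    for (int i = 0; i < TRAILER_LEN; i++)
        image[body_len + i] = (uint8_t)(crc >> (8 * i));
}

/* Start-up check: 1 if the body still matches its trailer, 0 otherwise. */
int image_verify(const uint8_t *image, size_t total_len)
{
    if (total_len < TRAILER_LEN)
        return 0;
    size_t body_len = total_len - TRAILER_LEN;
    uint32_t stored = 0;
    for (int i = 0; i < TRAILER_LEN; i++)
        stored |= (uint32_t)image[body_len + i] << (8 * i);
    return crc32_ieee(image, body_len) == stored;
}

/* Constructed 12-byte stand-in for program code, plus room for the trailer. */
#define BODY_LEN 12
static uint8_t g_image[BODY_LEN + TRAILER_LEN] = {
    0x00, 0x20, 0x00, 0x20, 0x09, 0x01, 0x00, 0x08, 0xB5, 0xF0, 0x00, 0x00 };

/* Seal, verify, then patch one bit: returns 1 only if the patch is rejected. */
int demo(void)
{
    image_seal(g_image, BODY_LEN);
    int clean_ok = image_verify(g_image, sizeof g_image);
    g_image[5] ^= 0x01;                  /* simulate an illicit modification */
    return clean_ok && !image_verify(g_image, sizeof g_image);
}
```

A CRC catches corruption and casual patching; anyone able to rewrite the Flash can also recompute the trailer, so the check complements, rather than replaces, the Erase Protection described above.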
Figure 2: Renesas Electronics offers BoardID and several other secure solutions that enable system-level needs such as authentication of genuine equipment and secure enforcement of expiration dates.

Beyond chip-level protection, designers need to pay attention to system-level issues. Many medical systems enforce an expiration date. For instance, some medical equipment may function properly and accurately only for a limited number of hours. Typically, the sub-systems that have an expiration date are disposable, which means the accumulated hours are stored in the disposable sub-system, away from the main system. A typical design choice would be to use an EEPROM to store the accumulated hours. Although this solution sounds adequate, it is easy to overlook the possibility that the disposed sub-system may be illicitly refurbished: a used EEPROM can easily be replaced by a new one. With the complex supply chain in the medical market, these illicitly refurbished components could show up in the market.

A modern method to securely store the data is to use a secure MCU, similar to Renesas' Board ID solution. The secure MCU is tamper-proof against physical attack, the data stored inside is encrypted, and the communication between the secure MCU and the application MCU requires public-key/private-key authentication, thus preventing eavesdropping. In addition to enforcing an expiration date, a secure MCU can also be used to authenticate genuine equipment. Authentication of genuine equipment has a financial impact for a company whose disposable sub-systems generate a significant amount of revenue.

We have examined several layers of security, from software protection to detection of modification and authentication of genuine systems. Designers need to use these techniques when designing safe and modern medical systems.

About the author
Bobby Wong is Medical Segment Marketing Manager at Renesas Electronics America. He has over 15 years of experience in embedded system/ASIC design. In his early career, he conducted architecture research at Intel and developed ASICs at several start-ups. Wong holds a BS in EECS from UC Berkeley and an MSEE degree from Stanford University.
All material on this site Copyright © 2017 Design And Reuse S.A. All rights reserved.