Two large US hospitals will in the next few months begin using a system that can detect malware infections on medical equipment by monitoring AC power consumption.
The unnamed hospitals will be the first on a list to test the add-on monitoring platform, dubbed WattsUpDoc, which checks for potentially life-threatening malware running on critical medical devices.
PhDs Benjamin Ransford and Denis Foo Kune developed the platform, which uses the “traditionally undesirable” power consumption side channel to detect malware at run-time with the accuracy of desktop anti-virus, without the need to modify the hardware or software of systems.
The duo first revealed WattsUpDoc in a 2013 paper, “WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices” [PDF], and have since formed the commercial outfit Virta Labs.
They say the need to secure embedded systems without modifying code is critical for sectors such as healthcare, which cannot easily patch “zombie” machinery because of risk or regulation.
“What you may be able to determine through AC power consumption are things like the computer that is plugged into an outlet, or more interestingly what is that computer doing?” Ransford told the RSA Conference in San Francisco last week.
“We are thinking about those machines that are really hard to patch, really hard to upgrade, and really hard to get inside.
“We turned side-channel analysis on its head … traditionally it is used to disclose secrets but in this case we want to spy on malware instead of people.”
WattsUpDoc identifies Twitter.
Ransford and Kune cannot yet name the hospitals, which will trial the platform as a beta in the second quarter of this year, but told El Reg they have built a machine-learning feed for security information and event management (SIEM) systems and upgraded the WattsUpDoc hardware.
“We've productised our research in two ways; designing a new hardware that puts the technology on a single board, and building a cloud-based machine-learning infrastructure that processes the information flowing in from our hardware and integrates with SIEMs,” Ransford says.
WattsUpDoc works in part through supervised-learning classifiers: the platform can be taught to identify malware, websites, or any other computer function that creates feedback over AC.
In tests the platform detected known and unknown malware with at least 94 percent and 85 percent accuracy respectively over different embedded devices, which was about the same rate as PC-based anti-virus.
In a live demonstration at RSA, the platform was able to generate unique power frequency footprints by visiting different websites including Yahoo, Twitter, and YouTube.
“This causes changes in the software execution path that echoes back on the power line,” Kune says.
An early, somewhat dangerous, version.
WattsUpDoc was in separate tests able to identify the Alexa Top 50 websites using frequency signatures.
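The supervised, frequency-signature approach described above can be sketched as follows. This is an added example, not WattsUpDoc's code: the sample rate, frequency bins, synthetic traces, labels and the nearest-centroid classifier are all assumptions made for illustration, since the article does not say which features or classifier the platform uses.

```python
import cmath
import math
import random

FS = 2000                        # sample rate in Hz (assumed for this sketch)
N = 400                          # samples per window, giving 5 Hz bin spacing
BINS = [60, 120, 180, 300, 420]  # frequencies (Hz) used as features (assumed)

def synth_trace(workload_hz, rng):
    """Constructed AC current window: 60 Hz mains, one workload tone, noise."""
    phase = rng.uniform(0, 2 * math.pi)
    return [math.sin(2 * math.pi * 60 * t / FS)
            + 0.3 * math.sin(2 * math.pi * workload_hz * t / FS + phase)
            + rng.gauss(0, 0.05) for t in range(N)]

def features(trace):
    """DFT magnitude at each bin in BINS: the window's frequency signature."""
    return [abs(sum(x * cmath.exp(-2j * math.pi * f * t / FS)
                    for t, x in enumerate(trace))) / len(trace) for f in BINS]

def train(labelled):
    """Supervised step: average the signatures seen for each label."""
    grouped = {}
    for label, trace in labelled:
        grouped.setdefault(label, []).append(features(trace))
    return {label: [sum(col) / len(col) for col in zip(*rows)]
            for label, rows in grouped.items()}

def classify(model, trace):
    """Return (nearest label, distance to that label's centroid)."""
    sig = features(trace)
    label = min(model, key=lambda k: math.dist(sig, model[k]))
    return label, math.dist(sig, model[label])

def demo(seed=1):
    """Train on constructed windows, then score held-out and unseen ones."""
    rng = random.Random(seed)
    # Constructed labels: a 180 Hz tone stands for normal load, 300 Hz for known-bad.
    profile = {"baseline": 180, "infected": 300}
    def make():
        return [(l, synth_trace(hz, rng)) for l, hz in profile.items() for _ in range(10)]
    model = train(make())
    held_out = make()
    hits = sum(classify(model, tr)[0] == l for l, tr in held_out)
    # A workload never seen in training sits far from both learned centroids.
    _, novel_dist = classify(model, synth_trace(420, rng))
    return hits / len(held_out), novel_dist

if __name__ == "__main__":
    print(demo())
```

The distance returned by `classify` is what lets a monitor flag behaviour it was never trained on: a window far from every learned centroid is suspicious even without a matching label.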
The former University of Washington and Michigan students point out that the same functions that allow their system to work could allow a very fast and brazen hacker to spy on machines, if they are able to quickly switch a power socket with one that bears the WattsUpDoc monitoring kit.
Challenges to monitoring malware over AC include the wide variation in power consumption in modern computers – OS X regulates power consumption between keystrokes – and carving through noise for the hypothetical centralised monitoring of multiple machines.
It is the latest foray into embedded device security work. In 2008 Ransford was responsible for kick-starting a flurry of research into hacking pacemakers after he presented a paper (PDF) at the IEEE Symposium on Security and Privacy on hacking an implantable cardiac defibrillator.
Their presentation slides are available online [PDF]. ®
Darren Pauli travelled to San Francisco as a guest of RSA.