Adrasteia: A Smartphone App for Securing Legacy Mobile Medical Devices

For a variety of reasons, Bluetooth-enabled mobile medical devices are often not designed with security in mind. As a result, many of them are open to malicious attacks, notably man-in-the-middle (MITM) attacks. For some classes of mobile medical devices, such as pulse oximeters, a MITM attack may have little impact on the safety and privacy of the patient. For more essential devices, such as pacemakers and insulin pumps, protection against MITM attacks can have fatal consequences. Though future medical devices may be designed more securely, a significant portion of existing medical devices still use an overly trusting procedure to communicate with their desired access point. Thus, these legacy devices are still at risk of attack. This paper presents the design and implementation of an Android application to act as a personal security device (PSD) that defends against MITM attacks. To the best of our knowledge, this is the first smartphone application designed for this purpose. The use of this PSD requires no changes to either the medical device or its monitoring software, offers protection for millions of existing devices, and adds an insignificant amount of overhead to the original functionality of the medical device. Furthermore, the PSD is easily obtainable by anyone with an Android smartphone. We evaluate our defence approach by analyzing its robustness against various attacks, and we conclude with a discussion of future applications of our defense mechanism.