Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
CSE 727 - Spring 2014
Seminar in Wireless Network Security Principles and Practices
Professor Shambhu Upadhyaya
Meenakshi Muthuraman & Bich Vu
● D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” in IEEE Symposium on Security and Privacy, Oakland, CA, 2008, pp. 129-142.
Implantable Medical Devices (IMD)
Pacemakers
● Medical device used to restore heartbeat to normal (uses electrodes)
● About the size of a small coin
● Placed under the skin, near the heart
● Between 1992 and 2006, 2.6 million pacemakers and ICDs were implanted in patients in the US
Implantable Medical Devices (IMD)
Neurostimulators
● Deliver electric signals to the epidural space near the spine
● About the size of a stopwatch
● Reduce chronic pain
● Send electronic signals to the brain faster than the pain signal
Implantable Cardioverter Defibrillator (ICD)
● Introduced in 2003
● Uses electric pulses or shocks to restore heartbeat
● Especially used during a cardiac arrest
● Typically includes wires that pass through a vein to the right chamber of the heart
● Communicates with external programmer at 175 kHz frequency
Implantable Medical Devices (IMD)
ICD
Post-surgery, a medical practitioner can use the external programmer to:
● Perform diagnostics
● Read/write private data
● Adjust therapy settings
Magnetic Switch
● Located within the ICD
● Used to send telemetry data and electrocardiogram readings
Wireless Communications
● 175 kHz for short range communications
● 402 - 405 MHz (Medical Implant Communications Band) for long range communications
Motivation
● ICD discloses sensitive information in the clear
● Reprogramming attacks (attacks that change the operation of the device) have been conducted
● Denial of service attacks have been performed
● Attacks can be performed within the range of a few centimeters using a specially configured radio device
Proposed Defence
● 3 different deterrence and prevention mechanisms
● Zero-power Defenses - draw no power from the primary battery
● Zero-power Notification
● Zero-power Authentication
● Sensible Security
Wireless Identification and Sensing Platform (WISP)
● WISP is a family of sensors that are powered and read by UHF RFID readers
● They do not require batteries
● They harvest their power from the RF signal generated by the reader
● It is open source
Security Model
Possible types of attacks:
1. An adversary with a commercial ICD programmer
2. Passive attacks
3. Active attacks
Tools used to reverse-engineer attacks
● Commercial ICD programmer
● Software radio (Universal Software Radio Peripheral - USRP)
● Oscilloscope
● Device used for study
➢ Medtronic Maximo DR VVE-DDDR model #7278 ICD
● Threats
➢ Vital information like patient details and vital signals of the patient is transmitted in the clear
Reverse Engineering Transmissions
● ICD and the programmer use the same encoding scheme but different modulation schemes
● Programmer uses binary frequency shift keying (2-FSK) for modulation
● ICD uses differential binary phase shift keying (DBPSK) for modulation
● Encoded using Non-Return-to-Zero Inverted (NRZI) with bit stuffing
Attacks Performed
Replay attacks
● ICD identification
● Disclosing patient data
● Disclosing cardiac data (32 packets/second)
● Changing the patient's name (10 attempts)
● Setting ICD’s clock (10 attempts)
● Changing therapies (24 attempts)
● Denial of service (esp. with respect to power consumption)
● Inducing fibrillation (electrophysiological test)
Test mode
● Safety mechanisms are enforced in the ICD programmer's software so that the physician cannot accidentally activate test mode
● But test mode can be induced using USRP systems
● Solution proposed: “we argue that if any IMD exhibits a test procedure T for some property P, and if there are no medical reasons for conducting procedure T other than testing property P, then it should be impossible to trigger T unless P is enabled.”
Zero Power Notification
● Cryptographic keys - hinder emergency response
● Must not consume a lot of energy
● Harvests power from RF energy
● Uses piezo-elements to alert user
● Uses Wireless Identification and Sensing Platform (WISP) that contains RFID circuitry and a microcontroller with 256 bytes RAM and 8 KB memory
Evaluation
● Standard - Sound Pressure Level
● Buzzing peaks at 67 dB SPL at 1 m
● Simulation: device implanted beneath 1 cm of bacon and 4 cm of 85% lean ground beef
● Measured 84 dB SPL at a distance of 1 m
Zero Power Authentication
● Harvests RF energy to power a cryptographic protocol that authenticates requests from the external device programmer
● Challenge-response protocol based on RC5-32/12/16
● Master key - Km
● IMD identity I
● IMD-specific key K = (Km, I)
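The challenge-response exchange outlined on this slide, as an added sketch that is not code from the slides or the paper: the implant issues a fresh nonce and accepts a request only if the programmer returns the nonce encrypted with RC5-32/12/16 under the device key K. The HMAC-SHA256 key derivation, the 8-byte nonce, and the names `Imd`, `derive_device_key` and `programmer_respond` are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

R, MASK = 12, 0xFFFFFFFF             # RC5-32/12/16: 32-bit words, 12 rounds, 16-byte key
P32, Q32 = 0xB7E15163, 0x9E3779B9    # RC5 magic constants for 32-bit words

def rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rc5_encrypt(key, block):
    """Encrypt one 8-byte block under a 16-byte key with RC5-32/12/16."""
    L = list(struct.unpack("<4I", key))
    S = [(P32 + i * Q32) & MASK for i in range(2 * (R + 1))]
    a = b = i = j = 0
    for _ in range(3 * len(S)):                      # key-schedule mixing
        a = S[i] = rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % len(S), (j + 1) % len(L)
    a, b = struct.unpack("<2I", block)
    a, b = (a + S[0]) & MASK, (b + S[1]) & MASK
    for r in range(1, R + 1):
        a = (rotl(a ^ b, b) + S[2 * r]) & MASK
        b = (rotl(b ^ a, a) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", a, b)

def derive_device_key(master_key, identity):
    # ASSUMPTION: the slide only gives K = (Km, I); HMAC-SHA256 truncated to
    # 16 bytes stands in for the derivation function here.
    return hmac.new(master_key, identity, hashlib.sha256).digest()[:16]

class Imd:
    """Implant side: stores only its identity I and device key K, never Km."""
    def __init__(self, identity, device_key):
        self.identity, self.key, self.nonce = identity, device_key, None
    def challenge(self):
        self.nonce = os.urandom(8)                   # fresh nonce per session
        return self.identity, self.nonce
    def verify(self, response):
        if self.nonce is None:                       # no challenge outstanding
            return False
        expected = rc5_encrypt(self.key, self.nonce)
        self.nonce = None                            # single use: a replayed response fails
        return hmac.compare_digest(expected, response)

def programmer_respond(master_key, identity, nonce):
    """Programmer side: re-derive K from Km and I, then answer the challenge."""
    return rc5_encrypt(derive_device_key(master_key, identity), nonce)
```

Because the nonce is discarded after one verification, a recorded response of the kind used in the replay attacks listed earlier is rejected on any later session.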
Zero Power Sensible Key Exchange
● Complements the above 2 defence techniques
● Primary goal is to allow the user to know that a key exchange is happening
● Programmer initiates the protocol by supplying an unmodulated RF signal
● IMD generates a random number to be used as session key and modulates it as a sound wave
● The sound wave can only be read and demodulated by a reader with a microphone situated close to the patient's body
● Can later be used for long range communication
Future Work
● Access for previously unauthorized users during emergency situations
● Next generation IMDs with more networking abilities should not rely solely on external mechanisms for security.
● Device manufacturers must not view external devices like external programmers as trusted computing base for IMDs
● Ensure that all devices used do not harm the human body
References
● D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” in IEEE Symposium on Security and Privacy, Oakland, CA, 2008, pp. 129-142.
● D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel. “Security and privacy for implantable medical devices,” IEEE Pervasive Computing, Special Issue on Implantable Electronics, January 2008.
● WISP - http://sensor.cs.washington.edu/WISP.html