Medical Proxies: Protecting medical implants...Medical Proxies: Protecting medical implants Dimitri de Malaise Thesis submitted for the degree of Master of Science in Electrical Engineering,

Medical Proxies: Protecting medicalimplants

Dimitri de Malaise

Thesis voorgedragen tot het behalenvan de graad van Master of Science

in de ingenieurswetenschappen:elektrotechniek, optie Ingebedde

systemen en multimedia

Promotoren:Prof. dr. ir. Preneel Bart

Prof. dr. ir. Pollin Sofie

Academiejaar 2016 – 2017

Master of Science in de ingenieurswetenschappen: elektrotechniek

Medical Proxies: Protecting medicalimplants

Dimitri de Malaise

Thesis submitted for the degree ofMaster of Science in

Electrical Engineering, optionEmbedded Systems and Multimedia

Thesis supervisors:Prof. dr. ir. Preneel Bart

Prof. dr. ir. Pollin Sofie

Assessor:Prof. dr. ir. Wambacq Patrick

Mentors:dr. ir. D. Singelée

ir. E. Marinir. T. Vermeulen

Academic year 2016 – 2017

© Copyright KU Leuven

Without written permission of the thesis supervisors and the author it is forbiddento reproduce or adapt in any form or by any means any part of this publication.Requests for obtaining the right to reproduce or utilize parts of this publication shouldbe addressed to Departement Elektrotechniek, Kasteelpark Arenberg 10 postbus2440, B-3001 Heverlee, +32-16-321130 or by email [email protected].

A written permission of the thesis supervisors is also required to use the methods,products, schematics and programs described in this work for industrial or commercialuse, and for submitting this publication in scientific contests.

Preface

I would like to thank everyone who has helped me with this thesis. First I want tothank my thesis supervisors, Prof. Bart Preneel and Prof. Sofie Pollin for giving methe opportunity to work on this subject.

I also want to thank my mentors Dave Singelée, Eduard Marin and Tom Vermeulen.They were always ready to give me some advise on the problems I encountered andguide me to achieve the goals of this thesis. The feedback I received from themhelped me a lot. I enjoyed working together with them and I learned a lot from thisexperience.

Finally I would like to thank my family and friends for giving me feedback andsupporting me.

Dimitri de Malaise

i

Contents

Preface iAbstract ivAbstract vList of Figures xiiList of Abbreviations and Symbols xv1 Introduction 1

1.1 State of the Art . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 IMD Shield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.3 Problem description . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Communication between Device Programmer and Shield 62.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.3 Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3 Communication between Shield and IMD 113.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.3 Protocol Communication . . . . . . . . . . . . . . . . . . . . . . . . . 143.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4 Threat Model 164.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.3 Adversary Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5 Implementation LabView 185.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185.2 Implementation using USRPs . . . . . . . . . . . . . . . . . . . . . . 195.3 Implementation Simulations . . . . . . . . . . . . . . . . . . . . . . . 205.4 Realisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

6 Evaluation and Results 21

ii

Contents

6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216.2 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

7 Conclusion 35A LabView files 38

A Code used for Implementation with USRP . . . . . . . . . . . . . . . 38B Code used for Simulations . . . . . . . . . . . . . . . . . . . . . . . . 41

Bibliography 44

iii

Abstract

The medical world has evolved a lot in the last century and keeps improving with newtechnological inventions. Implantable Medical Devices (IMDs), such as pacemakers,cardiac defibrillators and insulin pumps can substantially enhance the health andcomfort of patients. In recent research the security of IMDs has been investigated.It has been proven that the absence of strong cryptographic mechanisms makes thewireless interface of IMDs vulnerable to different attacks that put the patient’s safetyat risk. It is possible for an attacker to eavesdrop the communication between adevice programmer and an IMD. An attacker can also send their own messages toalter the settings of an IMD. Different solutions have been proposed to solve theseproblems. The goal of this thesis is to find a solution that will protect legacy devicesagainst the different attacks. We want to protect legacy devices because IMDs canbe implanted for up to ten years. This thesis will extend a solution called the shieldbecause no modifications to the IMD are required. The shield is a wearable devicecontaining a battery that acts as a proxy for the communication between a deviceprogrammer and an IMD. It uses jamming to protect the IMD from adversarieswhich allows the shield to mitigate the existing security problems.

This research investigates how to efficiently jam to increase the lifetime ofthe battery powering the shield. A second challenge is the real-time detection ofadversaries.

iv

Abstract

In de laatste eeuw is er bijzonder veel technologische vooruitgang geweest in demedische wereld. Medische implantaten (IMD's) zoals de pacemaker, cardioverter-defibrillators en insulinepompen zijn voorbeelden van deze vooruitgang. Dezetoestellen kunnen de gezondheid en het comfort van patiënten enorm verbeteren. Eris recent veel onderzoek gedaan naar de veiligheid van deze IMD's. Er is immersaangetoond dat de draadloze verbinding die gebruikt wordt om met een IMD te com-municeren kwetsbaar is voor verschillende aanvallen die de veiligheid van de patiëntin gedrang brengen. De communicatie met IMDs maakt geen gebruik van sterkecryptografische methoden waardoor aanvallers zelf berichten kunnen sturen naar deIMD om de instellingen aan te passen. Het is ook mogelijk om de communicatieaf te luisteren en gevoelige informatie te leren als aanvaller. Er zijn verschillendemethoden voorgesteld om deze problemen op te lossen. Het doel van deze thesis isom bestaande toestellen te beschermen. In deze thesis wordt het schild (the shield)uitgebreid omdat deze oplossing geen aanpassingen aan het implantaat vereist. Ditis belangrijk voor patiënten die recent een IMD hebben gekregen omdat een IMD tottien jaar gebruikt wordt. Het schild is een draagbaar toestel dat de communicatietussen een programmeertoestel (the device programmer) en het implantaat regelt. Hetgebruikt jamming om IMD's te beschermen tegen aanvallers. Hoewel deze oplossingniet perfect is kan het schild de bestaande problemen wel verzwakken. Deze thesisbekijkt hoe het jammen efficiënt kan gebeuren om een redelijke levensduur van hetschild, werkend op batterijen, te garanderen. Het schild moet enkel jammen als hetnoodzakelijk is en voor een zo kort mogelijk tijd. Een tweede probleem dat bekekenwordt is het realtime detecteren van aanvallers.

v

Medische Proxies: Beschermingvan medische implantaten

Nederlandse samenvatting

Hoofdstuk 1: InleidingDe voorbije jaren heeft de veiligheid van medische implantaten veel aandacht gekre-gen. De draadloze verbinding die het mogelijk maakt om de programmatie van deimplantaten aan te passen gebeurt in de MICS band (402-405MHz). Om een implan-taat te activeren wordt een kleinere frequentie gebruikt, tussen 30 en 300kHz. In deliteratuur zijn er verschillende technieken voorgesteld om deze draadloze verbindingveiliger te maken. Er zijn echter nog veel verbeteringen die gemaakt kunnen wordenvoor elke oplossing om hun problemen en nadelen op te lossen. De oplossing die indeze thesis verder behandeld wordt is het schild. Dit is een klein en draagbaar toesteldat met behulp van friendly jamming het implantaat beschermt tegen aanvallers enhet moeilijk maakt om dit kanaal af te luisteren. Het nadeel van deze oplossing isdat het mogelijk is om in de aanwezigheid van een jammer het signaal nog steeds teachterhalen. Toch is er voor het schild gekozen omdat de implantaten niet aangepastmoeten worden. Dit is een groot voordeel omdat het voorkomt dat alle patiëntenmet een IMD een operatie moeten ondergaan om het implantaat te laten veranderen.

Het doel van het schild is om ervoor te zorgen dat aanvallers niet kunnen com-municeren met het implantaat en dat de legitieme communicatie niet afgeluisterdkan worden. In noodgevallen moet het wel mogelijk zijn om gemakkelijk met hetimplantaat te communiceren. De jammer moet actief zijn wanneer een aanvallergedetecteerd wordt en wanneer het IMD berichten naar het schild stuurt. Aan deontvanger van het schild moet het jamming signaal en de data gescheiden kunnenworden. Het schild is dus ontworpen als een full-duplex radio, in staat om gelijktijdigte zenden en te ontvangen. Het kanaal kan echter niet perfect beschermd wordentegen afluisteren met deze friendly jamming techniek en de manier waarop het effectvan de jammer wordt weggehaald is geen probleem dat hier behandeld wordt.

Er bestaat een multiple-input multiple-output (MIMO) aanval die ervoor zorgt datde communicatie niet geheim is en kan afgeluisterd worden. Door het faseverschil van

vi

Abstract

de signalen aan verschillende antennes kan het effect van de jammer teniet gedaanworden. Dit is een belangrijke beperking van het schild. Een ander nadeel van hetschild is dat de energie die gebruikt mag worden om te zenden in de MICS bandbeperkt is. Aanvallers moeten zich echter niet houden aan deze regels en wanneer zeover genoeg energie beschikken kunnen ze de jammer overtreffen en communicerenmet het implantaat. Het schild kan in dit geval enkel een waarschuwing geven aande patiënt.

In deze thesis wordt de communicatie tussen een programmeertoestel en hetschild verder besproken gevolgd door de communicatie tussen het schild en een IMD.Er wordt vervolgens een model voor een aanvaller opgesteld en ten slotte volgen deimplementatie en de resultaten. De implementatie maakt gebruik van LabView enUSRP’s die de MICS band kunnen gebruiken.

Hoofdstuk 2: Communicatie tussenProgrammeertoestel en SchildIn dit hoofdstuk wordt er een pairing protocol bekeken tussen een programmeertoestelen het schild. Voor het schild is het belangrijk dat dit protocol zo efficiënt mogelijkkan uitgevoerd worden en dat een realisatie van het toestel zo klein en compactmogelijk blijft. In termen van veiligheid moet de communicatie echtheid en integriteit(authenticity and integrity) kunnen bewijzen en bescherming bieden tegen actieveaanvallen. Beide toestellen moeten zeker zijn van de identiteit van de andere partijen van de integriteit van de boodschappen. Hierdoor is het onmogelijk voor eenaanvaller om berichten aan te passen of nieuwe berichten te injecteren. Om dit teverwezenlijken worden verschillende bestaande technieken gebruikt. De data zal metsymmetrische sleutel cryptografie verzonden worden. De symmetrische sleutel moetmet een key establishment protocol afgesproken worden, dit zal met asymmetrischetechnieken gedaan worden. De publieke sleutels die hiervoor gebruikt worden moetennatuurlijk ook hun authenticiteit bevestigen. Aangezien er in deze applicatie nietmet een betrouwbare derde partij gewerkt kan worden, wordt er hier een out-of-band(OOB) kanaal gebruikt. Dit is een extra kanaal waarmee de authenticiteit vande publieke sleutels bewezen kan worden. Dit OOB kanaal zal tekst gebaseerdzijn om het systeem zo eenvoudig mogelijk te houden. Het manual authenticationprotocol is geschikt om de authenticiteit van de sleutels te bewijzen met behulp vaninteractie van de gebruiker. Het MANA I protocol zal hier verder gebruikt worden.Wanneer deze publieke waarden geauthentiseerd zijn, volgt er het key establishmentprotocol. Hiervoor is Elliptic Curve Diffie-Hellman (ECDH) geschikt. ECDH kanefficiënt geïmplementeerd worden en biedt hetzelfde veiligheidsniveau aan als hetstandaard DH protocol met een kortere sleutel. Voor de symmetrische encryptie zalhet Authenticated Lightweight Encryption (ALE) algoritme gebruikt worden. Ditalgoritme is gebaseerd op Advanced Encryption Standard (AES) en is zeer efficiëntvoor zowel de hardware als de software. Het energieverbruik van AES operatiesis bijna verwaarloosbaar ten opzichte van het energieverbruik van asymmetrische

vii

Abstract

algoritmes.

Hoofdstuk 3: Communicatie tussen Schild en IMDDit hoofdstuk beschrijft de communicatie tussen een schild en een IMD. Deze com-municatie gebeurt in de MICS band die onderverdeeld wordt in tien kanalen vanelke 300kHz. Op basis van de ruis aanwezig in elk kanaal wordt het beste kanaalgeselecteerd voor de berichten te versturen. Het schild moet er met friendly jammingvoor zorgen dat enkel geauthentiseerde toestellen kunnen communiceren met een IMDmaar zoals al vermeld kan de vertrouwelijkheid van de berichten niet gegarandeerdworden. Voor het jammen bestaan er verschillend technieken met verschillende com-plexiteit en efficiëntie. Een eerste mogelijkheid is een proactieve jammer, deze jammerzendt zijn signaal onafhankelijk van potentiële aanvallers. Een reactiever jammerzendt zijn signaal enkel wanneer er een aanvaller is gedetecteerd maar moet hetkanaal dan wel constant in het oog houden. Vervolgens kan een jammer volgens eenvooraf gedefinieerde functie jammen. Dit is de function-specific jammer. Tenslottezijn er de smart-hybrid jammers die zo efficiënt mogelijk proberen te jammen doorenkel op de noodzakelijke plekken de noodzakelijke energie te voorzien. Al dezetechnieken maken een afweging tussen complexiteit en efficiëntie. Voor het schildwordt er een efficiënte techniek gezocht die ervoor zorgt dat de levensduur van debatterij optimaal is. Een smart-hybrid techniek zal toegepast worden, de jammerzendt namelijk enkel een signaal uit wanneer een aanvaller gedetecteerd is. Hetjamming signaal is ook zo kort mogelijk om energie te besparen maar moet ookverzekeren dat het bericht niet meer aangenomen wordt door het implantaat.

Het schild moet dit natuurlijk voor alle tien kanalen controleren. Dit kan op eenefficiënte manier gebeuren door telkens het vermogen spectrum te bekijken van tweekanalen. Op deze manier moet elk kanaal niet afzonderlijk gecontroleerd worden.Als een signaal gedetecteerd wordt, kijkt men naar het vermogen spectrum vanbeide kanalen afzonderlijk om het juiste kanaal te kunnen selecteren. Hierna wordter bepaald om te jammen als er een Start-of-Frame (SoF) gedetecteerd wordt metbehulp van een kruis-correlatie.

Er kunnen drie situaties onderscheiden worden. In de eerste situatie is er geenprogrammeertoestel aanwezig en worden alle berichten beschouwd als aanvallers.Voor de tweede situatie is er wel een programmeertoestel aanwezig. Het programmeer-toestel zal dus communiceren met het implantaat. Voor alle andere berichten moeteen jamming signaal verstuurd worden. De laatste situatie bekijkt een programmeer-toestel dat wil communiceren met een IMD terwijl er verschillende schilden aanwezigzijn. Deze kunnen beginnen jammen en zo de geldige communicatie verstoren. Ditkan voorkomen worden door ook te controleren op het serienummer van een IMD.Deze situatie is niet verder onderzocht.

De repgrogramming mode laat toe om de instellingen aan te passen. Hiervoor

viii

Abstract

moeten Frequency Shift Keying (FSK) gemoduleerde signalen gebruikt worden. Deberichten volgen een bepaalde structuur. Belangrijk is de SoF waarmee elk berichtbegint, dit bestaat uit afwisselende enen en nullen. Een bericht sluit af met een CyclicRedundancy Check (CRC) en een End-of-Frame (EoF). De CRC wordt gebruikt omte zien of er geen fouten in het bericht staan. Jamming zorgt er dus voor dat deCRC validatie mislukt.

Hoofdstuk 4: Model aanvallerIedereen kan een aanvaller zijn voor dit systeem. Enkel van de patiënt zelf gaatmen ervan uit dat deze geen slechte intenties heeft. Een aanvaller kan proberen ominformatie te verkrijgen door de communicatie tussen de toestellen af te luisteren.Dit zijn passieve aanvallers. Actieve aanvallers zullen proberen om te communicerenmet de implantaten. Het is al aangetoond dat vertrouwelijkheid niet gegarandeerdkan worden ten gevolge van de MIMO aanval. Er kan echter niet afgeluisterd wordenaan de communicatie tussen het programmeertoestel en het schild. Dit betekentdat een passieve aanvaller in de buurt moet zijn van de patiënt door het beperktecommunicatiebereik van een IMD. Dit is niet onmogelijk maar passieve aanvallersworden verder niet meer beschouwd omdat het schild het implantaat in deze situatieniet kan beschermen. Actieve aanvallers zullen proberen om berichten te sturennaar de IMD. De aanvaller is succesvol als de berichten worden geaccepteerd dooreen implantaat. Het jamming signaal moet dus voldoende fouten introduceren inhet bericht zodat de CRC validatie mislukt. Dit betekent dat actieve aanvallers diebeschouwd worden ook een limiet hebben met betrekking tot het vermogen waarmeeze kunnen zenden. De limiet hangt af van de afstand waarop een aanvaller zichbevindt. Aangezien het jammen efficiënt gebeurt kan het schild ook lang genoegmeegaan. Een aanvaller zal de batterij van een schild dus niet binnen een redelijketijd kunnen legen door het schild constant te laten jammen.

Hoofdstuk 5: ImplementatieDe implementatie is gedaan in LabView. USRP's die in de MICS band kunnenverzenden en ontvangen worden gebruikt om het schild en de aanvallers te moduleren.De LabView programma's worden niet rechtstreeks op de USRP uitgevoerd maarop een PC. De connectie tussen deze PC en de USRP's zal een limiterende factorzijn. Hierdoor zijn enkele situaties voorgesteld in simulaties die geen gebruik makenvan de hardware. Door de programma's rechtstreeks op de FPGA van de USRP's tezetten kan dit probleem opgelost worden.

Eerst en vooral moet het FSK encoderen en decoderen van berichten geïm-plementeerd worden. In een volgende stap worden deze berichten dan verstuurdvan een USRP naar de andere. Daarna wordt er gekeken naar het detecteren vanaanvallers. Dit gebeurt op twee manieren, het vermogen spectrum analyseren ende kruis-correlatie berekenen met het SoF. Hiervoor moet telkens een threshold

ix

Abstract

gevonden worden. Voor het jamming signaal is een sinusfunctie gebruikt met dezelfdefrequentie als de FSK deviation. Hierdoor wordt de energie van het jamming signaalzo efficiënt mogelijk gebruikt. Het jamming signaal wordt ook zo kort mogelijkgemaakt

Hoofdstuk 6: ResultatenIn dit hoofdstuk worden de resultaten van de implementatie geanalyseerd. De resul-taten zijn opgesplitst in twee delen. Een eerste deel analyseert de resultaten die metde USRP's zijn aangetoond. De situaties die vereisen dat het programma rechtstreeksop de FPGA staat, zijn behandeld in simulaties.

Eerst wordt aangetoond dat FSK gemoduleerde berichten verzonden en ontvan-gen kunnen worden. In het frequentiedomein zijn de twee frequenties van de FSKmodulatie duidelijk zichtbaar. Het schild moet in staat zijn zulke berichten in hetmedium te detecteren. Hiervoor worden er twee methodes gebruikt die in het gevalvan meerdere kanalen gecombineerd kunnen worden. Een eerste methode is hetvermogen spectrum analyseren van een kanaal. Als het gemiddelde vermogen boveneen bepaalde grens ligt zal het schild besluiten dat er een bericht verzonden wordt opdit kanaal. De grenswaarde moet zo gekozen worden dat alle aanvallers gedetecteerdworden maar ook de kans op onnodig jammen zo laag mogelijk houden. De tweedemethode berekent de kruis-correlatie van het signaal met de SoF. Ook hier moeteen grenswaarde bepalen of er een jamming signaal gestuurd moet worden over hetbekeken kanaal. Bij de implementatie op USRP moet hiervoor rekening gehoudenworden met de sample clock offset. Dit is een mismatch tussen de zender en ont-vanger waardoor de kruis-correlatie niet altijd een betrouwbaar resultaat geeft. Dezemismatch is niet gecompenseerd in deze implementatie waardoor de grenswaarde inde simulaties bepaald is.

Als de aanvallers gedetecteerd zijn moet het schild jammen. Het jamming sig-naal bestaat uit twee pieken in het frequentiedomein op dezelfde plekken waar deenergie van de FSK gemoduleerde signalen zit. In het tijdsdomein blijkt het jamminggedeelte net te laat te komen om realtime te jammen. Dit wordt verder bekekenin de simulaties. Ook de combinatie van alle tien de kanalen gebeurt enkel in desimulatie. Om aan te tonen dat dit wel mogelijk is op de USRP worden twee kanalenwel behandelt. Een combinatie van filters laat toe om op elk kanaal apart aanvallerste detecteren.

Voor de simulaties moet er een model zijn voor het draadloze kanaal dat gebruiktwordt. Het Free Space Path Loss model kan gebruikt worden om het effect vande transmissie in de lucht te bepalen. Voor het kleine deel dat het signaal doorhet lichaam moet wordt een bijkomende 40dB gerekend. Nu kan er een signaaltot ruisverhouding (SNR) bepaald worden die overeenkomt met de afstand tussende zender en ontvanger. Het vermogen van de toestellen bepaalt hoeveel effect ze

x

Abstract

hebben op een bepaalde afstand. Het jamming signaal is gelimiteerd tot -16dBm enaanvallers tot 0dBm worden bekeken.

De lengte van het jamming signaal wordt bepaald door de bit error rate (BER) tebekijken. Het signaal moet zo kort mogelijk gekozen worden maar moet voldoende bitfouten introduceren om de IMD te beschermen. Een ideale jam lengte is ongeveer 2ms.

Wanneer de lengte van het jamming signaal is gekozen kan men naar de BERin functie van de afstand tussen de toestellen kijken. Het vermogen waarover deaanvaller beschikt bepaalt vanaf welke afstand het jammen effect heeft. Voor grotevermogens is aangetoond dat op korte afstanden de communicatie met een IMD geeneffect ondervindt van het jammen.

Voor de detectie worden opnieuw dezelfde technieken gebruikt. Eerst kijkt menop welke afstand een aanvaller met 0dBm equivalent isotropically radiated power(EIRP) niet meer kan communiceren met de IMD, zelfs zonder aanwezigheid van eenjamming signaal. Dit is de extreme situatie die het schild moet kunnen detecterenom de IMD te beschermen. De 40dB verlies door het lichaam worden hier niet meerin rekening gebracht omdat het signaal niet door het lichaam moet voor het schildte bereiken. De grenswaarden kunnen hieruit bepaald worden.

Als laatste stap moeten de tien kanalen gecombineerd worden. De detectie overdeze tien kanalen gebeurt in verschillende stappen om het zo efficiënt mogelijk telaten verlopen.

xi

List of Figures

1.1 Jammer-Cum-Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2 Shield Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.1 MANA I protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2 ECDH-based key establishment protocol . . . . . . . . . . . . . . . . . . 9

3.1 Different jamming techniques in order of increasing efficiency . . . . . . 123.2 Detecting adversaries on 10 channels . . . . . . . . . . . . . . . . . . . . 133.3 Device programmer message format . . . . . . . . . . . . . . . . . . . . 14

5.1 USRP 2952R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185.2 USRPs setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

6.1 2-FSK modulated signal (time domain) . . . . . . . . . . . . . . . . . . 226.2 2-FSK modulated signal (frequency domain) . . . . . . . . . . . . . . . 226.3 Mean values of the power measurements . . . . . . . . . . . . . . . . . . 236.4 Cross-correlation with the SoF . . . . . . . . . . . . . . . . . . . . . . . 246.5 Cross-correlation affected by sample clock offset . . . . . . . . . . . . . . 246.6 Representation jamming (time domain) . . . . . . . . . . . . . . . . . . 256.7 Representation jamming (frequency domain) . . . . . . . . . . . . . . . 256.8 Two adjacent channels (frequency domain) . . . . . . . . . . . . . . . . 266.9 Cross-correlation values of one channel . . . . . . . . . . . . . . . . . . . 266.10 Number of bit errors in function of the jamming signal’s length . . . . . 286.11 Simulated representation jamming (time domain) . . . . . . . . . . . . . 286.12 Number of bit errors in function of the distance for adversaries with

different transmit powers . . . . . . . . . . . . . . . . . . . . . . . . . . 296.13 Number of bit errors in function of the distance for adversaries with

different transmit powers while jamming . . . . . . . . . . . . . . . . . . 296.14 Number of bit errors in function of the distance for adversaries with

60dBm transmit power while jamming . . . . . . . . . . . . . . . . . . . 306.15 Power spectrum of noise and random messages . . . . . . . . . . . . . . 316.16 Cross-correlation with SoF . . . . . . . . . . . . . . . . . . . . . . . . . 326.17 The detection probability and false alarm rate for a thousand random

messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326.18 Signal in the seventh channel of the MICS band (frequency domain) . . 33

xii

List of Figures

6.19 Seventh channel of the MICS band (frequency domain) . . . . . . . . . 336.20 Signal and jamming signal(time domain) . . . . . . . . . . . . . . . . . . 34

A.1 Demodulation of modulated messages . . . . . . . . . . . . . . . . . . . 39A.2 USRPs communicating on one channel . . . . . . . . . . . . . . . . . . . 39A.3 Cross-correlation of an input signal with the SoF . . . . . . . . . . . . . 40A.4 Detection with power measurements . . . . . . . . . . . . . . . . . . . . 40A.5 Detection of messages extended with a jammer . . . . . . . . . . . . . . 41A.6 BER in function of the distance for two signals . . . . . . . . . . . . . . 42A.7 BER in function of the distance . . . . . . . . . . . . . . . . . . . . . . . 42A.8 Calculations for modelling the channel . . . . . . . . . . . . . . . . . . . 43

xiii

List of Abbreviations and Symbols

List of Abbreviations andSymbols

AbbreviationsIMD Implantable Medical DeviceMICS Medical Implant Communication ServicePV Physiological valueOOB Out-Of-BandECG ElectrocardiogramIPI Inter-pulse intervalDOS Denial Of ServiceMITM Man-In-The-middleMIMO Multiple Input and Multiple OutputUSRP Universal Software Radio PeripheralDH Diffie-HellmanMANA Manual AuthenticationCV Check-ValuePK Public KeySTS Station-To-StationECDH Elliptic Curve Diffie-HellmanECC Elliptic Curve CryptographyAES Advanced Encryption StandardMAC Message Authentication CodeGCM Galois Counter ModeOCB Offset Codebook ModeALE Authenticated Lightweight EncryptionCRC Cyclic Redundancy CheckFSK Frequency Shift KeyingDPSK Differential Phase Shift KeyingSoF Start-of-FrameEoF End-of-FrameFCC Federal Communications CommissionNI National InstrumentsFPGA Field-Programmable Field ArraySNR Signal-To-Noise RatioFSPL Free Space Path LossEIRP Equivalent Isotropically Radiated PowerBER Bit Error Rate

xv

Chapter 1

Introduction

The security of implantable medical devices (IMDs) is a topic that received a lotof interest the last couple of years. Most current IMDs offer a wireless interface tocommunicate with a device programmer that makes it possible to remotely monitorand change its settings [29]. The frequency band used for this communication is theMICS band (402-405MHz). The MICS band is suited in this application becausepropagation of the signals through the human body is possible without interferingwith other wireless devices [29].

To activate an IMD a programming head is used, this uses a short range channelbetween 30 and 300kHz [23]. Only after an IMD has been activated it can startcommunicating with a device programmer. The telemetry data can then be collectedand the treatment can be changed.

However current models of IMDs offer very limited security for this wirelessinterface. The main problem for this wireless communication is that its securityis typically based on keeping the protocol specifications secret [23]. This is calledsecurity-by-obscurity. Adversaries can reverse-engineer the communications protocolto have full control of the IMD [17, 23]. Another problem to consider is that inemergency situations the IMD should be accessible by any doctor [11]. This showsthat the solution should find the right balance between safety and security.

Some solutions have been proposed that would protect the patient against thesesecurity problems [29]. The solutions can either require modifications to the IMD orrequire only external devices to be modified allowing improved security for legacydevices. Solutions that protect legacy devices are important for patients that recentlygot an IMD since IMDs can be implanted for ten years [13]. This means that noadditional risks due to surgery are present for this type of solutions. Until now allsolutions still have their own problems and difficulties. So there is still a lot of roomfor research and improvements around this topic.

1.1 State of the ArtRushanan et al. [29] provide an overview of the different solutions that have beenproposed to secure the wireless interface. Physiological values (PV), out-of-band

1

1.1. State of the Art

(00B), distance bounding, anomaly detection and external devices are the maintechniques used for authentication and encryption.

PVs can be used to generate a symmetric key, usually this is done by performingthe same measurement of a certain PV by both the IMD and the programmer. Thisinformation will be the used by both devices to establish the secret session key. Itis important that the source for that information is random enough and changesso each session a different key is obtained [8]. An electrocardiogram (ECG) is apopular choice for such a PV because of the high randomness of the time betweenheartbeats, also called the interpulse interval (IPI). Xu et al. [33] and Hu et al. [20]proposed ECG as the source for generating the key. Other PVs can be used aswell as long as they are random enough such as temperature, blood pressure andblood flow as shown by Cherukuri et al. [8]. The amount of entropy in the PVscan be influenced by factors like age and health [29]. The measurement noise whichcan result in small differences on both measurements also needs to be taken intoaccount [7]. Another disadvantage of this method is that relative simple attacks existthat lower the expected security as described by Rostami et al. [28] and modificationsto the IMD are required.

OOB methods rely on an auxiliary channel to perform authentication [10, 17].Audio, visual or tactile based channels are different options for such an auxiliarychannel. A low-frequency audio channel has been proposed by Halperin et al. [17] thatis used to transmit a random key generated by the IMD. An ultra-violet or visibletattoo can be used as a master key when using a visual OOB channel as described byDenning et al. [10]. Both proposals have considerable disadvantages. Halevi et al. [16]show that the acoustic channel can be eavesdropped. A permanent key in the formof a tattoo is not very secure and key revocation is not possible [29]. If the tattoo isdamaged during an accident it will be unusable. Tattoos can also have cultural orhistorical associations which can be a reason for not using visible tattoos [10]. Anadditional disadvantage is that the IMD needs modifications. Because of this it isnot recommended to use these proposals in this application.

Distance bounding protocols [5,22,26] check the distance between two devices.The distance is found by measuring the delay that is needed to send a challenge andreceive the response. Rasmussen et al. [26] proposed to use an ultrasonic channelfor the distance bounding protocols but other signals can be used as well. Onlyverifying the distance between the devices that want to communicate provides onlyweak authentication [29]. Mostly additional authentication techniques are requiredto prove the identity of both devices. Implementing this technique also requiresmodifications for the IMD.

It is also possible to look at the IMD access patterns [19,34]. This makes it possibleto detect abnormal cases before the IMD starts its computations and prevent denialof service (DOS) attacks [29]. Hei et al. [19] based their approach on a supervisedlearning scheme. It is however designed for non-emergency situations [29]. Thesolutions that are proposed for emergency situations need the IMD to either detectemergency situations and fail open or have a master device key that is accessible forhospitals [19].

Using external devices is a last approach that handles the communication between

2

1.2. IMD Shield

the programmer and the IMD and such a technique will be used in this thesis [29].Existing proposals for the external devices are the cloaker [11], the IMDGuard [33]and the shield [13]. The cloaker, proposed by Denning et al. [11], describes the generalidea of external devices. The cloaker acts as a proxy for authorised communicationwith the IMD. In emergency situations the cloaker is removed or fails-open to allowfree acces to the IMD [11]. Xu et al. [33] proposed the IMDGuard which usesPVs to establish a symmetric key between the guardian and the IMD. Both theguardian and the IMD perform an ECG measurement which will be used in the keyagreement scheme. The guardian also authenticates the programmer resulting ina secure channel. It is however possible to reduce the effective key length with aman-in-the-middle (MITM) attack as shown by Rostami et al. [28]. This approachdoes need modifications to the IMD and will not be used in this thesis because ofthis. The last option of external devices is the shield. It is proposed by Gollakotaet al. [13]. The shield uses friendly jamming [13, 24] to protect the IMD. Friendlyjamming is used to deny adversaries access to the IMD but also to make it moredifficult to eavesdrop on messages from the IMD. Ensuring total confidentiality ishowever not possible with the shield. An attack exists that can recover the signalsunder these circumstances as shown by Tippenhauer et al. [32].

In this thesis the solution is based on the shield. The solution’s main advantageis that it does not require any modifications to the IMD. The shield is described inmore detail below.

1.2 IMD Shield

1.2.1 Description

A shield is an external, wearable device designed with confidentiality, inalterabilityof the IMD and safety in mind. Inalterability means that no modifications are madeto the IMD. As mentioned previously it operates on the MICS band to communicatewith the IMD [13].

The goal of the shield is to prevent attackers to be able to communicate withthe IMD or to eavesdrop on the messages being send. Ensuring confidentiality andpreventing unauthorised access are challenging when looking at the requirements.This is because the shield and the IMD are resource constrained devices which have toallow open-access in emergency situations [13]. The IMD, implanted on the patient’sbody, cannot be modified. The shield itself needs to be implemented efficiently andas compact as possible. This way it fits in a wearable device and does not consumetoo much energy. The shield relies on friendly jamming in a full duplex radio designto achieve its security requirements [13]. This means that the shield will jam alladversarial messages but also the messages originating from the IMD. The shieldwill however be able to demodulate the messages from the IMD in the presence ofthe jamming since it also has an antidote for the jamming. This antidote will cancelout the jamming at the front end of the receiving antenna and only at this place.This is introduced as a jammer-cum-receiver by Gollakota et al. [13]. The receiving

3

1.2. IMD Shield

chain is connected with a transmit chain that contains the antidote for the jammingsignal as shown in figure 1.1.

Figure 1.1: Jammer-Cum-Receiver

Previous designs of full duplex radio’s [9] were based on antenna separation andhence did not allow a small design. However for the jammer-cum-receiver [13] thereare no restrictions on the positioning of the antennas and because of this it is suitedto use in the shield. Finding the antidote that is needed to cancel out the jammingin a dynamic environment is a difficult problem that will not be considered in thisthesis. The setup between a device programmer, the shield and the IMD is shown infigure 1.2.

Figure 1.2: Shield Setup

1.2.2 Problems

Tippenhauer et al. [32] have demonstrated that the shield is not perfect for securingthe communication between the device programmer and the IMD. They have shownthat friendly jamming does not provide perfect confidentiality. There exists a multipleinput and multiple output (MIMO) based attack that allows an attacker to recoverthe data that is being exchanged. Multiple antennas can pick up the data and the

4

1.3. Problem description

jamming signal with a phase offset. Combining these signals makes it possible todestroy the jamming signal and recover the data signal. Multiple friendly jammerswould not solve this problem since this will only increase the area the jamming cancover and not improve the confidentiality [32]. Another weakness for the shield isthe regulations that exist for the MICS band [30]. The energy a device can use totransmit on this MICS band is limited to avoid interference with other devices. Thismeans that high-powered adversaries can still communicate with the IMD even inthe presence of jamming [13]. The shield can detect such high-powered signals andwarn the patient but cannot prevent unauthorised access by the attacker in this case.

1.3 Problem descriptionIn this thesis both the communication between the programmer and the shield aswell as between the shield and the IMD will be explored. First a theoretical setupis proposed in chapter 2 for the communication between the programmer and theshield in the form of a pairing protocol using existing techniques. Subsequently, inchapter 3, the communication between the shield and the IMD is handled. In thispart we discuss detecting adversaries in real-time and show how the jamming canbe done efficiently. Next a threat model is defined to show what adversaries arecapable of. The threat model can be found in chapter 4. This is followed by theimplementation and the results, chapter 5 and 6. LabView and USRPs are used tomodel the different situations that the shield can encounter. The USRPs are capableto transmit and receive signals in the MICS band.

5

Chapter 2

Communication between DeviceProgrammer and Shield

2.1 IntroductionIn this chapter we will describe the pairing protocol between the device programmerand the shield. Since the shield should be small and very efficient to increase thebattery lifetime, the pairing protocol will have to balance efficiency and effectiveness.The pairing protocol will need an out-of-band (OOB) channel since both devices donot have shared secrets [31]. We will first start with a discussion of the requirementsthat are needed to guarantee a secure communication link between the deviceprogrammer and the shield. This is followed by the pairing protocol consisting ofexisting solutions. The pairing protocol takes these requirements into account.

2.2 RequirementsIt is assumed that the programmer remains mainly as it is. The shield will have tobe designed in function of the requirements for this secure channel. It should becompact in order to be implemented as a wearable device and as user friendly aspossible so the patient is not hindered. The shield also needs a reasonable lifetime sothe energy consumption will need to be as low as possible. These are the physicalrequirements for the shield. In terms of security the communication needs to beauthenticated and provide integrity. The messages should also be encrypted eventhough confidentiality of the transmission is not achieved between the shield and theIMD. This limits the attack surface for an attacker to the commmunication betweenthe shield and the IMD. The channel needs to be secure against active attacks. Bothdevices should be able to authenticate each other and prove the messages are notaltered in any way. The device programmer should be authenticated to the shieldto make sure that valid commands are actually from the device programmer. Theshield should also be authenticated to the device programmer because that gives thedevice programmer the certainty that the telemetry data it receives is from the rightdevice. By having these security measures an adversary cannot successfully inject or

6

2.3. Solution

modify messages. Confidentiality is not defined as one of the requirements becauseMIMO-based attacks [32] are proven to be able to recover the information send fromthe shield to the IMD. The frequency band used for communicating between thedevice programmer and the shield can be done over the MICS band but this is notnecessary.

2.3 SolutionThe general idea behind our solution is to use a symmetric session key to encryptthe data on this channel. Since there are no shared secrets between the devices a keyestablishment protocol is needed. This protocol will be public key based resultingin a hybrid system. The key establishment is public key based because a publiccryptosystem transferring all the messages is much slower and uses more energy thana secret key cryptosystem. In most applications a public cryptosystem is only usedto transfer very small amounts of data of which RSA is a well known example.

First the key establishment protocol will be discussed. In public key cryptographyit is possible to share a secret with another party without anyone being able to findthis secret. Both parties need to be authenticated so each device knows with whomthey are communicating, this is called mutual authentication.

Different key establishment protocols exist and many use trusted third parties toagree on a shared secret. These protocols, like Kerberos, are usually more energyefficient than key agreement protocols such as Diffie-Hellman(DH) [14]. In thisapplication, however, a trusted third party is not available to establish a sharedsecret. Another possibility is to use an OOB channel to authenticate the temporarypublic keys (PK) of the device programmer and the shield [31]. If the PKs of bothdevices are authenticated a key agreement protocol can be performed that is resistantagainst MITM attacks.

Before the key agreement protocol is explained further our choices of the OOBchannel are discussed. We chose a text based OOB channel which allows for a simpleand cheap authentication protocol. Current device programmers already have aninterface that allows text based input and output.

On this text based OOB channel the authentication can be done with a MANualAuthentication (MANA) protocol as described by Gehrmann et al. [12]. The PKshave already been exchanged in this step. MANA means it requires interactionfrom the user. There exist different MANA protocols depending on the interfacepossibilities of the devices. The MANA I protocol is suited in this application becausethe devices only need a standard output interface or a standard input interface.The shield will have the standard output interface in this situation and the deviceprogrammer will have a standard input interface. To avoid that this protocol has tobe performed two times, the PKs are combined into one public value.

First a random key, K, is generated by the shield. This key is used to calculatea check-value (CV) function of the combined PKs. The key, K, and the result ofthe CV function are then entered manually on the device programmer. The deviceprogrammer can now also compute the CV function with K and compare the results.

7

2.3. Solution

The protocol is aborted in case the values do not match. This is an efficient wayto authenticate the public keys while satisfying the limitations of the shield. TheMANA I protocol is represented in figure 2.1.

Figure 2.1: MANA I protocol

At this point the public keys are authenticated, this is called implicit key authen-tication.

The next step is performing a key agreement protocol to establish a session key.Key agreement protocols such as DH, ElGamal, Station-to-Station (STS), Ellipticcurve Diffie-Hellman (ECDH) can be used. Großschädl et al. [14] show that theenergy cost of elliptic curve cryptography (ECC) is suitable for a wireless sensornetwork. We will use ECDH here, it is power efficient and a shorter key length isneeded to achieve the same security level as the standard DH protocol [21]. Theprinciple of ECDH is shown in figure 2.2.

8

2.3. Solution

Figure 2.2: ECDH-based key establishment protocol

The domain parameters that are being used in the ECDH protocol define afinite field and have to be available for both devices to perform this algorithm. It isimportant that these parameters also define an elliptic curve and a base point onthis curve. It is shown in [1] how the ECDH domain parameters can be exchangedfor this purpose. In this figure the values k and l are the private keys of the devices.The point multiplication of these values with P, a base point results in the publicvalues transmitted over the channel. From these public values it is assumed that itis impossible to recover the private keys k and l. Both parties can then compute theshared secret that will be used as a session key.

In practice both the ECDH protocol and the MANA protocol are combined tobe performed simultaneously. The MANA protocol requires that both parties haveaccess to the PKs. So the decision to accept or reject the PKs will be made justbefore the shared secret is computed.

Finally, the symmetric encryption will be done with the Advanced EncryptionStandard (AES) which is a fast and very secure algorithm. In [14] the energyconsumption of AES is shown to be very small compared to the energy used for thekey establishment.

Different modes of operation are available for AES. We choose for a mode that pro-vides authenticated encryption in one pass which does not need an additional messageauthentication code (MAC) to provide integrity and authentication. Popular modesthat are used are the Galois Counter Mode (GCM) [25] and the Offset CodebookMode (OCB) [27]. The latter mode is patented and will not be considered becauseof this. GCM, however, is not designed for a low cost hardware implementation [4].Because of this we look at a lightweight solution called Authenticated LightweightEncryption (ALE). [4]. This algorithm is based on AES with a block size of 128 bits.It can outperform AES-GCM because of its efficiency in hardware and software [4].

9

2.4. Conclusion

Attackers will focus on the weakest link in the communication between the deviceprogrammer and the shield. Because of this the communication between the deviceprogrammer and the shield will not be considered as part of the attack surface.

2.4 ConclusionThe solution has to take all the requirements into account. This results in an efficientsystem that is easy to use. An OOB channel, using the MANA I protocol, incombination with the ECDH protocol will be used to authenticate the PKs andestablish a session key between the device programmer and the shield. Next thesession key will be used in a symmetric authenticated encryption protocol, ALEwhich is based on AES. The result is a secure communication channel between thedevice programmer and the shield. First the OOB channel authenticates the publickeys of the device programmer and the shield. We choose a text based OOB channeland we use the MANA I protocol for this authentication. Next the ECDH protocolis used to establish a session key between both devices. Assuming adversaries willtarget the weakest link in the communication between the device programmer andthe IMD, this part of the communication will not be the attacker’s focus.

10

Chapter 3

Communication between Shieldand IMD

3.1 IntroductionIn this chapter we analyse the connection between the shield and the IMD. Thecommunication between those devices uses the MICS band, between 402MHz and405MHz [29]. This frequency band is divided in 10 sub-channels of 300kHz each,this is described in [18]. One of these channels is chosen for the communicationwith the IMD. The channel with the least amount of noise and interference in itsfrequency band is selected by the shield. The shield acts as a proxy in this design.An alternative could be that the shield only acts as a jammer and does not take partin the communication between the device programmer and the IMD. We chose to usethe shield as a proxy because this allows more possibilities for communicating withthe shield. An example would be allowing different devices, such as smart phones, tocommunicate with the shield. This can be used to send the data to a doctor who canthen check the health of the patient without the need to visit the doctor each time.

First we will discuss the requirements for the communication between the shieldand the IMD. We look also in more detail at the jammer and the different situationsit needs to handle. A method to efficiently detect adversaries which makes it possibleto jam in real-time is also presented here. Subsequently we shortly discuss theelements of the protocol that are important in this thesis.

3.2 RequirementsThe IMD, already implanted in the patient, is assumed to remain unaltered [13].This means that the shield has to be able to communicate with the IMD the sameway the device programmers do it now. The requirements will again be mainly forthe shield. As said before the physical requirements of the shield remain the sameas before. It has to be implemented in a small wearable device, be user friendlyand have a reasonable lifetime. This means that the power consumption shouldbe minimised for this part as well. This can be done by using the jamming signal

11

3.2. Requirements

efficiently. The security properties of the communication between the IMD and theshield consist of authentication and availability. It is possible to use the jammingfor denying adversaries or unauthorised devices access to the IMD. This propertyassumes that the attacker’s power is not unlimited [13].

There exist different approaches to use jamming with different degrees of efficiencyand complexity. Grover et al. [15] gave an overview of different techniques. Firstof all a jammer can be proactive. This means that the shield jams independentlyof adversarial activity. This method is easy to implement but is not very efficient.Reactive jamming only sends a jamming signal when an adversary is detected butthe channel has to be monitored constantly. Function-specific jamming is a thirdway to jam and is based on a predetermined function. There are also smart-hybridjammers which try to maximise their jamming effect and be as efficient as possibleby using only the energy needed in the right place. In our solution the shield willsend its jamming signal if an adversary is detected. The length of the jamming signalcan also be chosen as small as possible while still being effective. This makes ourjammer a smart-hybrid jammer implemented in a reactive way. Figure 3.1 shows thedifferent ways for the shield to use jamming in order of increasing efficiency.

Figure 3.1: Different jamming techniques in order of increasing efficiency

To detect adversaries the shield has to check all ten sub-channels for incomingmessages. We consider two methods to detect messages on a channel; (i) the firstmethod looks at the power spectrum of the frequency band and (ii) the secondmethod computes the cross-correlation with the start-of-frame (SoF). The cross-correlation method can also be used to check for the serial number of the shield.These methods can each be used separately to detect adversaries. Both methods canalso be combined based on the techniques described in [18]. This is the approachthat is followed for this thesis. First the frequency band can be divided in five largersub-channels. Each of these sub-channels contain two 300kHz channels. The firstmethod to detect messages in a certain frequency band (i) is used to decide which

12

3.2. Requirements

sub-channels contain a signal. Because of this not all channels have to be checkedindividually. Next the same method can be used again to decide which of the twochannels contains the signal. The final step is to use the latter method (ii) to decideif a SoF is present in the signal. If no SoF is detected the message will not beaccepted by the IMD and no jamming signal is required. This principle is shown infigure 3.2. The power detection is a fast way to find out which channels are beingused. Combining multiple channels in the first step allows for an efficient check inthe whole frequency band. When the cross-correlation method is added, the jammerbecomes more efficient because the jamming signal is only send when necessary.

In this example channel 6 is used for the communication between an attackerand the IMD. In the first step the shield will detect the transmitted power and knoweither channel 5 or channel 6 is being used. Next the shield will look at the powerspectrum of both channels separately and decide from which channel the signaloriginates. Before jamming the shield first checks if both the SoF and the serialnumber are present and correct to decide whether the message is valid or not.

Figure 3.2: Detecting adversaries on 10 channels

We consider now different situations that a shield can encounter and how theshield should react in these situations. First of all the situation is described whereno device programmer is present. All incoming messages on any channel of the

13

3.3. Protocol Communication

MICS band are considered attacks in this situation. Any message where the startsequence is present should be jammed. When a signal is jammed it should only jamfor a short period of time that ensures an incorrect cyclic redundancy check (CRC)verification [23]. A second situation is when the device programmer is present andis trying to communicate with the shield. Using the same principle as before, anychannel where a message is detected should be jammed since the adversary can useall channels in the MICS band.

A last situation that is acknowledged is when multiple shields and IMDs arepresent and one device programmer tries to communicate with one of these IMDsthrough the corresponding shield. In this situation all the other shields will jam thevalid messages and possibly deny the device programmer access to the right IMD. Inthe rest of this thesis we will only consider the two first situations.

3.3 Protocol CommunicationTo communicate with the IMD it is necessary to know the protocol that is used.This is explained by Marin et al. [23]. For security purposes some details were notmentioned in this work. The information that is available is however enough for ageneral description. It is assumed that an activated IMD is present in this situationso only the long-range channel in the MICS frequency is being used. The signalsthat are transmitted are modulated using Frequency Shift Keying (FSK). Since thesymbol rate being used is not mentioned, we will assume that the symbol rate is15000 symbols/sec. The messages that are being send to the IMD start with a SoFwhich consists of alternating 1s and 0s. A number of information bits are followingthe SoF and a CRC field indicates the end of a message. Figure 3.3 shows themessage format.

Figure 3.3: Device programmer message format

3.4 ConclusionThe shield has a lot of requirements for efficiency. It should consume little energyand be very small while still provide the IMD with the needed security. Findingthe right balance between efficiency and security is the challenge for this part of thecommunication. It is important to detect attackers efficiently over all ten channels.A combination of power measurements and the computation of the cross-correlationwith the SoF offers a good solution for detecting attackers. It is also important toefficiently jam adversarial messages. This is done by using a smart-hybrid jammer

14

3.4. Conclusion

implemented in a reactive way. This provides authenticated access to the IMDwithout modifications to the IMD or the protocol that is currently used.

15

Chapter 4

Threat Model

4.1 IntroductionAdversaries can follow different strategies to compromise or reduce the security ofthe communication between the IMD and the shield. In this chapter we will discussthe different options that an attacker can try out to achieve its goal. Attackers canbe divided in two categories, active and passive adversaries [29]. Passive adversariesonly try to eavesdrop on the communication between the IMD and the shield. Activeadversaries try to interact with the IMD and influence the behaviour of that IMD.Before doing so the capabilities and strengths of an attacker are defined.

4.2 AssumptionsThere are some assumptions on which the attacker model is based. It is realisticto assume that the attacker has no physical access to the devices being used. Thismeans that adversaries cannot tamper with the device programmer, the shield orthe IMD. An attacker could for example not alter the shield sabotaging the jammingsignal with this assumption. It is also assumed that there is no adversary present inan emergency situation when the shield is removed. An adversary can choose to use acommercial programmer or build his own custom hardware [13]. We will assume thatan adversary has a limited transmission power. An attacker that is more powerfulthan the jammer could force messages to the IMD [13]. The power of the jammer islimited by the existing Federal Communications Commission (FCC) regulations [30]so it will not interfere with other devices. Considering the distance, accounted forwith a certain path loss, the power limits for which the shield is effective can befound. Adversaries operating at a higher power can still be detected and give awarning to the user. In this model it is also assumed that the attacker focuses onthe communication between the shield and the IMD because the communicationbetween the shield and the device programmer is assumed to be secure.

16

4.3. Adversary Model

4.3 Adversary ModelAdversaries can have different goals in mind. They are divided in two main categories,the first one being passive adversaries who try to eavesdrop the channel between adevice programmer and the IMD. The other category are active adversaries. In thiscategory the goal of the adversary is to send unauthorised messages to the IMD.

4.3.1 Passive Adversary

The shield does not provide protection for IMDs against passive adversaries. TheMIMO-based attack [32] proved that signals can be recovered even when the shieldis jamming. This is an important limitation of this solution.

4.3.2 Active Adversary

Active adversaries will try to send malicious messages to the IMD. The attacker canreplay, modify or create its own messages to communicate with the IMD. For anattack to be successful the message has to be accepted by the IMD. This meansthat the effect of the jammer needs to create enough bit errors in the demodulatedsignal in order that the message fails the CRC verification. An attacker can alsotry to drain the battery of the shield. When the battery of the shield is depletedthe adversary can communicate at will with the IMD. For this purpose an attackercan continuously send messages in the MICS band containing a SoF to trigger thejammer.

4.4 ConclusionThe shield has its limitations and will only mitigate the flaws of legacy devices. Notbeing able to modify the IMD and the existing regulations of the MICS band are themain factors for the limitations. Perfect confidentiality cannot be achieved with thissetup. However it is designed to protect the IMD against active adversaries withlimited transmitting power and warn the patient if too much power is detected inthis frequency band. The shield is also designed to be resistant against adversarieswho try to deplete the shield’s battery.

17

Chapter 5

Implementation LabView

5.1 IntroductionIn this chapter we discuss the implementation setup, both hardware and software, ofthe different concepts. For the implementation a visual programming language andenvironment called LabView is used. The hardware that is used to model the shieldand attackers are USRPs from National Instruments (NI). The specific model is NIUSRP 2952R and can operate between 400 MHz and 4.4GHz [2], which covers theMICS frequency band. This implementation models the communication between theshield and the IMD. It also shows how the shield interacts with adversaries.

Figure 5.1 shows the model of USRP that is used. The setup of the USRPsthemselves is represented in figure 5.2. All the experiments involving the USRPs aredone on this setup.

Figure 5.1: USRP 2952R

18

5.2. Implementation using USRPs

Figure 5.2: USRPs setup

The goal is to show that it is feasible to detect adversaries who try to send mali-cious messages in real time. Both methods, power measurements and computationof the cross-correlation with the SoF, are used. In addition we also want to showthe effect of the jamming signal on adversaries who try to communicate with theIMD. These problems are investigated on a different number of channels. First theconcepts are analysed on one channel and next multiple channels are considered.

The setup that is being used has however some limitations. The programs made inLabView do not directly run on the USRP’s field-programmable gate array (FPGA).The code runs on a PC that is connected with the USRPs and the speed of thisconnection will be a limiting factor for the implementation. The concepts that cannotbe shown on the USRPs because of this will be shown in simulations. Implementingthe code directly on the FPGA of the USRP would solve the connection problem.We will first discuss the implementation while using the USRPs followed by thesimulations. Some important parts of the code can be found in the appendices.

5.2 Implementation using USRPsWe start the implementation with encoding and decoding messages using the 2-FSK modulation and demodulation. The messages that are used for testing theimplementation contain a SoF and a number of randomly generated information bits.They can be read out and stored in text files. Next the USRPs are added in thedesign. At first the USRPs were connected with cables to guarantee a clean signal.The only noise contribution to this signal is from the USRP itself. Subsequently thecables are replace with antennas which adds the effects of the wireless channel.

After this we start with detecting messages on one channel. Both detection meth-ods are implemented and can be used to start the jammer. The power measurementsimply looks at the power spectrum of the channel and compares the mean valuewith a threshold. The method based on the cross-correlation compares the maximalvalue of the normalised cross-correlation with a threshold. The jamming signal isimplemented as a sinus signal at the same frequency as the FSK deviation to makesure it is as effective as possible [13]. All the power of the jamming signal will beconcentrated on the frequencies used by the FSK modulation.

This is extended to detecting attackers on two channels. To work with theright frequency band we use a combination of filters. A passband filter can selectthe right frequency band and after a lowpass filter of the downsampled signal the

19

5.3. Implementation Simulations

required signal is situated in the baseband. Increasing the number of channels willrequire a higher sampling rate to satisfy the Nyquist criterion. This means thatthe connection between the USRP and the PC will become too slow to handle allthe data in real-time. The concepts that could not be shown because of this areimplemented in the simulations. However, the implementation on the USRP of oneand two channels does show that the implementation is feasible because the samplingrate of the USRPs is high enough to sample the ten channels.

5.3 Implementation SimulationsThe simulations analyse the concepts that could not be implemented with the USRPs.Because the wireless channel is not used this has to be modelled in the simulations.The first test performed as a simulation finds the number of bit errors of the messagein function of the length of the jamming signal. The number of bit errors are foundby aligning the demodulated signal with the original sequence and counting thenumber of inequalities. Next the number of bit errors are calculated in function ofthe attacker’s distance for a certain power. Both detection methods are reused fordetecting adversaries in the simulations. Until now the simulations have consideredone 300kHz channel. This is extended to detecting and jamming on all ten channels.The detection on ten channels uses a combination of the power measurements andthe cross-correlation with the SoF.

5.4 RealisationThe shield described in previous chapters could be implemented in a compact andcheap way. Containing only a few antennas, a display and some computational powerit is realistic to actually build this device. If it was not possible to have a cheaprealisation of the shield, it would be more interesting to look at ways to improve thesecurity by modifying IMDs.

5.5 ConclusionThe implementation focusses on the detection of adversaries in real-time. A com-bination of power measurements and cross-correlation is used to decide when thejammer should be active. An efficient way to jam is to make the signal as short aspossible and invest all the jamming power on the important frequencies. Monitoringand protecting all the ten channels is the goal of this implementation. Because ofthe limitations of the setup some parts are only considered as a simulation withoutusing the USRPs.

20

Chapter 6

Evaluation and Results

6.1 IntroductionIn this chapter we show that the goals of the implementation are feasible. The firstpart discusses the results of the implementation that uses the USRPs. The secondpart discusses the simulations that could not be implemented with the USRPs. Bothparts start with modelling one channel of the MICS band and extend this to a morecomplex model which contains multiple channels. The same methods are used inboth parts but the simulations show results that are not cannot be shown by usingthe USRPs. For adversaries with limited power it is shown that our solution, whichis based on the shield, can protect the IMD against active attacks.

6.2 ResultsImportant parts of the code used for obtaining these results can be found in theappendices. Appendix A contains the code that uses the USRPs for wireless commu-nication. The code that implements the simulations is shown in appendix B. All thefigures used in this chapter are made in LabView.

6.2.1 Results USRP

The setup used in this part is described in the previous chapter. In figure 6.1 anexample message is shown in the time domain. The signal contains a SoF sequence,information bits and a CRC. It is modulated with 2-FSK which can clearly be seenin the frequency domain represented in figure 6.2. The two peaks that can be seencorrespond with the two frequencies used to modulate the signal. Signals like thiscan either represent the messages that the device programmer is transmitting to theIMD or represent messages that an attacker generates to try and communicate withthe IMD.

21

6.2. Results

Figure 6.1: 2-FSK modulated signal (time domain)

Figure 6.2: 2-FSK modulated signal (frequency domain)

First of all the shield needs to be able to detect these messages to know if theIMD is being attacked. The two methods that are implemented to detect messagesare power measurements and the computation of the cross-correlation with a SoFsequence. When using the power measurement the mean value of the power spectrumin one channel is compared with a threshold. If the mean value exceeds the thresholdthe shield knows that a message is being transmitted over this channel. To decideon a good threshold it is important that all messages on the channel are detectedwhile the probability to detect a message when the channel is empty is as low aspossible. To find an ideal value for this threshold the power spectrum’s mean valuesof noise are compared with the mean values of messages. Figure 6.3 shows the resultof the power spectrum’s mean values for both cases. There is a clear separationbetween the values for noise and the ones for messages. The threshold for the powermeasurements that we choose is tp = 1.0 × 10(−10). The noise level is specific forthis environment and could change slightly in different environments with moreinterference from other devices. However when the threshold is not too close to thenoise level this change has no effect on the working of the shield. An attacker couldtry to send his messages below this threshold to avoid detection. This will not be avery realistic strategy because if the power of the message is below this threshold the

22

6.2. Results

IMD will not react on the message. The additional path loss of the signal which goesthrough the body will make the message undetectable. The IMD itself also workswith quantised values, if it would be possible to send messages below the thresholdthis quantisation would introduce bit errors.

Figure 6.3: Mean values of the power measurements

For finding the cross-correlation’s threshold the same principle is used. Whena SoF is detected the values for the cross-correlation should exceed the threshold.Again we want a perfect detection probability while keeping the false alarms as lowas possible. Figure 6.4 shows the values of the cross-correlation between the signalon the channel and the SoF. The message with the SoF is transmitted repeatedlyover the wireless channel and the peaks in the graph show where the SoFs aresituated. When implementing this using the USRPs the sample clock offset shouldbe taken into account. Briggs et al. [6] describe the sample clock offset and howit can be corrected. This effect describes that there can be a mismatch betweenthe sender and the receiver which can result in bad values for the cross-correlation.In this implementation we have not compensated the mismatch which makes itdifficult to find a suitable threshold for this method. Figure 6.5 shows this effect.The same signals are used compared to the previous figure but the result of thecross-correlation shows very low values in which the SoFs’ positions cannot be noticedanymore. Because of this the threshold for this method will be handled in one of thesimulations.

23

6.2. Results

Figure 6.4: Cross-correlation with the SoF

Figure 6.5: Cross-correlation affected by sample clock offset

When it is possible to detect the messages the jamming part is added. Figure6.6 shows the time domain representation of this situation whereas figure 6.7 showsthis in the frequency domain. It is clear from the frequency representation thatall the power of the jamming signal is situated at the frequencies used by the FSKmodulated signal. At first, when the channel is empty, the attacker starts sendingthe message and the shield reacts by sending its jamming signal as fast as possibleafter detection. The jammer keeps jamming from the moment it detects a messageuntil the receiver stops.

24

6.2. Results

Figure 6.6: Representation jamming (time domain)

Figure 6.7: Representation jamming (frequency domain)

After implementing this for one channel, the next step will be to extend this tomultiple channels. Figure 6.8 shows the extension for two channels in the frequencydomain. The same message is send continuously over both channels. Each channel ischecked separately for the SoFs by filtering out the right frequency band and bringingit back to baseband. Both channels are demodulated to check that the message canbe retrieved from either channel. Figure 6.9 shows the cross-correlation between thesignal on the second channel and the SoF. The peaks indicate again the startingpositions of each message.

Extending this to ten channels would be a logical next step but due to thelimitations of the connection to the USRP this has to be implemented as a simulation.The real-time jamming is also limited due to the same reasons. Figure 6.6 shows thatthe jamming signal takes a long time to be activated. The number of samples betweenthe start of the detection and the time needed to transmit the jamming signal islonger than the length of one message. The delay for the jamming is approximately20000 samples. The message consists of 5600 samples so it is clear that this delay istoo large to detect and jam messages in real-time. The shield should jam somewherein these 5600 samples to be effective. However, the implementation does show thatthe concept is feasible if the program can run directly on the FPGA of the USRP.

25

6.2. Results

Figure 6.8: Two adjacent channels (frequency domain)

Figure 6.9: Cross-correlation values of one channel

6.2.2 Results Simulations

The situations that cannot be modelled by using the USRPs can be representedwith simulations. To simulate the setup for this application a model for the wirelesschannel is needed. The Free Space Path Loss (FSPL) model (6.1) can be used tomodel the signal’s transmission over the air [3]. The extra path loss through thebody to get to the IMD will contribute for an additional 40dB [13]. With this modelit is possible to find an expression for the signal-to-noise ratio (SNR) for signals infunction of the distance between the transmitter and the receiver. This allows us todecide how much white noise is added to the signal. The variable d expresses thedistance in meter, f is the frequency in Hz and c is the speed of light. The result ofthe FSPL is expressed in dB.

FSPL[dB] = 10 log10 ((4πdfc

)2) = 20 log10 (d) + 20 log10 (f) − 147.55 (6.1)

26

6.2. Results

The noise level is defined at -100dBm, which is a realistic value to work with.Other known values are described in the FCC rules [30]. The maximal equivalentisotropically radiated power (EIRP) that can be used by devices operating in theMICS band is set to -16dBm, which is equivalent with 25µW. This will be themaximal power at which the jammer can transmit its jamming signal. When ajamming signal is used below, this will always be at the maximal allowed power.The device programmer transmits at -20dBm EIRP which is just below the limitsimposed by the FCC rules for the MICS band. Adversaries with limited transmitpower are considered for the simulations. Power levels up to 0dBm are consideredas the capabilities of an attacker. The power of a signal can be calculated with thefollowing formula (6.2). The signals used are scaled with this information. The peakvalue or amplitude for each signal can be determined which allows the signals tohave the right power compared to each other and compared to the noise level.

Psignal[dBm] = 10 log10 10V 2peak (6.2)

In the simulations we first find the minimal length needed for the jamming signal.The signal has to be as short as possible to save energy but also make sure that themessages send by attackers are not accepted by the IMD. To find the ideal length ofthis jamming signal the number of bit errors occurring for a certain length is plottedwhich is shown in figure 6.10. The number of bit errors is computed for a thousandrandom messages and the mean value of these numbers is plotted as the number ofbit errors for that specific length. As expected the number of errors increases withthe length of the jamming signal. The first part of the graph looks different becausehere the jamming signal only covers part of the fixed SoF. The randomness of themessage has no influence on the number of bit errors in this part. When dividingthe number of errors by the total length of the message the Bit Error Rate (BER) isfound. Gollakota et al. [13] show that the minimal number of bit flips should be fourto be sure the adversarial message will not be accepted by the IMD.

27

6.2. Results

Figure 6.10: Number of bit errors in function of the jamming signal’s length

To be sure that jammed messages cannot be demodulated correctly a mean valueof ten bit errors is chosen. This means a jamming signal around 3ms is enough tosuccessfully protect the IMD against attackers. This part calculates the number ofbit errors at the shield level. The effect of the extra 40dB attenuation due to thebody is not included yet. The number of bit errors at the IMD will be slightly higherthan the ten bit errors achieved at the shield level. The jamming signal, introducingthe bit errors, is also shown in the time domain, see figure 6.11.

Figure 6.11: Simulated representation jamming (time domain)

By using the FSPL model the number of bit errors can now be expressed infunction of the distance between an adversary and the IMD. In figure 6.12 andfigure 6.13 the number of bit errors of two attackers with different powers is shown.The first figure shows a situation without jamming and in the second figure when

28

6.2. Results

the jamming signal is present. It is clear that an adversary with 0dBm EIRP cansuccessfully communicate with the IMD from a much larger distance than regulateddevice programmers (-20dBm). When the jamming is active, the IMD is protectedfrom these adversaries from any distance since there are bit errors on any distancefrom the IMD. The attacker (with 0dBm power) cannot send messages to the IMDthat will be accepted in this setup.

Figure 6.12: Number of bit errors in function of the distance for adversaries withdifferent transmit powers

Figure 6.13: Number of bit errors in function of the distance for adversaries withdifferent transmit powers while jamming

29

6.2. Results

To show that adversaries with unlimited power can still communicate with theIMD despite the jamming, figure 6.14 shows a situation where the adversary cantransmit at 60dBm. This makes it possible to achieve zero bit errors up to 3.5meters from the IMD in the presence of a jamming signal. An attacker can startcommunicating with the IMD in the presence of a jammer when it can transmit witha minimum power of 30dBm. At this power the attacker will have to be extremelyclose to the IMD because only a very short distance is free of bit errors. By increasingthe power of the attacker the distance at which the attacker is able to communicatewith the IMD increases as well. This holds for an ideal theoretical situation where theIMD can receive these signals without clipping the signal or damaging the receiverdue to the high powers used to transmit these signals.

Figure 6.14: Number of bit errors in function of the distance for adversaries with60dBm transmit power while jamming

The adversary detection is still based on the power spectrum and the cross-correlation with the SoF. To find the thresholds for the power detection and the cross-correlation, the worst situation that has to be detected by the shield is considered.In this setup this consists of an adversary with 0dBm EIRP. Figure 6.12 showsthe number of bit errors for different distances for this transmit power without ajamming signal. The adversary can communicate with the IMD up to 9 meters,to make sure the number of bit errors is high enough we take a little margin anddecide that an adversary with this power has to be detected by the shield from 13meters. For this situation the additional 40dB between the shield and the IMD isnot included in the path loss since the shield is an external device, outside the body.The power spectrum’s mean values for noise and messages can again be plotted tofind a suitable value for the threshold. Figure 6.15 shows this and the value that ischosen corresponds with the threshold found by using the USRP. The threshold isagain tp = 1.0 × 10(−11). All messages transmitted at 0dBm and within a range of

30

6.2. Results

13 meters from the shield will be detected by using this threshold.

Figure 6.15: Power spectrum of noise and random messages

The threshold of the cross-correlation can also be found in the simulation. Theeffect of the sample clock offset has no influence on the result when the USRP isnot used. The cross-correlation between a signal containing the SoF and the SoF isshown in figure 6.16. The value for the cross-correlation will be between zero andone. One being the value at the position where the SoFs perfectly overlap with eachother. Checking each threshold for a lot of messages allows us to make a plot thatshows how well each threshold does. The messages are again send at 0dBm at adistance of 13 meter. Figure 6.17 shows the number of messages that are detectedfor each threshold. It also shows the same graph for messages that do not containa SoF. The probability to detect messages that contain a SoF should be as highas possible while it should not detect messages that do not contain the SoF. Thefigure clearly shows an interval of thresholds where all messages containing a SoFare detected and no false messages are detected. The threshold should be chosen inthis interval. A suitable choice which detects all messages is tc = 0.65.

31

6.2. Results

Figure 6.16: Cross-correlation with SoF

Figure 6.17: The detection probability and false alarm rate for a thousand randommessages

The last step of this implementation is combining all ten channels. The totalbandwidth used is now 3MHz and the sample rate should be chosen high enough tosupport this bandwidth. A sample rate of at least 6MHz is needed in this situation tobe able to recover all messages without aliasing. The adversary can now choose thechannel or channels that are being used to transmit messages to the IMD. In figure6.18 the seventh channel of the MICS band is being used (403.8MHz-404.1MHz).The frequencies on the graphs do not consider the carrier frequency which meansthat the first channel is around 0Hz and so on. Figure 6.19 shows the frequencyrepresentation of the seventh channel alone and figure 6.20 shows that the jamming

32

6.2. Results

signal has been added in the time domain. Observing the ten channels requires fivetimes more computations than observing only two. This makes it important to makethe detection as efficient as possible. If only one method to detect the messages wasimplemented the design would be less efficient.

Figure 6.18: Signal in the seventh channel of the MICS band (frequency domain)

Figure 6.19: Seventh channel of the MICS band (frequency domain)

33

6.3. Conclusion

Figure 6.20: Signal and jamming signal(time domain)

6.3 ConclusionWe looked at the results of the implementation with USRPs and the results ofthe simulations since not all situations could be shown with the USRPs. Theimplementation starts with defining the concepts for one channel and subsequentlyadding multiple channels. The results show that the implementation with the USRPsis feasible if the programs would run directly on the FPGA of the USRP.

In the simulations the FSPL model is used which allows us to model a realisticenvironment. We show how the different thresholds are found for detecting adversaries,how the ideal length for the jamming signal is decided and the effect of attackerstransmitting at different powers. The results show that this solution can protectIMDs against the adversaries that are considered.

34

Chapter 7

Conclusion

In this thesis the security of IMDs protected by a shield is analysed. The goal is toshow that adversaries can be detected in realtime and that the shield can jam itsmessages efficiently.

The thesis starts with an overview of the state of the art. It is clear that a lot ofsolutions proposed in the literature require some modifications to the IMD. Thesesolutions are not capable to protect legacy devices. This thesis considers the shieldto mitigate the existing problems of legacy devices. The capabilities of the shieldare limited by the requirement that the IMDs can not be modified. This is why thisapproach only mitigates the problems and does not provide a perfect solution.

In chapter 2 and 3 the protocols to communicate with the shield are described.The pairing protocol between the device programmer and the shield will use an OOBchannel to authenticate the public keys. When this is done a public key based estab-lishment protocol can set up a secret key that will be used for symmetric encryption.The important properties of this encrypted channel are mutual authentication andintegrity. The protocol between the shield and the IMD describes how all the tenchannels are monitored and how the jammer should react in different situations.

Chapter 4 describes the attacker that is considered. The main goal for the shieldis to defend against active adversaries with limited power and deny attackers theability to effectively drain the battery.

In chapter 5 and 6 the implementation and the results are represented. Theimplementation is divided in two parts. The first part shows that the design isfeasible by using USRPs to represent the different devices in the setup. This partshow how power measurements and cross-correlation can be used to detect maliciousmessages and the effect of jamming. The second part handles the simulations. Thesimulations analyse the situations that could not be handled fast enough with theUSRP setup. The FSPL model is used to model the environment. This makes itpossible to find the ideal jamming length, the ideal thresholds that need to be usedfor the detection and represent the effects of the jammer for different adversaries.

The results show that it is feasible to detect adversaries in real-time. The efficiencyof the jammer follows from only jamming when a SoF is detected and keeping thejamming signal as short as possible while making sure to deny the attacker access

35

to the IMD. This means that the shield can protect IMDs against the adversariesdescribed in chapter 4.

Future work for protecting legacy devices can include a real-time implementationon the USRPs of the situations considered in the simulations. This can be extendedto actually building a prototype of the shield. The general design of the shield allowsfor a cheap realisation so this would be realistic.

Another extension to the shield could be investigating the possibility to let theshield communicate with other devices like smart phones. This would allow thepatient to have more control over the IMD. Deciding what the capabilities are ofeach device that is able to communicate with the shield would also be necessary inthis situation. The smart phone could for example only be able to read data fromthe IMD while it would be unable to change the IMD’s settings.

36

Appendices

37

Appendix A

LabView files

This appendix contains all the relevant LabView files. The files that are used for theUSRP part are given in the first section and the files for the simulations

Documents

Medical Proxies: Protecting medical implants...Medical Proxies: Protecting medical implants Dimitri de Malaise Thesis submitted for the degree of Master of Science in Electrical Engineering,