Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and

Zero-Power DefensesAuthors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel

Presenter: Raghu Rangan

• Implantable Medical Device

• Can control heart rate, deliver medication, etc.

• Sophisticated devices with radios

• But are they secure?

What Are IMDs?

• Implantable Cardiac Devices

• Radio-enabled, wirelessly programmable

• Pacemaking, defibrillation (steady shocks vs. single large shock)

• Communicates with a device programmer

ICDs

• Commercial ICD programmer

• Passive RF listener

• Active RF attacker

Adversaries

• Most research has focused on preventing unintentional failures

• RC5 on WISP• Work using software radios to

receive transmissions from commercial wireless protocols

Related Work

• Device programmers can be used directly

• Programmers can read all ICD information, change all settings

• No technological controls to ensure authorized use

Insider Attack

• Black box: watch communication between ICD and programmer

• Done using inexpensive components: Oscilloscope Universal Software Radio

Peripheral Software: GNU Radio,

Perl, Matlab

• Cost: less than $1000

Reverse Engineering

• Patient data transmitted cleartext

• Challenge: modulation, encoding Not so difficult, standard schemes are used.

• Name, birth date, ID number, patient history, diagnosis, treating physician ...

Passive Monitoring

• In order to eavesdrop, need to establish timeline for bidirectional comms between ICD and programmer

• Do not need to decipher transmissions, can infer meanings and some content

Transaction Timeline

Eavesdropping Setup

• Replay attacks–attacker needs little knowledge

• Trigger information disclosure

• Change patient name, ICD clock

• Change therapies Can disable functions Quitely change device state

• Induce fibrillation Patient safety at risk

Active Attack: Replay

• Presence of strong magnet makes ICD transmit telemetry data

• Can also be triggered without magnet

• Radio use might run out battery faster

• DoS could be quite dangerous–replacing the battery requires surgery

Active Attack: Denial of Service

• Prevent attacks from insiders and outsiders

• Draw no power from primary battery

• Security events should be detectable by patient

Defense Goals

• Use RFID tag (WISPer) to guard ICD communication

• WISPer harvests power from reader, can perform computations

• Three applications: Notification Authentication Sensible key exchange

Zero Power Defense

Zero Power Defense

• When WISPer is activated, beep via piezoelectric speaker

• After beep, notify ICD it can start using radio

• Patient aware when ICD is being programmed

• Can be deterrent for attacker

Notification

• Challenge/response protocol using RC5

• Only if authentication is successful will ICD be told to activate

• No power is used until authentication succeeds.

Authentication

• Use audio as a channel for crypto key exchange

• Modulate sound wave using same scheme as radio

• Audible to patient, hard to hear at a distance

• Also uses no power

Key Exchange

• Still many open problems: key management, failure modes

• Security problems can have life-threatening consequences

• IMDs should be treated as what they are computers

Conclusion and Future Work

Questions/Comments/Discussion