Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
Authors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel
Presenter: Raghu Rangan

What Are IMDs?
- Implantable Medical Device
- Can control heart rate, deliver medication, etc.
- Sophisticated devices with radios
- But are they secure?

ICDs
- Implantable Cardiac Devices
- Radio-enabled, wirelessly programmable
- Pacemaking, defibrillation (steady shocks vs. single large shock)
- Communicates with a device programmer

Adversaries
- Commercial ICD programmer
- Passive RF listener
- Active RF attacker

Related Work
- Most research has focused on preventing unintentional failures
- RC5 on WISP
- Work using software radios to receive transmissions from commercial wireless protocols

Insider Attack
- Device programmers can be used directly
- Programmers can read all ICD information, change all settings
- No technological controls to ensure authorized use

Reverse Engineering
- Black box: watch communication between ICD and programmer
- Done using inexpensive components:
  - Oscilloscope
  - Universal Software Radio Peripheral
  - Software: GNU Radio, Perl, Matlab
- Cost: less than $1000

Passive Monitoring
- Patient data transmitted cleartext
- Challenge: modulation, encoding
- Not so difficult, standard schemes are used.
- Name, birth date, ID number, patient history, diagnosis, treating physician...

Transaction Timeline
- In order to eavesdrop, need to establish timeline for bidirectional comms between ICD and programmer
- Do not need to decipher transmissions, can infer meanings and some content

Eavesdropping Setup

Active Attack: Replay
- Replay attacks: attacker needs little knowledge
- Trigger information disclosure
- Change patient name, ICD clock
- Change therapies
- Can disable functions
- Quietly change device state
- Induce fibrillation
- Patient safety at risk

Active Attack: Denial of Service
- Presence of strong magnet makes ICD transmit telemetry data
- Can also be triggered without magnet
- Radio use might drain the battery faster
- DoS could be quite dangerous: replacing the battery requires surgery

Defense Goals
- Prevent attacks from insiders and outsiders
- Draw no power from primary battery
- Security events should be detectable by patient

Zero Power Defense
- Use RFID tag (WISPer) to guard ICD communication
- WISPer harvests power from reader, can perform computations
- Three applications:
  - Notification
  - Authentication
  - Sensible key exchange

Notification
- When WISPer is activated, beep via piezoelectric speaker
- After beep, notify ICD it can start using radio
- Patient aware when ICD is being programmed
- Can be deterrent for attacker

Authentication
- Challenge/response protocol using RC5
- Only if authentication is successful will ICD be told to activate
- No power is used until authentication succeeds.

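The challenge/response idea from the Authentication slide, and why it blocks the replay attack from the earlier slide, as an added C sketch (not code from the paper or the WISPer firmware). Assumptions: RC5-32/12/16 parameters, a pre-shared 16-byte key, caller-supplied 64-bit nonces, and the hypothetical `tag_t` state and function names.

```c
#include <stdint.h>
#include <stdio.h>
#define ROUNDS 12
#define T (2 * (ROUNDS + 1))   /* words in the expanded key table S */
static uint32_t rotl(uint32_t x, uint32_t n) { n &= 31; return (x << n) | (x >> ((32 - n) & 31)); }
/* RC5-32/12/16: encrypt one 64-bit block (A = high word, B = low word). */
uint64_t rc5_encrypt(const uint8_t key[16], uint64_t block) {
    uint32_t S[T], L[4] = {0}, A = 0, B = 0;
    int i, j, k;
    for (i = 15; i >= 0; i--) L[i / 4] = (L[i / 4] << 8) + key[i];
    S[0] = 0xB7E15163u;
    for (i = 1; i < T; i++) S[i] = S[i - 1] + 0x9E3779B9u;
    for (i = j = k = 0; k < 3 * T; k++, i = (i + 1) % T, j = (j + 1) % 4) {
        A = S[i] = rotl(S[i] + A + B, 3);
        B = L[j] = rotl(L[j] + A + B, A + B);
    }
    A = (uint32_t)(block >> 32) + S[0];
    B = (uint32_t)block + S[1];
    for (i = 1; i <= ROUNDS; i++) {
        A = rotl(A ^ B, B) + S[2 * i];
        B = rotl(B ^ A, A) + S[2 * i + 1];
    }
    return ((uint64_t)A << 32) | B;
}

/* Tag-side state (hypothetical layout): one outstanding, single-use challenge. */
typedef struct { const uint8_t *key; uint64_t nonce; int pending; } tag_t;
uint64_t tag_challenge(tag_t *t, uint64_t fresh) { t->nonce = fresh; t->pending = 1; return fresh; }
int tag_verify(tag_t *t, uint64_t response) {
    int ok = t->pending && rc5_encrypt(t->key, t->nonce) == response;
    t->pending = 0;   /* the challenge is consumed, pass or fail */
    return ok;        /* 1 = tag may tell the ICD to wake its radio */
}

static const uint8_t KEY[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; /* constructed key */
/* Eavesdropper records the response from session 1 and replays it in session 2. */
int replay_accepted(uint64_t nonce1, uint64_t nonce2) {
    tag_t tag = { KEY, 0, 0 };
    uint64_t captured = rc5_encrypt(KEY, tag_challenge(&tag, nonce1));
    if (!tag_verify(&tag, captured)) return -1;   /* the honest session must pass */
    tag_challenge(&tag, nonce2);
    return tag_verify(&tag, captured);            /* old answer against new challenge */
}

int main(void) {
    printf("fresh nonce:  replay accepted = %d\n", replay_accepted(0x1111, 0x2222));
    printf("reused nonce: replay accepted = %d\n", replay_accepted(0x1111, 0x1111));
    return 0;
}
```

The second call shows the failure mode: if the tag ever repeats a nonce, a recorded response is accepted, so the nonce source matters as much as the cipher.
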
Key Exchange
- Use audio as a channel for crypto key exchange
- Modulate sound wave using same scheme as radio
- Audible to patient, hard to hear at a distance
- Also uses no power

Conclusion and Future Work
- Still many open problems: key management, failure modes
- Security problems can have life-threatening consequences
- IMDs should be treated as what they are: computers

Questions/Comments/Discussion