1. Pacemakers and Implantable
Cardiac Defibrillators:
Software Radio Attacks and
Zero-Power Defenses
CSE 727 - Spring 2014
Seminar in Wireless Network Security
Principles and Practices
Professor Shambhu Upadhyaya
Meenakshi Muthuraman & Bich Vu
2. ● D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S.
Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W.
H. Maisel. “Pacemakers and Implantable Cardiac
Defibrillators: Software Radio Attacks and Zero-Power
Defenses” in IEEE Symposium on Security and
Privacy, Oakland, CA, 2008, pp. 129-142.
4. Implantable Medical Devices (IMD)
Pacemakers
● Medical device used to restore heartbeat to
normal (uses electrodes)
● About the size of a small coin
● Placed under the skin - near the heart
● Between 1992 and 2006, 2.6 million pacemakers
and ICDs were implanted in patients in the US
5. Implantable Medical Devices (IMD)
Neurostimulators
● Delivers electric signals to the epidural space
near the spine
● About the size of a stop watch
● Reduces chronic pain
● Sends electronic signals to the brain faster
than the pain signal
6. Implantable Medical Devices (IMD)
Implantable Cardioverter Defibrillator (ICD)
● Introduced in 2003
● Uses electric pulses or shocks to restore
heart beat
● Especially used during a cardiac arrest
● Typically include wires that pass through
a vein to the right chamber of the heart
● Communicates with external
programmer at 175 kHz frequency
8. Magnetic Switch
● Located within the ICD
● Used to send telemetry data and electrocardiogram
readings
Wireless Communications
● 175 kHz for short range communications
● 402 - 405 MHz (Medical Implant Communications
Band) for long range communications
9. Motivation
● ICD discloses sensitive information in clear
● Reprogramming attacks (attacks that change the
operation of the device) have been conducted
● Denial of service attacks have been performed
● Attacks can be performed within the range of a few
centimeters using a specially configured radio device
11. Proposed Defence
● 3 different deterrence and prevention mechanisms
● Zero-power Defenses - draw no power from the
primary battery
● Zero-power Notification
● Zero-power Authentication
● Sensible Security
12. Wireless Identification and Sensing Platform
(WISP)
● WISP is a family of sensors that are powered and read
by UHF RFID readers
● They do not require batteries
● They harvest their power from RF signal generated by
the reader
● It is open source
13. Security Model
Possible types of attacks :
1. An adversary with a commercial ICD programmer
2. Passive Attacks
3. Active Attacks
14. Tools used to reverse-engineer attacks
● Commercial ICD programmer
● Software radio (Universal Software Radio Peripheral -
USRP)
● Oscilloscope
● Device Used for study
➢ Medtronic Maximo DR VVE-DDDR model #7278
ICD
● Threats
➢ Vital information like patient details and vital signals
of the patient are transmitted in clear
16. Reverse Engineering Transmissions
● ICD and the programmer use the same encoding
scheme but different modulation schemes
● Programmer uses binary frequency shift keying (2-FSK)
for modulation
● ICD uses differential binary phase shift keying (DBPSK)
for modulation
● Encoded using Non-Return-to-Zero Inverted (NRZI)
with bit stuffing
18. Attacks Performed
Replay attacks
● ICD Identification
● Disclosing patient data
● Disclosing cardiac data (32 packets/second)
● Changing the patient's name (10 attempts)
● Setting ICD’s clock (10 attempts)
● Changing therapies (24 attempts)
● Denial of service (esp. with respect to power
consumption)
● Inducing Fibrillation (electrophysiological test)
19. Test mode
● Safety mechanisms are enforced in the ICD
programmer's software so that the physician cannot
accidentally activate test mode
● But test mode can be induced using USRP systems
● Solution Proposed: “we argue that if any
IMD exhibits a test procedure T for some property P, and
if there are no medical reasons for conducting
procedure T other than testing property P, then it
should be impossible to trigger T unless P is enabled.”
20. Zero Power Notification
● Cryptographic keys - hinders emergency response
● Must not consume a lot of energy
● Harvests power from RF energy
● Uses Piezo-elements to alert user
● Uses Wireless Identification and Sensing Platform
(WISP) that contains a RFID circuitry and a
microcontroller with 256 Bytes RAM and 8KB memory
21. Evaluation
● Standard - Sound Pressure Level
● Buzzing peaks at 67 dB SPL at
1m
● Simulation: Device implanted
beneath 1 cm of bacon and 4 cm
of 85% lean ground beef
● Measured 84 dB SPL at a
distance of 1m
23. Zero Power Authentication
● Harvests RF energy to power
a cryptographic protocol that
authenticates requests from
external device programmer
● Challenge response protocol
based on RC5-32/12/16
● Master Key - Km
● IMD identity I
● IMD specific key K = (Km, I)
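The challenge-response on this slide, sketched as an added example (not code from the slides or from the paper): the IMD stores only its own key K, the programmer recomputes K from Km and I, and a response is valid for one nonce only. The nonce-based message flow, the HMAC-SHA256 derivation of K, and the names `Imd`, `derive_key` and `programmer_response` are assumptions made for illustration.

```python
import hashlib, hmac, os, struct
W, R, MASK = 32, 12, 0xFFFFFFFF          # RC5-32/12/16: 32-bit words, 12 rounds

def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK

def rc5_expand(key):                      # 16-byte key -> 26 subkeys
    L = list(struct.unpack("<4I", key))
    S = [(0xB7E15163 + i * 0x9E3779B9) & MASK for i in range(2 * R + 2)]
    A = B = i = j = 0
    for _ in range(3 * len(S)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % len(S), (j + 1) % len(L)
    return S

def rc5_encrypt(S, block):                # one 8-byte block
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for i in range(1, R + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return struct.pack("<2I", A, B)

def derive_key(km, identity):
    # Assumption: HMAC-SHA256 truncated to 16 bytes derives K from (Km, I).
    return hmac.new(km, identity, hashlib.sha256).digest()[:16]

class Imd:                                # holds only its own K, never Km
    def __init__(self, identity, k):
        self.identity, self.subkeys, self.nonce = identity, rc5_expand(k), None
    def challenge(self):                  # fresh nonce per request
        self.nonce = os.urandom(8)
        return self.identity, self.nonce
    def verify(self, response):           # nonce is single-use: replay fails
        nonce, self.nonce = self.nonce, None
        return nonce is not None and hmac.compare_digest(
            rc5_encrypt(self.subkeys, nonce), response)

def programmer_response(km, identity, nonce):
    return rc5_encrypt(rc5_expand(derive_key(km, identity)), nonce)

def demo():                               # constructed Km and identity
    km, ident = bytes(range(16)), b"IMD-0001"
    imd = Imd(ident, derive_key(km, ident))
    r = programmer_response(km, *imd.challenge())
    ok, replay = imd.verify(r), imd.verify(r)
    wrong = imd.verify(programmer_response(bytes(16), *imd.challenge()))
    return ok, replay, wrong
```

`demo()` returns whether a genuine programmer is accepted, whether the same response replayed is accepted, and whether a programmer holding the wrong master key is accepted.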
24. Zero Power Sensible Key Exchange
● Complements above 2 defence techniques
● Primary goal is to allow the user to know that a key exchange
is happening
● Programmer initiates the protocol by supplying unmodulated
RF signal
● IMD generates a random number to be used as session key and
modulates it as sound wave
● The sound wave can only be read and demodulated by a
reader with a microphone situated close to the patient's body
● Can later be used for long range communication
25. Future Work
● Access for previously unauthorized users during
emergency situations
● Next generation IMDs with more networking abilities
should not rely solely on external mechanisms for security.
● Device manufacturers must not view external devices like
external programmers as trusted computing base for
IMDs
● Ensure that all devices used do not harm the human body
26. References
● D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B.
Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel.
“Pacemakers and Implantable Cardiac Defibrillators: Software
Radio Attacks and Zero-Power Defenses” in IEEE Symposium on
Security and Privacy, Oakland, CA, 2008, pp. 129-142.
● D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H.
Maisel. “Security and privacy for implantable medical devices.” IEEE
Pervasive Computing, Special Issue on Implantable Electronics,
January 2008.
● WISP - http://sensor.cs.washington.edu/WISP.html