This document discusses security vulnerabilities in implantable medical devices like pacemakers and defibrillators. Researchers were able to reverse engineer the communication protocols and perform attacks like changing settings and inducing fibrillation using inexpensive software-defined radios. To prevent such attacks, the researchers proposed zero-power defenses that do not rely on the device's battery, including using harvested RF energy to power notifications via sound or authenticate requests cryptographically. Evaluation showed these defenses could work using existing hardware without harming patients. Future work is needed to ensure security even with emergency access or advanced networked devices.

1. Pacemakers and Implantable
Cardiac Defibrillators:
Software Radio Attacks and
Zero-Power Defenses
CSE 727 - Spring 2014
Seminar in Wireless Network Security
Principles and Practices
Professor Shambhu Upadhyaya
Meenakshi Muthuraman & Bich Vu

2. ● D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S.
Clark, B. Defend, W. Morgan, K. Fu, T. Kohmo, and W.
H. Maisel. “Pacemakers and Implantable Cardiac
Defibrillators: Software Radio Attacks and Zero-Power
Defenses” in IEEE Symposium on Security and
Privacy, Oakland, CA, 2008, pp. 129-142.

3. Agenda
● Introduction to implantable medical devices
● Security attacks
● Security mechanisms

4. Implantable Medical Devices (IMD)
Pacemakers
● Medical device used to restore heartbeat to
normal (uses electrodes)
● About the size of a small coin
● Placed under the skin - near the heart
● Between 1992 and 2006 2.6 Million pacemakers
and ICDs were implanted in patients in the US

5. Implantable Medical Devices (IMD)
Neurostimulators
● Delivers electric signals to the epidural space
near the spine
● About the size of a stop watch
● Reduces chronic pain
● Sends electronic signals to the brain faster
than the pain signal

6. ● Introduced in 2003
● Uses electric pulses or shocks to restore
heart beat
● Especially used during a cardiac arrest
● Typically include wires that pass through
a vein to the right chamber of the heart
● Communicates with external
programmer at 175 kHz frequency
Implantable Cardioverter Defibrillator (ICD)
Implantable Medical Devices (IMD)

7. ICD
Post Surgery medical
practitioner can use external
programmer for :
● Perform diagnostics
● Read/Write private data
● Adjust therapy settings

8. Magnetic Switch
● Located within the ICD
● Used to send telemetry data and electrocardiogram
readings
Wireless Communications
● 175 kHz for short range communications
● 402 - 405 MHz (Medical Implant Communications
Band) for long range communications

9. Motivation
● ICD discloses sensitive information in clear
● Reprogramming attacks (attacks that change the
operation of the device) have been conducted
● Denial of service attacks have been performed
● Attacks can be performed within the range of a few
centimeters using a specially configured radio device

11. Proposed Defence
● 3 different deterrence and prevention mechanisms
● Zero-power Defenses - draw no power from the
primary battery
● Zero-power Notification
● Zero-power Authentication
● Sensible Security

12. Wireless Identification and Sensing Platform
(WISP)
● WISP is a family of sensors that are powered and read
by UHF RFID readers
● They do not require batteries
● They harvest their power from RF signal generated by
the reader
● It is open source

13. Security Model
Possible types of attacks :
1. An adversary with an commercial ICD programmer
2. Passive Attacks
3. Active Attacks

14. Tools used to reverse-engineer attacks
● Commercial ICD programmer
● Software radio (Universal Software Radio Peripheral -
USRP)
● Oscilloscope
● Device Used for study
➢ Medtronic Maximo DR VVE-DDDR model #7278
ICD
● Threats
➢ Vital information life patient details and vital signals
of the patient are transmitted in clear

16. Reverse Engineering Transmissions
● ICD and the programmer use the same encoding
scheme but different modulation schemes
● Programmer uses binary frequency shift keying (2-FSK)
for modulation
● ICD uses differential binary phase shift keying (DBPSK)
for modulation
● Encoded using Non-Return-to-Zero Inverted (NRZI)
with bit stuffing

17. Conversation between ICD and programmer

18. Attacks Performed
Replay attacks
● ICD Identification
● Disclosing patient data
● Disclosing cardiac data (32 packets/second)
● Changing the patient's name (10 attempts)
● Setting ICD’s clock (10 attempts)
● Changing therapies (24 attempts)
● Denial of service (esp. with respect to power
consumption)
● Inducing Fibrillation (electro psychological test)

19. Test mode
● Safety mechanisms are enforced in the ICD
programmers software so that the physician can not
accidently active test mode
● But can be induced using USRP systems
● Solution Proposed : “we argue that if any
IMD exhibits a test procedure T for some property P, and
if there are no medical reasons for conducting
procedure T other than testing property P , then it
should be impossible to trigger T unless P is enabled.”

20. Zero Power Notification
● Cryptographic keys - hinders emergency response
● Must not consume a lot of energy
● Harvests power from RF energy
● Uses Piezo-elements to alert user
● Uses Wireless Identification and Sensing Platform
(WISP) that contains a RFID circuitry and a
microcontroller with 256 Bytes RAM and 8KB memory

21. Evaluation
● Standard - Sound Pressure Level
● Buzzing peaks at 67 dB SPL at
1m
● Simulation : Device implanted
beneath 1cm of Bacon and 4 cm
of 85% lean ground beef
● Measured 84 dB SPL at a
distance of 1m

22. Evaluation

23. Zero Power Authentication
● Harvests RF energy to power
a cryptographic protocol that
authenticates requests from
external device programmer
● Challenge response protocol
based on RC5-32/12/16
● Master Key - Km
● IMD identity I
● IMD specific key K = (Km
,I)

24. Zero Power Sensible Key Exchange
● Complements above 2 defence techniques
● Primary goal is to allow the user to know that a key exchange
is happening
● Programmer initiates the protocol by supplying unmodulated
RF signal
● IMD generates a random no to be used as session key and
modulates it as sound wave
● The sound wave can only be read and demodulated by a
reader with a microphone situated close to the patients body
● Can latter be used for long range communication

25. Future Work
● Access for previously unauthorized users during
emergency situations
● Next generation IMDs with more networking abilities
should not rely solely on external mechanisms for security.
● Device manufacturers must not view external devices like
external programmers as trusted computing base for
IMDs
● Ensure that all devices used do not harm the human body

26. References
● D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B.
Defend, W. Morgan, K. Fu, T. Kohmo, and W. H. Maisel.
“Pacemakers and Implantable Cardiac Defibrillators: Software
Radio Attacks and Zero-Power Defenses” in IEEE Symposium on
Security and Privacy, Oakland, CA, 2008, pp. 129-142.
● D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H.
Maisel. “Security and privacy for implantable medical devices. IEEE
Pervasive Computing, Special Issue on Implantable Electronics,
January 2008.”
● WISP - http://sensor.cs.washington.edu/WISP.html