Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses Authors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel Presenter: Raghu Rangan

Implantable Medical Device Can control heart rate, deliver medication, etc. Sophisticated devices with radios But are they secure? What Are IMDs?

Implantable Cardiac Devices Radio-enabled, wirelessly programmable Pacemaking, defibrillation (steady shocks vs. single large shock) Communicates with a device programmer ICDs

Commercial ICD programmer Passive RF listener Active RF attacker Adversaries

Most research has focused on preventing unintentional failures RC5 on WISP Work using software radios to receive transmissions from commercial wireless protocols Related Work

Device programmers can be used directly Programmers can read all ICD information, change all settings No technological controls to ensure authorized use Insider Attack

Black box: watch communication between ICD and programmer Done using inexpensive components:  Oscilloscope  Universal Software Radio Peripheral  Software: GNU Radio, Perl, Matlab Cost: less than $1000 Reverse Engineering

Patient data transmitted cleartext Challenge: modulation, encoding  Not so difficult, standard schemes are used. Name, birth date, ID number, patient history, diagnosis, treating physician... Passive Monitoring

In order to eavesdrop, need to establish timeline for bidirectional comms between ICD and programmer Do not need to decipher transmissions, can infer meanings and some content Transaction Timeline

Eavesdropping Setup

Replay attacks–attacker needs little knowledge Trigger information disclosure Change patient name, ICD clock Change therapies  Can disable functions  Quitely change device state Induce fibrillation  Patient safety at risk Active Attack: Replay

Presence of strong magnet makes ICD transmit telemetry data Can also be triggered without magnet Radio use might run out battery faster DoS could be quite dangerous–replacing the battery requires surgery Active Attack: Denial of Service

Prevent attacks from insiders and outsiders Draw no power from primary battery Security events should be detectable by patient Defense Goals

Use RFID tag (WISPer) to guard ICD communication WISPer harvests power from reader, can perform computations Three applications:  Notification  Authentication  Sensible key exchange Zero Power Defense

When WISPer is activated, beep via piezoelectric speaker After beep, notify ICD it can start using radio Patient aware when ICD is being programmed Can be deterrent for attacker Notification

Challenge/response protocol using RC5 Only if authentication is successful will ICD be told to activate No power is used until authentication succeeds. Authentication

Use audio as a channel for crypto key exchange Modulate sound wave using same scheme as radio Audible to patient, hard to hear at a distance Also uses no power Key Exchange

Still many open problems: key management, failure modes Security problems can have life-threatening consequences IMDs should be treated as what they are computers Conclusion and Future Work

Questions/Comments/Discussion