Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
Zac Chupka, Jeff Signore
Disclosure
- The researchers omit details that would act as a guide for someone to attack an implantable medical device
- Focuses more on the security and privacy vulnerabilities in implantable medical devices
Overview
- Technology
- Vulnerabilities
- Techniques
- Experiment
- Prevention
- Conclusions
Implantable Medical Devices (IMDs)
- Wireless reprogrammable medical devices that are implanted in a patient’s body
  - Implantable Cardioverter Defibrillators (ICDs)
  - Pacemakers
  - Neurostimulators
  - Drug pumps
- Between : 2.6 million IMDs implanted in US patients
ICDs
- Monitor and respond to heart activity
- Include modes for pacing and defibrillation
- Implanted in the chest with leads that connect to the chambers of the heart
- Practitioner can interact with the ICD post-surgery using an external commercial device programmer
  - Perform diagnostics
  - Read and write private data
  - Adjust therapy settings
ICDs
- Self-contained with respect to power and connectivity
- Non-rechargeable internal batteries
- No physical external connections
- Designed to last for many years
Other Equipment Used
- Oscilloscope
  - Tests functionality of equipment that generates an electrical signal
  - Measures the changing voltage of a signal and displays it as a waveform on a graph
- Antennas
- Universal Software Radio Peripheral (USRP)
  - Device that interacts with the open source GNU Radio libraries
Vulnerabilities
- Addressing the security and privacy issues in the communication between the ICD and the external ICD programmer used by practitioners
- Attacks classified into three adversary classes
  - Commercial ICD programmer
  - Passive adversary
  - Active adversary
Adversaries
- Commercial ICD programmer
  - No mechanisms in place to determine if the external programmer is being used by authorized personnel
- Passive adversary
  - Eavesdrop on communications
  - Record radiofrequency messages output by devices
- Active adversary
  - Generates arbitrary radiofrequency traffic
Reverse Engineering Transmissions
- Captured RF transmissions using the oscilloscope and USRP at 175 kHz
- Processed these signals using Matlab to determine the type of data it was transmitting
Reverse Engineering Transmissions
- Intercepting Programmer
  - Directly connect to the device to carry raw bits from the programmer to processing equipment
- Intercepting ICD
  - Made dummy patient name
  - Analyzed the phase shift of the RF signal to determine the modulation scheme
Eavesdropping
- Used the USRP with GNU Radio to eavesdrop on the transmission data
- Set up an eavesdropping timeline to determine where and when to listen in on bidirectional conversations between devices
Passive Attacks (Eavesdropping)
- Replay attacks used to obtain information:
  - First, auto-identification command used to retrieve limited device information
  - Once identified, additional personal information is requested using interrogation command
  - Cardiac data also obtained under certain conditions, such as with a strong magnet
Active Attacks (Changing Information)
- Replay attacks used with GNU Radio to modify ICD information:
  - Change patient name
  - Change ICD clock - date and/or time
  - Change therapies - programmed responses to cardiac events
Active Attacks (Other Attacks)
- Induce fibrillation
  - Apply a ~1 Joule command shock to the patient’s heart at a precise point in the patient’s cardiac rhythm
- Unconfirmed attacks
  - Power denial of service
  - Insecure software updates
  - Buffer overflow vulnerabilities
Notification for Patients: WISPer
- Wireless Identification and Sensing Platform: tiny embedded system with RFID circuitry and microcontroller
- After WISPer receives wireless requests, it chirps
- Tested with and without bacon
Authentication
- Challenge-response type authentication
- Programmers know master key
- IMD knows identity
- Both have to calculate an IMD-specific key based on the master key and identity, and the results must match for authentication to occur
- Master key not suitable for large-scale deployment: too risky
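The challenge-response scheme outlined above, as an added example that is not from the slides or the underlying research. It assumes HMAC-SHA256 for both the key derivation and the response, a 16-byte random challenge, and a constructed identity `IMD-0001`; the slides do not name the functions used.

```python
import hashlib
import hmac
import secrets


def derive_imd_key(master_key: bytes, identity: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as the derivation function (not named on the slide).
    return hmac.new(master_key, b"imd-key|" + identity, hashlib.sha256).digest()


class Imd:
    """Implant side: holds only its identity and its own derived key."""

    def __init__(self, identity: bytes, imd_key: bytes):
        self.identity, self._key, self._nonce = identity, imd_key, None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)  # fresh random challenge per session
        return self.identity, self._nonce

    def verify(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # each challenge is single-use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class Programmer:
    """Programmer side: holds the master key, derives per-IMD keys on demand."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def respond(self, identity: bytes, nonce: bytes) -> bytes:
        key = derive_imd_key(self._master, identity)
        return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    master, identity = secrets.token_bytes(32), b"IMD-0001"  # constructed values
    imd, prog = Imd(identity, derive_imd_key(master, identity)), Programmer(master)
    recorded = prog.respond(*imd.challenge())
    accepted = imd.verify(recorded)   # genuine programmer, fresh challenge
    imd.challenge()
    replayed = imd.verify(recorded)   # recorded response against a new challenge
    other = Programmer(secrets.token_bytes(32))
    no_master = imd.verify(other.respond(*imd.challenge()))  # wrong master key
    return accepted, replayed, no_master
```

`demo()` returns `(True, False, False)`: the fresh challenge defeats a recorded response, but every programmer still carries the master key, which is the deployment risk the slide notes.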
Sensible Key Exchange
- Distribution of a symmetric cryptographic key over a human-perceptible sensory channel
- IMD generates a key and broadcasts it as a sound wave, only strong enough to be received by a patient in contact with the microphone
Conclusions
- Important that the authors have revealed the security and privacy risks
- These experiments aren’t practical or feasible in a real world situation
- These risks and prevention techniques for IMDs should be taken into account for future development
Inner Workings of an ICD
- Inside is a magnetic switch
- A close magnetic field allows the ICD to transmit telemetry data which includes EKG readings
- The magnetic field comes from a magnet in the external programmer when placed in proximity of the patient’s ICD
- The model of ICD used is intended for short range wireless communications