Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

1. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses Authors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel Presenter: Raghu Rangan

2. What Are IMDs? • Implantable Medical Device • Can control heart rate, deliver medication, etc. • Sophisticated devices with radios • But are they secure?

3. ICDs Implantable Cardiac Devices Radio-enabled, wirelessly programmable Pacemaking, defibrillation (steady shocks vs. single large shock) Communicates with a device programmer

4. Adversaries Commercial ICD programmer Passive RF listener Active RF attacker

5. Related Work Most research has focused on preventing unintentional failures RC5 on WISP Work using software radios to receive transmissions from commercial wireless protocols

6. Insider Attack Device programmers can be used directly Programmers can read all ICD information, change all settings No technological controls to ensure authorized use

7. Reverse Engineering • Black box: watch communication between ICD and programmer • Done using inexpensive components: • Oscilloscope • Universal Software Radio Peripheral • Software: GNU Radio, Perl, Matlab • Cost: less than $1000

8. Passive Monitoring • Patient data transmitted cleartext • Challenge: modulation, encoding • Not so difficult, standard schemes are used. • Name, birth date, ID number, patient history, diagnosis, treating physician ...

9. Transaction Timeline In order to eavesdrop, need to establish timeline for bidirectional comms between ICD and programmer Do not need to decipher transmissions, can infer meanings and some content

10. Eavesdropping Setup

11. Active Attack: Replay • Replay attacks–attacker needs little knowledge • Trigger information disclosure • Change patient name, ICD clock • Change therapies • Can disable functions • Quitely change device state • Induce fibrillation • Patient safety at risk

12. Active Attack: Denial of Service Presence of strong magnet makes ICD transmit telemetry data Can also be triggered without magnet Radio use might run out battery faster DoScould be quite dangerous–replacing the battery requires surgery

13. Defense Goals Prevent attacks from insiders and outsiders Draw no power from primary battery Security events should be detectable by patient

14. Zero Power Defense • Use RFID tag (WISPer) to guard ICD communication • WISPerharvests power from reader, can perform computations • Three applications: • Notification • Authentication • Sensible key exchange

15. Zero Power Defense

16. Notification When WISPer is activated, beep via piezoelectric speaker After beep, notify ICD it can start using radio Patient aware when ICD is being programmed Can be deterrent for attacker

17. Authentication Challenge/response protocol using RC5 Only if authentication is successful will ICD be told to activate No power is used until authentication succeeds.

18. Key Exchange Use audio as a channel for crypto key exchange Modulate sound wave using same scheme as radio Audible to patient, hard to hear at a distance Also uses no power

19. Conclusion and Future Work Still many open problems: key management, failure modes Security problems can have life-threatening consequences IMDs should be treated as what they are computers

20. Questions/Comments/Discussion