Implanted medical devices like defibrillators and insulin pumps now include wireless connections to let doctors or technicians update software or download data—but such improvements could open the door to life-threatening wireless attacks.
Security researchers have shown that they can surreptitiously reprogram an implanted defibrillator to stay inactive despite a cardiac emergency, deliver a 700-volt jolt when not required, or drain its battery.
A solution from researchers at Rice University and the security company RSA uses a heartbeat reading as a way to confirm that whoever is trying to reprogram or download data from a device is in direct contact with the patient and is not a remote hacker. This fix could work, the researchers say, even in emergency situations where no delay can be tolerated.
Using the new method, a doctor holds a device against the patient’s body, and takes a direct reading of the heartbeat. The device reads the patient’s heartbeat and compares it to one relayed in a wireless signal from the implant, and then confirms that the signals match. The wireless exchange of the heartbeat signal is encrypted, thwarting any attempt to hijack the communications during the exchange.
“This addresses a serious problem that has few existing solutions,” says Shane Clark, a research scientist at BBN Technologies and a former grad student in the lab of Kevin Fu, a leading medical device security researcher who is now at the University of Michigan (see “Innovators Under 35: Kevin Fu”). “Given the unique constraints that implantable medical devices face, it is important to tailor security approaches specifically for them, and that’s what this technology does.”
Clark says the solution avoids making it too cumbersome for a doctor or paramedic to access the device in an emergency. They would not, for example, need to individually authenticate themselves with a password or confirm a patient’s identity. Such traditional approaches “have the potential to endanger the lives of patients in an emergency situation where authentication fails,” Clark says.
While various research efforts show that a person’s heartbeat can be used as a biometric identifier, this one only seeks to ensure that two devices are listening to the same thing at the same time. A future emergency responder wouldn’t need to know the identity of a heart-attack victim, for example, before gaining access and downloading information from the victim’s implanted device. “The heart is very conveniently producing this stream of random bits, and we tap into the stream of bits and make sure we are getting the same signal at the same time,” says Ari Juels, chief scientist at RSA Laboratories in Cambridge, Massachusetts, and a co-author of the paper. (In particular, it simply looks at the pause between beats to find a match.) “Our approach doesn’t rely on a registration of a biometric—all it does is check that the signals are identical.”
But the encryption step is important, he says. This prevents a theoretical attacker in, say, a hospital or a battlefield setting from hijacking the signal in order to issue malicious instructions. In addition, “the fact that you are reading a random changing symbol means the attacker can’t profile the heartbeat at one time and use the information later to attack the device,” he adds.
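As an added illustration of the check described in the two paragraphs above (constructed example, not the researchers' code, thresholds or protocol; the encrypted wireless exchange is left out), the Python below compares the pauses between beats as seen by the implant and by a reader held against the patient, and shows why a recording taken earlier or a reading that is not synchronised fails the match:

```python
# Added illustration of the "same heartbeat, same moment" check; constructed
# values and thresholds, not the researchers' implementation.
def ipis_from_beats(beat_times_ms):
    """Inter-pulse intervals: the pauses between consecutive beats, in ms."""
    return [b - a for a, b in zip(beat_times_ms, beat_times_ms[1:])]

def same_heart_now(ipis_local, ipis_remote, tol_ms=25, min_beats=8, max_bad=1):
    """True when the two interval streams agree beat-for-beat within tol_ms.
    Exact equality would fail on sensor timing noise, so a tolerance is used;
    min_beats keeps a chance match unlikely, max_bad absorbs a single glitch."""
    n = min(len(ipis_local), len(ipis_remote))
    if n < min_beats:
        return False
    bad = sum(abs(a - b) > tol_ms for a, b in zip(ipis_local, ipis_remote))
    return bad <= max_bad

def sensor_read(beat_times_ms, noise_ms):
    """A sensor's view of the beats: true times plus per-beat timing error."""
    return [t + n for t, n in zip(beat_times_ms, noise_ms)]

# Constructed patient: 11 beat timestamps with normal beat-to-beat variability.
TRUE_IPIS = [820, 910, 780, 860, 940, 800, 870, 830, 900, 790]
PATIENT_BEATS = [0]
for ipi in TRUE_IPIS:
    PATIENT_BEATS.append(PATIENT_BEATS[-1] + ipi)

def demo():
    # Implant and the reader held against the chest see the same beats,
    # each with its own small timing noise (within +/-5 ms here).
    implant = ipis_from_beats(sensor_read(PATIENT_BEATS,
                              [3, -5, 2, 0, -4, 5, -2, 1, 4, -3, 0]))
    reader = ipis_from_beats(sensor_read(PATIENT_BEATS,
                             [-4, 2, 5, -3, 1, -2, 4, -5, 0, 3, -1]))
    # A recording of the same patient taken earlier: different beats, so
    # profiling the heartbeat at one time does not reproduce today's stream.
    replayed = [880, 840, 920, 790, 850, 960, 810, 890, 770, 930]
    # A live reading that is not synchronised: it starts one beat late.
    lagged = ipis_from_beats(sensor_read(PATIENT_BEATS,
                             [0, 1, -1, 2, 0, -2, 1, 0, -1, 2, 1])[1:])
    return {
        "touching_patient": same_heart_now(implant, reader),
        "replayed_recording": same_heart_now(implant, replayed),
        "out_of_sync": same_heart_now(implant, lagged),
    }

if __name__ == "__main__":
    print(demo())
```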
Right now, doctors or medical device makers use wireless communication to update software on the device and to download information about events (such as shocks delivered or the timing of insulin doses issued) without requiring surgery.
But it’s a system based on trust, says Masoud Rostami, a PhD candidate at Rice who co-wrote the paper on the heartbeat method. “Unfortunately, manufacturers have not implemented any security mechanisms in [implanted medical devices]. They didn’t or couldn’t even use simple passwords, since they rightfully fear that the password can be lost or stolen.”
Right now, paramedics don’t generally interact with implanted devices. But in the future, it might be valuable for them to have the ability to download data from implanted devices in order to diagnose a condition in an emergency.
However, implementing any changes would take a long time, due to the need for U.S. Food and Drug Administration approval. “Given the long product lifecycles, it would probably take years to reach the market even if a manufacturer wanted to start implementing it today,” Clark says.