Many medical implants, such as insulin pumps and pacemakers, are equipped with wireless radios that let doctors download data about the patient’s condition and adjust the behavior of the implant. But these devices are vulnerable to hackers who can eavesdrop on stored data or even reprogram the implant, causing, for example, a pacemaker to shock a heart unnecessarily. While it may be possible to engineer new, more secure implants, millions of people are walking around with vulnerable devices that can’t be replaced without surgery. An anti-hacking device presented this week at the annual SIGCOMM communications conference in Toronto may offer them a solution.
Created by researchers from MIT and the University of Massachusetts, Amherst, the laptop-sized device, called “the shield,” emits a jamming signal whenever it detects an unauthorized wireless link being established between an implant and a remote terminal (which can be out of sight and tens of meters away). Although no attack of this kind is known to have occurred , “it’s important to solve these kinds of problems before the risk becomes a tenable threat,” says Kevin Fu, an associate professor of computer science at UMass and one of the developers of the shield. Fu was Technology Review’s Young Innovator of the Year in 2009 for his work in uncovering the previously unsuspected danger that hackers pose to implant wearers.
The key innovation is the new radio design that the shield uses for jamming. “If you just do simple jamming [broadcasting radio noise on a given frequency], then the attacker doesn’t get the information, but the doctor doesn’t either,” says Dina Katabi, another developer of the shield and an associate professor of electrical engineering and computer science at MIT. Instead, the shield allows a jamming signal to be broadcast while it simultaneously receives data signals from the implant and relays them over a secure link. So doctors can still download data and confirm adjustments even while the shield is jamming an attacker.
Normally, trying to get a radio to detect data while it’s broadcasting on the same frequency is like attaching a hearing aid to a megaphone on full blast and expecting the hearing aid to pick up a nearby conversation. Earlier attempts to make radios capable of simultaneously transmitting and receiving on the same frequency relied on a carefully spaced trio of antennas. But at the frequencies used in medical devices (about 400 megahertz), this spacing would result in a jamming device far too big for a person to carry. Instead, the researchers worked out how to use two closely spaced antennas: one for receiving and the other for broadcasting the jamming signal. The trick is to feed an “antidote” signal to the jamming signal into the receiving antenna, canceling out the jamming noise.
In tests with cardiac implants in an environment meant to simulate the human body (a one-centimeter-thick layer of bacon placed on top of the implant, and four centimeters of lean ground beef below), the shield was able to completely block unauthorized communications with standard medical terminals, such as a hacker might buy secondhand from an online auction site. Even if the hacker builds his own terminal capable of transmitting a signal 100 times as powerful as the shield’s jamming broadcast, the shield can still block communications until the terminal gets within five meters of the implant. Then the shield can’t ward off attacks—but it can at least alert a patient that an attack is happening.
Although the prototype shield, built out of two off-the-shelf software radios, is cumbersome, it could be miniaturized into something that could be worn around the neck or as a bracelet. The researchers are discussing possible commercialization of the technology with one medical-device manufacturer. A problem yet to be overcome is that telecommunications regulations in the United States and elsewhere generally discourage jamming equipment. Katabi hopes the U.S. Federal Communications Commission would be flexible: “They are a relatively agile agency, and they’ve generated waivers before for medical devices to encourage innovation and solve problems,” she says.
The researchers believe that the shield may be a better alternative to building encryption directly into implants. “Imagine you have an implant with a secret decryption key,” says Katabi. “Your doctor knows the secret key, but you’re traveling and there’s an emergency and you’re taken into a foreign hospital. The doctor there doesn’t have access to the secret key.” However, with a wearable jammer, the hospital could remove the shield, allowing unencrypted access during the emergency.
Not all security researchers agree with that analysis. “There are security methods that don’t require a doctor to have the key,” says Jay Radcliffe, a security researcher who has also studied wireless attacks on implanted devices. Rather than trying to “bolt on security as an afterthought,” Radcliffe argues, the burden should fall on device manufacturers to design in security from the beginning. Still, for existing devices, Radcliffe thinks the shield could offer an interim solution.