22 November 2009
Prof. Srdjan Capkun’s group at ETH, in collaboration with Dr. Claude Castelluccia from INRIA in France, has made a promising contribution in the area of Implantable Medical Devices (IMDs) such as heart pacemakers and defibrillators. Their experiments might increase the security of the many implantable devices under development today. On the one hand, today’s advanced technology often includes wireless communication functions on such devices; on the other hand, this makes them potentially vulnerable to attacks by hackers. While this might seem an evident technical fact in the context of wireless communication, it takes the foresight and responsibility of researchers who take the problem seriously and painstakingly refine more differentiated strategies to prevent this risk before hackers fully exploit it.
by Irena Kulka
Some scenarios, as chilling as they are entertaining, were highlighted in a recent MIT Technology Review article on the original work of Fu and Kohno (3), demonstrating how, in the medical context, security becomes a literally vital issue. Using off-the-shelf hardware components and a student’s engineering skills, they were able to enter an implantable device’s communication channel and explored a curious range of ‘malicious doctor’ operations: they gleaned personal information from such a device, set it to a constant awake state, thus draining the battery, and completely reprogrammed a patient’s IMD, instructing a cardioverter defibrillator to become unresponsive to heart attacks or even to produce them by delivering fatal electroshocks to the heart whenever they wanted.
The imagery of such scenarios equals the script of a horror movie, and the implant experiment pictures from Prof. Capkun’s Lab might allude to Frankenstein ready to revive his Sunday roast, but these are real steps within today’s medical reality. The now published and patented results coming from the group of Prof. Capkun, members of his group Kasper Rasmussen and Tom Heydt-Benjamin (ETH Zurich), and Dr. Claude Castelluccia (INRIA) already include a realistic secure prototype. Their recent paper (1) attracted international attention: it was published at one of the best conferences in the field, ACM CCS (ACM Conference on Computer and Communications Security), and was also mentioned in an MIT Technology Review article (2).
The proposed approach addresses the inherently contradictory requirements of accessibility and access control. Any strategy to protect wireless medical devices has to balance preventing unauthorized access with ease of use for medical staff. Doctors value easy access to the device, as it allows them to read out data easily or to reprogram the device without an additional heart operation. Emergency cases in particular call for even easier access, which would allow immediate intervention by any medical personnel without having to use pre-shared keys.
The ETH/INRIA team takes a differentiated view of the practical needs of the user in different situations and tackles the specific scenarios of attack prevention, normal use and emergency in separate ways. As a result, their solution restricts access to the IMD depending on the physical proximity of the two communicating devices. They make the access space more secure at one end and more open at the other. The work builds on the seminal research carried out by Prof. Capkun and his group over recent years, namely their expertise in secure positioning and security protocols, which enables this cutting-edge applied research.
Thus, (a) under normal, non-urgent conditions, the system requires normal authentication steps before allowing access. By using ultrasound rather than radio frequency, the researchers actually enhance the security of this step. (b) In an emergency the device will paradoxically ‘open this access’, on the condition that the person is very close. The patient would then literally open the heart to anyone who is close, and in that case would rather risk a close enemy than wait for a distant friend who might have lost his access key.
This approach assumes that only ‘friends’ will get very close in a situation of emergency and defenselessness. Paradoxically, this is a viable assumption (…to undermine it, the enemy needs to embrace you first, get your heart in a headlock and escape before the ambulance catches him). Essentially, the ETH/INRIA solution addresses a less visible but more probable and more dangerous scenario: it prevents malicious attackers from passing by unnoticed at some distance with an automated handheld device, and it hinders them from sending signals too easily, such as automated signals sent over a long period of time in an attempt to drain the batteries of random people or specifically targeted victims.
Concretely, the ETH/INRIA researchers use ‘distance bounding’, a cryptographic protocol based on estimating the distance between the medical device and the wireless reader attempting to communicate with it, and on restricting access to a critical ‘bound’ distance, i.e. proximity. The method uses the time delay of acoustic signals and the speed of sound to determine the distance. Their use of ultrasound in this medical and safety-critical context is innovative and more secure, since radio signals, which are frequently used in IMDs, could be tricked by stronger radio transmitters that mimic proximity. Moreover, the innovation lies in the way they combine specially adapted technologies into a practical, context-dependent strategy that solves various real-world security scenarios in different ways.
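The contrast described above, as an added illustration that is not taken from the paper or the ETH/INRIA prototype: a signal-strength proximity estimate next to a simplified single-round acoustic time-of-flight bound. The speed of sound in air, the 10 cm bound, the inverse-square radio model and all function names are assumptions made for this sketch.

```python
import secrets

SPEED_OF_SOUND = 343.0   # m/s in air (assumed; not from the article)
SPEED_OF_LIGHT = 3.0e8   # m/s, radio propagation
MAX_DISTANCE = 0.10      # metres, assumed access bound (not from the article)

def rssi_distance(true_distance, tx_power, nominal_power=1.0):
    """Signal-strength ranging: assumes the sender transmits at nominal_power
    and inverts the inverse-square law, so extra power reads as closeness."""
    received = tx_power / true_distance ** 2
    return (nominal_power / received) ** 0.5

def acoustic_bound(true_distance, reply_delay=0.0, guess=None):
    """One simplified distance-bounding round, as seen by the implant.

    The implant radios a fresh random nonce and times the ultrasound echo.
    Returns (nonce_ok, upper bound on the reader's distance in metres)."""
    nonce = secrets.token_bytes(8)
    # A reader can only reply early (negative delay) by guessing the nonce,
    # because it has not yet received the challenge.
    echoed = nonce if reply_delay >= 0 else guess
    elapsed = (true_distance / SPEED_OF_LIGHT      # challenge over radio
               + reply_delay                       # reader's reaction time
               + true_distance / SPEED_OF_SOUND)   # reply over ultrasound
    return echoed == nonce, SPEED_OF_SOUND * elapsed

def grant_access(true_distance, reply_delay=0.0, guess=None):
    """Accept only a correct echo that arrives within the distance bound."""
    nonce_ok, bound = acoustic_bound(true_distance, reply_delay, guess)
    return nonce_ok and bound <= MAX_DISTANCE

if __name__ == "__main__":
    # Constructed scenarios; distances and powers are sample values.
    print("RSSI, 5 m, nominal power :", round(rssi_distance(5.0, 1.0), 2), "m")
    print("RSSI, 5 m, 100x power    :", round(rssi_distance(5.0, 100.0), 2), "m")
    print("Sound, reader at 5 cm    :", grant_access(0.05))
    print("Sound, reader at 5 m     :", grant_access(5.0))
    print("Sound, 5 m, early guess  :", grant_access(5.0, -0.0143, bytes(8)))
```

Extra transmit power shrinks the signal-strength estimate, whereas any reaction delay only enlarges the acoustic bound, and a reply timed to look close fails because the nonce could not be known in advance.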
The first attempts at electrical heart stimulation date back to the 18th century; however, only in the late 1950s could such devices first be implanted and worn under the skin. In Switzerland, the number of such operations has increased from around 1000 per year by the end of the 1970s to around 5000 new patients per year today. Worldwide there are around half a million new pacemaker and defibrillator users every year, with programmable devices including wireless communication interfaces becoming standard.
Looking ahead, communicative interfaces in medical implant applications will become more and more widespread. Already today there are pacemakers controlling respiration, bladder contraction or preterm birth. There are devices for deep brain stimulation of patients with Parkinson’s, epilepsy, Tourette Syndrome, depression, neurosis and severe headaches, and there are sophisticated Brain Computer Interfaces (BCIs) under development, as well as brain-controlled or otherwise interactive prosthetic devices. Moreover, the innovative proximity-based and context-sensitive approach might be relevant not only in the medical field but also in anticipation of the increasingly widespread use of wearable and possibly implantable devices for identification and communication, wherever space and presence may be a security-critical factor. Ultimately, real-world physical closeness is at the heart of wireless-world security.
References:
(1) Original Paper by ETH/INRIA:
K. B. Rasmussen, C. Castelluccia, T. Heydt-Benjamin and S. Capkun, Proximity-based Access Control for Implantable Medical Devices, Proceedings of CCS 2009
(2) MIT Technology Review Article on the above ETH/INRIA work:
Keeping Pacemakers Safe from Hackers, MIT TR November 2009
(3) MIT Technology Review Article on Fu and Kohno’s Work:
TR35 2009 Young Innovator - Kevin Fu, MIT TR August 2009