they can hear your heartbeats

They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices Jacob Blake 2/10/2015 Shyamnath Gollakota † Haitham Hassanieh† Benjamin Ransford⋆ Dina Katabi† Kevin Fu⋆ Massachusetts Institute of Technology ⋆University of Massachusetts, Amherst {gshyam, haithamh, dk}@mit.edu {ransford, kevinfu}@cs.umass.edu

Upload: jacob-blake

Post on 15-Apr-2017


TRANSCRIPT

Page 1: They Can Hear Your Heartbeats

They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices

Jacob Blake, 2/10/2015

Shyamnath Gollakota†, Haitham Hassanieh†, Benjamin Ransford⋆, Dina Katabi†, Kevin Fu⋆

†Massachusetts Institute of Technology, ⋆University of Massachusetts, Amherst

{gshyam, haithamh, dk}@mit.edu, {ransford, kevinfu}@cs.umass.edu

Page 2: They Can Hear Your Heartbeats

Implantable Medical Devices (IMDs)

Wireless implanted medical devices.

Low-power medical radios such as pacemakers, cardiac defibrillators, insulin pumps, and neurostimulators.

Wireless connectivity allows for remote monitoring of patients.

Wireless monitoring allows for rapid-response, statistics gathering and better quality of service for health-care professionals.

Page 3: They Can Hear Your Heartbeats

The problem

IMDs have been installed over decades and, depending on the device, much of the signal monitoring can be easily intercepted.

Most IMDs have been shown to exhibit exploits that allow commands from compromised sources to be executed.

This problem cannot easily be solved by adding cryptographic methods directly to the IMDs, for three main reasons:

Inalterability: Replacing IMDs requires surgery, which is costly and potentially fatal.

Safety: If the cryptographic cipher is lost, malfunctioning, forgotten, deleted or unable to be transferred to another hospital, this could prove fatal, since no one could adjust the IMD until it was replaced.

Maintainability: Between 1999 and 2005 the number of recalls due to software-related issues on IMDs was 11%. Due to this, it is logical to limit the scope of the software to a minimum (i.e. by not adding additional layers of cryptography).

Page 4: They Can Hear Your Heartbeats

A Solution

Don’t make any modifications to the IMDs themselves; instead, use an external module to protect the IMDs from being compromised.

This paper proposes the idea of “The Shield”. Basic premise:

The shield acts as an interposer between the IMD’s signals and the intended recipient of those signals.

The shield would be worn on the person, in close proximity to the IMD.

The shield would defend against both passive eavesdropping (confidentiality threats) and commands issued by unauthorized parties.

The shield would receive the IMD’s data while jamming it at the same time. The jamming prevents passive threats.

Once the signal is intercepted from the IMD, the shield retransmits the signal after encrypting it.

To protect against active threats, the shield listens for any unauthorized transmissions and jams them from ever reaching the victim.

Page 5: They Can Hear Your Heartbeats

The Shield: Introduction

Must be a full-duplex radio (able to send and receive simultaneously).

Both antennas should have ½ wavelength of separation.

Since the shield is simultaneously jamming the signals that it must retransmit (to prevent eavesdropping), the transmit antenna must be able to transmit an “Antidote Signal” (seen later).

The antidote signal effectively cancels the previous jamming signal of the IMD and allows the transmitted message to be correctly received by the IMD.

Known as the jammer-cum-receiver design (more later).

Has been evaluated on two of the most popular IMD manufactures:

Medtronic Virtuoso implantable cardiac defibrillator (ICD).

Concerto cardiac resynchronization therapy device (CRT).

Page 6: They Can Hear Your Heartbeats

IMD Communications

Older IMDs operate in the 175 kHz band.

In 1999 the FCC set aside a special frequency band for IMD operation within the 402-405 MHz spectrum. This is known as the “Communicate Medical Information Band” (MICS).

Most modern IMDs communicate in the MICS band. However, they may still use other frequency bands for activation (i.e. 2.4 GHz or 175 kHz).

The FCC chose the band for its international availability as well as for its signal propagation characteristics within the human body.

The band is broken up into multiple channels of 300 kHz in width. A pair of communicating devices uses one of these channels.

Page 7: They Can Hear Your Heartbeats

IMD Communications: The Programmer

Typically IMDs communicate with a “Programmer”.

The Programmer initiates the session with the IMD; it then either queries the IMD for data or sends commands.

Due to FCC regulations, the IMD does not normally initiate the session.

Before a 300 kHz communication pair is chosen, the programmer must first listen to make sure the channel is not occupied.

The session between the programmer and the IMD can begin once no interference has been detected for 10 ms.

Page 8: They Can Hear Your Heartbeats

The Threat Model: Shield Defense

Two different types of threats are considered.

Passive eavesdropping (i.e. man-in-the-middle).

An adversary attempts to listen to the communication.

Typically this is carried out by the adversary attempting different decoding strategies.

However, basic results in multi-user information theory show that decoding multiple signals is impossible if the total information rate is outside the capacity region.

For the shield’s defense, its jamming signal is random and aperiodic.

Active adversary (i.e. command sending).

The adversary attempts to send commands to the IMD.

The adversary may attempt to transmit with a commercial IMD programmer. This way the adversary does not need to reverse engineer the protocol.

Alternatively, the adversary could reverse engineer the protocol, allowing him/her to bypass FCC regulations and transmit with much higher power.

The shield can overcome this problem so long as it is kept in close proximity to the IMD (less than ½ a wavelength).

Page 9: They Can Hear Your Heartbeats

The Shield: System Overview

Prevents attacks by acting as a proxy to the IMD.

The shield prevents any device other than itself from communicating with the IMD.

It utilizes a method known as “Jammer-cum-receiver”.

For confidentiality, the shield operates at a very high bit-error rate (BER).

Utilizes a full-duplex, twin-antenna design to both monitor and transmit at the same time.

It shapes the jamming signal’s profile to that of the IMD’s.

It only begins jamming once it detects a signal on its transmission band.

Can identify the IMD’s unique ID and FSK modulation.

Can listen to the entire 3 MHz MICS band and transmit on all subsets of that band.

Complies with FCC standards for jamming power limits.

Page 10: They Can Hear Your Heartbeats

The Shield: Jamming-cum-receiver design

Must transmit and receive simultaneously. This requires an “Antidote Signal” to cancel the jamming signal.

The antidote signal can be computed as follows.

Let $j(t)$ be the jamming signal and $x(t)$ be the antidote. Let $H_{self}$ be the self-looping channel on the receive antenna (i.e., the channel from the transmit chain to the receive chain on the same antenna) and $H_{jam \to rec}$ the channel from the jamming antenna to the receive antenna. The signal received by the shield’s receive antenna is:

$$y(t) = H_{jam \to rec}\, j(t) + H_{self}\, x(t)$$

The antidote must satisfy:

$$x(t) = -\frac{H_{jam \to rec}}{H_{self}}\, j(t)$$

Page 11: They Can Hear Your Heartbeats

The Shield: Jamming-cum-receiver design cont.

The antidote signal cancels the jamming signal only at the shield’s antenna and no other location.

Transmit and receive chains are connected to the same antenna.

When the jamming signal and the antidote signal cancel each other, the interference is cancelled and the antenna can continue to receive from other nodes while transmitting.

Channel Estimation

The shield measures the channels before jamming the IMD. It accomplishes this by periodically sending out a probe, every 200 ms.

Wideband channels

The shield can be easily extended to accommodate wideband frequencies by making use of the OFDM method used on these channels.
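The antidote formula and the statement that cancellation holds only at the shield's own antenna can be checked numerically. This is an added example, not code from the slides or from the shield prototype; the channel values, the eavesdropper's channels and the `est_error` parameter are constructed assumptions.

```python
import cmath
import math
import random

def antidote(j, h_jam_rec_est, h_self_est):
    """x(t) = -(H_jam->rec / H_self) * j(t), from the shield's channel estimates."""
    gain = -h_jam_rec_est / h_self_est
    return [gain * s for s in j]

def mean_power(sig):
    return sum(abs(s) ** 2 for s in sig) / len(sig)

def cancellation_db(j, x, h_from_jam, h_from_antidote):
    """Drop in jamming power (dB) at a point that receives j through
    h_from_jam and the antidote x through h_from_antidote."""
    jam_only = mean_power([h_from_jam * a for a in j])
    residual = mean_power([h_from_jam * a + h_from_antidote * b
                           for a, b in zip(j, x)])
    return math.inf if residual == 0 else 10 * math.log10(jam_only / residual)

def demo(est_error=0.0, seed=7):
    rng = random.Random(seed)
    # Random, aperiodic jamming samples j(t) at complex baseband.
    j = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(2048)]
    # Constructed true channels at the shield (assumed values).
    h_jam_rec = cmath.rect(0.30, 1.1)
    h_self = cmath.rect(0.90, -0.4)
    # The probe-based estimate of H_jam->rec is off by a relative error.
    x = antidote(j, h_jam_rec * (1 + est_error), h_self)
    at_shield = cancellation_db(j, x, h_jam_rec, h_self)
    # Constructed channels to an eavesdropper elsewhere: their ratio differs
    # from the shield's, so the same x(t) does not cancel j(t) there.
    at_eavesdropper = cancellation_db(j, x, cmath.rect(0.05, 2.0),
                                      cmath.rect(0.04, 0.3))
    return at_shield, at_eavesdropper

if __name__ == "__main__":
    for err in (0.0, 0.025):
        shield_db, eve_db = demo(err)
        print(f"estimate error {err:.3f}: shield {shield_db:.1f} dB, "
              f"eavesdropper {eve_db:.1f} dB")
```

A relative estimation error ε leaves −20·log10(ε) dB of cancellation at the shield, so the constructed 2.5% case gives about 32 dB, while the jamming power at the constructed eavesdropper position drops by less than 3 dB.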

Page 12: They Can Hear Your Heartbeats

The Shield: Jamming-cum-receiver design cont.

[Figure panels: Without Jamming; With Jamming]

Page 13: They Can Hear Your Heartbeats

Jamming-cum-receiver cont.: Shaping the Signal’s Profile

Profile of an IMD Signal

Most energy is concentrated around ±50 kHz.

Shaped Jamming Profile

The shaped profile focuses its energy to match the IMD FSK profile.

Page 14: They Can Hear Your Heartbeats

Passive Eavesdroppers: Sub-goals

Maximize jamming efficiency for a given power budget.

This is accomplished by shaping the jamming frequency profile.

This allows the jamming signal to concentrate its energy in the areas where decoding attempts are most likely to take place, while conserving power.

One computationally inexpensive way to shape the signal is to take the IFFT for each Gaussian signal and generate a time-domain jamming signal (the result must be rescaled after this approach).

Ensure independence of eavesdropper location:

Accomplished by maintaining a high BER.

The signal-to-noise ratio of interference (SNR) is independent of the adversary’s location, which also implies that the BER should be location independent as well.

SINR tradeoff between the shield and the adversary

During experimentation an SINR gap of 32 dB provides 50% BER at the adversary.
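The IFFT-based shaping step, as an added example that is not code from the slides or the shield prototype. It assumes one complex Gaussian sample per frequency bin, weighted by a stand-in FSK profile with lobes at ±50 kHz; `N`, `fsk_profile` and its parameters are assumptions, and the output is only a list of baseband samples.

```python
import cmath
import math
import random

FS = 300e3   # one 300 kHz MICS channel at complex baseband
N = 64       # number of frequency bins (assumed)

def bin_freq(k):
    """Centre frequency of DFT bin k in Hz, mapped to [-FS/2, FS/2)."""
    return (k if k < N // 2 else k - N) * FS / N

def fsk_profile(f, tone=50e3, width=10e3, floor=0.01):
    """Assumed stand-in for the IMD's FSK power profile: lobes at +/- tone."""
    return math.exp(-0.5 * ((abs(f) - tone) / width) ** 2) + floor

def shaped_jam(power_budget, seed=3):
    rng = random.Random(seed)
    # One complex Gaussian per frequency bin, variance set by the profile.
    spectrum = []
    for k in range(N):
        sigma = math.sqrt(fsk_profile(bin_freq(k)) / 2)
        spectrum.append(complex(rng.gauss(0, sigma), rng.gauss(0, sigma)))
    # Inverse DFT yields the time-domain jamming samples.
    t = [sum(spectrum[k] * cmath.exp(2j * math.pi * k * n / N)
             for k in range(N)) / N for n in range(N)]
    # Rescale so the mean power equals the budget.
    scale = math.sqrt(power_budget / (sum(abs(s) ** 2 for s in t) / N))
    return [scale * s for s in t]

def band_fraction(samples, lo=30e3, hi=70e3):
    """Fraction of the signal's energy with |frequency| in [lo, hi]."""
    spec = [sum(samples[n] * cmath.exp(-2j * math.pi * k * n / N)
                for n in range(N)) for k in range(N)]
    total = sum(abs(s) ** 2 for s in spec)
    inband = sum(abs(spec[k]) ** 2 for k in range(N)
                 if lo <= abs(bin_freq(k)) <= hi)
    return inband / total

if __name__ == "__main__":
    jam = shaped_jam(power_budget=2.0)
    print(f"energy within 30-70 kHz of centre: {band_fraction(jam):.2f}")
```

Unshaped (flat) Gaussian noise would place about 25% of its energy in that band, since 16 of the 64 bins fall inside it.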

Page 15: They Can Hear Your Heartbeats

Active Adversaries: Sub-goals

Choosing identifying sequences:

For each IMD, a unique identifier is attached to that device (mostly pre-existing).

For each newly decoded bit, the shield checks the bit against an identifying sequence.

It is possible for the shield to look up the unique ID for each IMD in the FCC database.

Setting the threshold:

One issue could arise if an adversary were able to transmit a signal that forced the shield to experience a BER higher than the BER of the IMD. This could overwhelm the jamming signal, bypassing the protection.

However, this problem is rendered null by the fact that the IMD requires all bits to pass the checksum, whereas the shield will tolerate a much higher BER.

Customizing for the MICS band:

This is accomplished by processing signals from all channels in the MICS band simultaneously with a 3 MHz radio front-end.

The shield can then jam any signal matching the constraints of the active jamming algorithm.
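The bit-by-bit identifier check and the tolerance threshold, as an added example that is not code from the slides or the shield prototype. The 16-bit identifier, the packets, the threshold `B_THRESH` and the exact-match model of the IMD's checksum are constructed assumptions.

```python
def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def shield_should_jam(decoded_bits, ident, b_thresh):
    """After each newly decoded bit, compare the last len(ident) bits with
    the identifying sequence; jam once they differ in at most b_thresh bits.
    Returns the number of bits decoded when jamming starts, or None."""
    m = len(ident)
    for end in range(m, len(decoded_bits) + 1):
        if hamming(decoded_bits[end - m:end], ident) <= b_thresh:
            return end
    return None

def imd_would_accept(received_bits, ident):
    """Assumed IMD model: every identifier bit must be correct
    (a stand-in for its all-bits checksum)."""
    m = len(ident)
    return any(received_bits[i:i + m] == ident
               for i in range(len(received_bits) - m + 1))

def flip(bits, positions):
    """Return a copy of bits with the given positions inverted."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed sample data: preamble, hypothetical identifier, payload.
PREAMBLE = [1, 0] * 4
IDENT = [1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
PAYLOAD = [0, 1, 1, 0, 0, 0, 1, 1]
COMMAND = PREAMBLE + IDENT + PAYLOAD
# Cross-traffic for another device: same framing, different identifier.
CROSS_TRAFFIC = PREAMBLE + [b ^ 1 for b in IDENT] + PAYLOAD
B_THRESH = 3  # assumed tolerance, in bit errors

if __name__ == "__main__":
    # The shield's copy of the command arrives with two bit errors,
    # while the IMD's copy is clean.
    shield_copy = flip(COMMAND, {9, 14})
    print("IMD accepts clean copy:", imd_would_accept(COMMAND, IDENT))
    print("strict shield jams:", shield_should_jam(shield_copy, IDENT, 0))
    print("tolerant shield jams at bit:",
          shield_should_jam(shield_copy, IDENT, B_THRESH))
    print("cross-traffic jammed:",
          shield_should_jam(CROSS_TRAFFIC, IDENT, B_THRESH))
```

With an exact-match check the shield would miss the command that the IMD still decodes cleanly; with the tolerance it jams as soon as the identifier has been received, and the cross-traffic packet is left alone.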

Page 16: They Can Hear Your Heartbeats

The Shield: Implementation

The top layer of the prototype is GNU Radio and USRP2 hardware.

Inside, the prototype was implemented using USRP’s RFX400 daughterboards (for MICS bands).

The USRP is capable of full-duplex with a switch.

Two antennas are used (not shown).

Page 17: They Can Hear Your Heartbeats

The Shield: Testing Environment

Medtronic Virtuoso DR implantable cardiac defibrillators (ICDs).

A Medtronic Concerto cardiac resynchronization therapy device.

A Medtronic Vitatron Carelink 2090 Programmer.

USRP2 software radio boards.

Offline programmer to act as an adversary.

Tested at 18 different adversary locations.

Page 18: They Can Hear Your Heartbeats

The Shield: Evaluation

Both the Virtuoso ICD and the Concerto CRT were evaluated.

The experiments were combined because the differences were negligible.

First, the antenna was designed to cancel out 32 dB of the jamming signal at the receive antenna.

The BER for a passive eavesdropper is nearly 50% at all tested locations.

With jamming present, only 0.2% packet loss was seen.

No response could be elicited from the IMD, even at ranges as close as 20 cm.

With 100x the normal signal strength, a response could be elicited at under 5 meters.

The next slide shows the tradeoff between jamming power and BER, alongside the corresponding packet loss rate.

Page 19: They Can Hear Your Heartbeats

[Figures: tradeoff between BER at the eavesdropper and reliable decoding at the shield, each plotted as jamming power vs. IMD power]

Page 20: They Can Hear Your Heartbeats

The Shield: Protecting from Passive Adversaries: Setup

The IMD sends 1000 packets.

The adversary attempts to decode the IMD’s packets using an ‘optimal’ FSK decoder.

The BER is recorded for all locations.

Page 21: They Can Hear Your Heartbeats

The Shield: Protecting from Passive Adversaries: Results

[Figure panels: Adversaries' BER (CDF); Packet loss at shield (CDF)]

Page 22: They Can Hear Your Heartbeats

The Shield: Protecting from Passive Adversaries: Results cont.

The highest packet loss observed was 0.2%, even when the adversary was within 20 cm.

At all locations, the eavesdropper’s BER is nearly 50%. Decoding would be a random guess.

The low variance in the CDF shows that an eavesdropper’s BER is independent of its location (as stated before).

Page 23: They Can Hear Your Heartbeats

The Shield: Protecting from Active Adversaries: Setup

Two types of active adversaries are considered:

Adversaries using a commercial IMD programmer.

These test conditions fall within the FCC regulations for transmissions.

Commands are transmitted to the IMD from unauthorized locations.

Both line-of-sight and non-line-of-sight are considered.

Tested at multiple locations from 20 cm to 30 m.

Adversaries with custom, higher-powered, reverse-engineered devices.

These test conditions exceed all FCC regulations.

The device is engineered with the same USRP daughterboards.

The adversary transmits at 100 times the shield’s power.

Even if the shield becomes overwhelmed by the transmission power, it can raise an “Alarm” signal.

Page 24: They Can Hear Your Heartbeats

The Shield: Protecting from Active Adversaries: Results

The active adversary is using 100 times the power that the FCC limits.

The high-powered adversary is only successful from line-of-sight locations less than 5 meters away.

Even when this condition is met, the shield still raises an Alarm signal.

Page 25: They Can Hear Your Heartbeats

The Shield: Protecting from Passive vs Active Adversaries: Results

[Figure panels: Passive Adversary; Active Adversary]

Page 26: They Can Hear Your Heartbeats

The Shield: Coexistence with existing IMDs

Vaisala digital radiosonde RS92-AGP that uses GMSK modulation.

USRPs alternate between intercepting one packet to the IMD and one cross-traffic packet.

The shield logs all packets it detects and reports which of them it jammed.

The shield did not jam any of the cross-traffic packets.

The shield jammed all of the packets that it detected were addressed to the IMD.

The table below shows jamming behavior and turn-around time in the presence of simulated meteorological cross-traffic.

Probability of Jamming

Cross-traffic: 0

Packets that trigger IMD: 1

Turn-around Time

Average: 270 μs

Std deviation: 23 μs

Page 27: They Can Hear Your Heartbeats

Conclusion and related work

The shield would be an effective defense against both passive and active adversary attacks.

The shield is cost-effective to implement and does not require modifying pre-existing IMDs.

The shield could save lives and protect private medical data.

The shield is based on pre-existing work on a system known as “iJam”.

The goal of iJam was to jam signals attempting to read RFID tags.

iJam used OFDM-based techniques for jamming, while the Shield uses FSK jamming.

The Shield could be expanded to make use of wide-band and OFDM jamming if desired.

Page 28: They Can Hear Your Heartbeats

Questions and Answers

Frequency-shift-keying (FSK)

Orthogonal frequency-division multiplexing (OFDM)

Team that made the Shield

For the jamming signal to be cancelled out at location l, the following must be satisfied:

Author: Jacob Blake