They Can Hear Your Heartbeats: Non-Invasive Security For Implantable Medical Devices
Shyamnath Gollakota, Haitham Hassanieh, Benjamin Ransford, Dina Katabi, Kevin Fu
Massachusetts Institute of Technology; University of Massachusetts, Amherst
{gshyam, haithamh, dk}@mit.edu; {ransford, kevinfu}@cs.umass.edu
[Figure 2 (block diagram not extracted; labels: Transmit Chain, Receive Chain, Decoder, Encoder).]
Figure 2: The jammer-cum-receiver design uses two antennas: a jamming antenna that transmits the jamming signal, and a receive antenna. The receive antenna is connected to both a transmit and receive chain. The antidote signal is transmitted from the transmit chain to cancel out the jamming signal in the receive chain.

[…] without requiring patients to interact directly with the shield, our design aligns with IMD industry trends toward wireless, time- and location-independent patient monitoring.

The next sections explain the jammer-cum-receiver's design, implementation, and use against passive and active adversaries.

5. JAMMER-CUM-RECEIVER

A jammer-cum-receiver naturally needs to transmit and receive simultaneously. This section presents a design for such a full-duplex radio. Our design has two key features: First, it imposes no size restrictions and hence can be built as a small wearable device. Second, it cancels the jamming signal only at the device's receive antenna and at no other point in space, a necessary requirement for our application.

Our design, shown in Fig. 2, uses two antennas: a jamming antenna and a receive antenna. The jamming antenna transmits a random jamming signal. The receive antenna is simultaneously connected to both a transmit and a receive chain. The transmit chain sends an antidote signal that cancels the jamming signal at the receive antenna's front end, allowing the receive antenna to receive any signal without disruption from its own jamming signal.

The antidote signal can be computed as follows. Let j(t) be the jamming signal and x(t) be the antidote. Let Hself be the self-looping channel on the receive antenna (i.e., the channel from the transmit chain to the receive chain on the same antenna) and Hjam→rec the channel from the jamming antenna to the receive antenna. The signal received by the shield's receive antenna is:

y(t) = Hjam→rec j(t) + Hself x(t). (1)

To cancel the jamming signal at the receive antenna, the antidote must satisfy:

x(t) = −(Hjam→rec / Hself) j(t). (2)

Thus, by transmitting a random signal j(t) on its jamming antenna […]

[…] comparable, i.e., |Hjam→l / Hrec→l| ≈ 1 (see Chapter 7 in [53] for a detailed analysis). In contrast, |Hjam→rec / Hself| ≪ 1; |Hself| is the attenuation on the short wire between the transmit and receive chains in the receive antenna, which is significantly less than the attenuation between the two antennas that additionally have to go on the air [17]. For example, in our USRP2 prototype, the ratio |Hjam→rec / Hself| ≈ −27 dB. Thus, the above condition is physically infeasible, and cancelling the jamming signal at the shield's receive antenna does not cancel it at any other location.

We note several ancillary properties of our design:

• Transmit and receive chains connected to the same antenna: Off-the-shelf radios such as the USRP [9] have both a receive and a transmit chain connected to the same antenna; they can in principle transmit and receive simultaneously on the same antenna. Traditional systems cannot exploit this property, however, because the transmit signal overpowers the receive chain, preventing the antenna from decoding any signal but its own transmission. When the jamming signal and the antidote signal cancel each other, the interference is cancelled and the antenna can receive from other nodes while transmitting.

• Antenna cancellation vs. analog and digital cancellation: Cancelling the jamming signal with an antidote is a form of antenna cancellation. Thus, as in the antenna cancellation scheme by Choi et al. [3], one can improve performance using hardware components such as analog cancelers [43]. In this case, the input to the analog canceler will be taken from points a and b in Fig. 2; the output will be fed to the passband filter in the receive chain.

• Channel estimation: Computing the antidote in equation 2 requires knowing the channels Hself and Hjam→rec. The shield estimates these channels using two methods. First, during a session with the IMD, the shield measures the channels immediately before it transmits to the IMD or jams the IMD's transmission. In the absence of an IMD session the shield periodically (every 200 ms in our prototype) estimates this channel by sending a probe. Since the shield's two antennas are close to each other, the probe can be sent at a low power to allow other nodes to leverage spatial reuse to concurrently access the medium.

• Wideband channels: Our discussion has been focused on narrowband channels. However, the same description can be extended to work with wideband channels which exhibit multipath effects. Specifically, such channels use OFDM, which divides the bandwidth into orthogonal subcarriers and treats each of the subcarriers […]
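The following simulation is an added example (not the paper's code) of equations (1) and (2): the antidote cancels the jamming signal at the shield's receive antenna, and the same antidote leaves the jamming signal essentially untouched at another point in space where the two antennas' channels are comparable. The channel values, the 1% and 10% estimation errors, and the random jamming samples are all constructed; only the −27 dB magnitude of Hjam→rec / Hself is taken from the text.

```python
"""Antenna cancellation of a jamming signal, as in equations (1) and (2).

Added example, not code from the paper. Channels are complex scalars
(the narrowband case); all channel values below are constructed.
"""
import cmath
import math
import random


def db(power_ratio):
    """Linear power ratio -> dB."""
    return 10.0 * math.log10(power_ratio)


def random_jamming_signal(n, seed=7):
    """Random complex Gaussian samples j(t), the shield's 'one-time pad'."""
    rng = random.Random(seed)
    return [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(n)]


def antidote(j, h_jamrec_est, h_self_est):
    """Equation (2): x(t) = -(H_jam->rec / H_self) j(t), computed from the
    shield's channel *estimates* (the true channels are never known exactly)."""
    gain = -h_jamrec_est / h_self_est
    return [gain * s for s in j]


def received(j, x, h_jam, h_rec):
    """Equation (1) generalised to any point: the jamming antenna reaches the
    point through h_jam, the receive antenna (carrying the antidote) through h_rec."""
    return [h_jam * js + h_rec * xs for js, xs in zip(j, x)]


def power(sig):
    return sum(abs(s) ** 2 for s in sig) / len(sig)


def cancellation_db(j, x, h_jam, h_rec):
    """Reduction of jamming power at a point (larger = better cancellation).
    A perfect antidote gives a zero residual and +inf; elsewhere it is ~0 dB."""
    jam_only = power([h_jam * s for s in j])
    residual = power(received(j, x, h_jam, h_rec))
    return math.inf if residual == 0 else db(jam_only / residual)


# Constructed channels. |H_jam->rec / H_self| is well below 1; the paper
# reports about -27 dB for its USRP2 prototype.
H_SELF = cmath.rect(1.0, 0.3)                   # short wire: almost no attenuation
H_JAMREC = cmath.rect(10 ** (-27 / 20), -1.1)   # over the air between the two antennas
# At some other location l both antennas are about equally far away, so the
# two channels to l are comparable in magnitude (constructed values).
H_JAM_TO_L = cmath.rect(10 ** (-50 / 20), 0.4)
H_REC_TO_L = cmath.rect(10 ** (-50 / 20), 2.0)


def demo(estimate_error=0.0, n=2000):
    """Return (cancellation at the receive antenna, cancellation at location l)
    in dB for a relative error in the shield's estimate of H_jam->rec."""
    j = random_jamming_signal(n)
    x = antidote(j, H_JAMREC * (1 + estimate_error), H_SELF)
    at_receive_antenna = cancellation_db(j, x, H_JAMREC, H_SELF)
    at_location_l = cancellation_db(j, x, H_JAM_TO_L, H_REC_TO_L)
    return at_receive_antenna, at_location_l


if __name__ == "__main__":
    for err in (0.0, 0.01, 0.1):
        rx, elsewhere = demo(err)
        print(f"estimate error {err:4.0%}: {rx:6.1f} dB at receive antenna, "
              f"{elsewhere:5.1f} dB at location l")
```

With the channels known exactly the residual at the receive antenna is numerically zero; a 1% estimation error leaves a residual 40 dB below the jamming signal, a 10% error 20 dB. At location l the antidote is 27 dB weaker than the jamming signal and the cancellation stays within a fraction of a dB of zero, which is the property the text relies on for confidentiality.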
[Figure residue: "Virtuoso ICD Power Profile"; panel label "(a) Without jamming" (images not extracted).]
Figure 5: Shaping the jamming signal's profile to match an IMD's allows the shield to focus its jamming power on the frequencies that matter for decoding, as opposed to jamming across the entire 300 KHz channel.

To preserve the confidentiality of an IMD's transmissions, the shield jams the IMD's signal on the channel. Since the wireless channel creates linear combinations of concurrently transmitted signals, jamming with a random signal provides a form of one-time pad, where only entities that know the jamming signal can decrypt the IMD's data [50]. The shield leverages its knowledge of the jamming signal and its jammer-cum-receiver capability to receive the IMD's data in the presence of jamming.

To realize our design goal, the shield must ensure that it jams every packet transmitted by the IMD. To this end, the shield leverages two properties of MICS-band IMD communications [13, 24]:

• An IMD does not transmit except in a response to a message from a programmer. The shield can listen for programmer transmissions and anticipate when the IMD may start transmitting.
• An IMD transmits in response to a message from a programmer without sensing the medium. This allows the shield to bound the interval during which the IMD replies after receiving a message.

Fig. 3 shows an example exchange between a Medtronic Virtuoso implantable cardiac defibrillator (ICD) and a programmer (in this case, a USRP). Fig. 3(a) shows that the Virtuoso transmits in response to a programmer's message after a fixed interval (3.5 ms). To check that the Virtuoso indeed does not sense the medium, we made the programmer USRP transmit a message to the Virtuoso and within 1 ms transmit another random message. Fig. 3(b) plots the resulting signal and shows that the Virtuoso still transmitted after the same fixed interval even though the medium was occupied.

Given the above properties, the shield uses the following algorithm to jam the IMD's transmissions. Let T1 and T2 be the lower and upper bounds on the time that the IMD takes to respond to a message, and let P be the IMD's maximum packet duration. Whenever the shield sends a message to the IMD, it starts jamming the medium exactly T1 milliseconds after the end of its transmission. While jamming, the shield receives the signal on the medium using its receive antenna. The shield jams for (T2 − T1) + P milliseconds. Additionally, to deal with scenarios in which the IMD may transmit in response to an unauthorized message, the shield uses its ability to detect active adversaries that might succeed at delivering a message to the IMD (see Section 7(d)). Whenever such an adversary is detected, the shield uses the same algorithm above, as if the message were sent to the IMD by the shield itself.

We note that each shield should calibrate the above parameters for its own IMD. In particular, for the IMDs tested in this paper, the above parameters are as follows: T1 = 2.8 ms, T2 = 3.7 ms, and P = 21 ms.

Our design of the shield sets three sub-goals:

(a) Maximize jamming efficiency for a given power budget: It is important to match the frequency profile of the jamming signal to the frequency profile of the jammed signal [30]. To understand this issue, consider the example of the Virtuoso cardiac defibrillator. This device operates over a channel bandwidth of 300 KHz. However, it uses FSK modulation where a 0 bit is transmitted at one frequency f0 and a 1 bit is transmitted at a different frequency f1. Fig. 4 shows the frequency profile of the FSK signal captured from a Virtuoso cardiac defibrillator. A jammer might create a jamming signal over the entire 300 KHz. However, since the frequency-domain representation of the received FSK signal has most of its energy concentrated around f0 and f1, an adversary can eliminate most of the jamming signal by applying two band-pass filters centered on f0 and f1.

Therefore, an effective jammer should consider the structure of the IMD's signal when crafting the jamming signal, shaping the amount of energy it puts in each frequency according to the frequency profile of the IMD signal. Fig. 5 compares the power profile of a jamming signal that is shaped to fit the signal in Fig. 4 and an […]

Footnote 2: More generally, one could compute the multi-path channel and apply an equalizer [18] on the time-domain antidote signal that inverts the multi-path of the jamming signal.
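The passive jamming schedule above, as an added example that is not the paper's code: a jamming window starts T1 after the end of a message that may trigger the IMD and lasts (T2 − T1) + P, and a detected high-powered adversary's message is scheduled exactly like the shield's own. The T1, T2 and P values are the ones the text reports for the tested IMDs; the event timeline is constructed.

```python
"""Passive-jamming schedule of the shield (Section 6), as an added example.

Not the paper's code. T1, T2 and P are the values the paper reports for its
tested IMDs; the timeline events used below are constructed.
"""
from dataclasses import dataclass

T1_MS = 2.8   # lower bound on the IMD's reply delay after the end of a message
T2_MS = 3.7   # upper bound on the IMD's reply delay
P_MS = 21.0   # maximum IMD packet duration


@dataclass(frozen=True)
class JamWindow:
    start_ms: float
    end_ms: float

    def covers(self, start, end):
        return self.start_ms <= start and end <= self.end_ms


def jam_window(message_end_ms, t1=T1_MS, t2=T2_MS, p=P_MS):
    """Jamming starts exactly T1 after the end of the message and lasts
    (T2 - T1) + P, so any reply that starts in [T1, T2] and lasts at most P
    is entirely covered."""
    start = message_end_ms + t1
    return JamWindow(start, start + (t2 - t1) + p)


def plan_jamming(events, t1=T1_MS, t2=T2_MS, p=P_MS):
    """events: list of (kind, end_ms). 'shield_tx' is the end of the shield's
    own message; 'adversary_delivered' is a detected active adversary whose
    message may have reached the IMD (Section 7(d)), which the shield treats
    exactly as if it had sent the message itself. Other kinds are ignored."""
    windows = []
    for kind, end_ms in events:
        if kind in ("shield_tx", "adversary_delivered"):
            windows.append(jam_window(end_ms, t1, t2, p))
    return windows


def reply_is_protected(windows, reply_start_ms, reply_len_ms):
    """True if some jamming window fully covers the IMD's reply."""
    end = reply_start_ms + reply_len_ms
    return any(w.covers(reply_start_ms, end) for w in windows)


def duty_cycle(windows, horizon_ms):
    """Fraction of the horizon spent jamming (windows assumed disjoint, as they
    are for well-separated messages)."""
    return sum(w.end_ms - w.start_ms for w in windows) / horizon_ms


if __name__ == "__main__":
    events = [("shield_tx", 100.0), ("adversary_delivered", 500.0)]
    ws = plan_jamming(events)
    # The Virtuoso replies after a fixed 3.5 ms, inside [T1, T2].
    print(ws[0], reply_is_protected(ws, 103.5, 15.0))
    print(f"duty cycle: {duty_cycle(ws, 1000.0):.1%}")
```

Because the IMD does not sense the medium, the reply delay does not depend on whether the shield is already jamming, which is what lets the window be fixed in advance rather than triggered by detecting the reply.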
oblivious jamming signal that uses a constant power profile. The figure shows that the shaped signal has increased jamming power in frequencies that matter for decoding.

To shape its jamming signal appropriately, the shield generates the jamming signal by taking multiple random white Gaussian noise signals and assigning each of them to a particular frequency bin in the 300 KHz MICS channel. The shield sets the variance of the white Gaussian noise in each frequency bin to match the power profile resulting from the IMD's FSK modulation in that frequency bin. We then take the IFFT of all the Gaussian signals to generate the time-domain jamming signal. This process generates a random jamming signal that has a power profile similar to the power profile generated by IMD modulation. The shield scales the amplitude of the jamming signal to match its hardware's power budget. The shield also compensates for any carrier frequency offset between its RF chain and that of the IMD.

(b) Ensure independence of eavesdropper location: To ensure confidentiality, the shield must maintain a high bit error rate (BER) at the adversary, independent of the adversary's location. The BER at the adversary, however, strictly depends on its signal-to-interference-and-noise ratio, SINR_A [17]. To show that the BER at the adversary is independent of its location, we show that the SINR at the adversary is independent of its location.

Suppose the IMD transmits its signal at a power Pi dB and the shield transmits the jamming signal at a power Pj dB. The IMD's signal and the jamming signal will experience a pathloss to the adversary of Li and Lj, respectively. Thus, the SINR at the adversary can be written in dB as:

SINR_A = (Pi − Li) − (Pj − Lj) − N_A, (6)

where N_A is the noise in the adversary's hardware. Since equation 6 is written in a logarithmic scale, the pathlosses translate into subtractions.

The pathloss from the IMD to the adversary can be expressed as the sum of the pathloss that the IMD's signal experiences in the body and on the air, i.e., Li = Lbody + Lair [39]. Since the shield and the IMD are close together, the pathlosses they experience on the air to the adversary are approximately the same, i.e., Lair ≈ Lj [53]. Thus, we can rewrite equation 6 as:

SINR_A = (Pi − Lbody) − Pj − N_A. (7)

The above equation shows that SINR_A is independent of the adversary's location and can be controlled by setting the jamming power Pj to an appropriate value. This directly implies that the BER at the adversary is independent of its location.

(c) SINR tradeoff between the shield and the adversary: Similarly to how we computed the SINR of an eavesdropper, we can compute the SINR of the shield (in dB) as:

SINR_S = (Pi − Lbody) − (Pj − G) − N_G, (8)

where N_G is the thermal noise on the shield and G is the reduction in the jamming signal power at the receive antenna due to the antidote. The above equation simply states that SINR_S is the IMD power after subtracting the pathloss due mainly to in-body propagation, the residual of the jamming power (Pj − G), and the noise.

Note that if one ignores the noise on the shield's receive antenna and the adversary's device (which are negligible in comparison to the other terms), one can express the relation between the two SINRs using a simple equation:

SINR_S = SINR_A + G. (9)

This simplified view reveals an intrinsic tradeoff between the SINR at the shield and the adversary, and hence their BERs. To increase the BER at the adversary while maintaining a low BER at the shield, one needs to increase G, which is the amount of jamming power cancelled at the shield's receive antenna. We refer to G as the SINR gap between the shield and the adversary.

We show in Section 10.1 that for the tested IMDs, an SINR gap of G = 32 dB suffices to provide a BER of nearly 50% at the adversary (reducing the adversary to guessing) while maintaining reliable packet delivery at the shield.

7. VERSUS ACTIVE ADVERSARIES

Next, we explain our approach for countering active adversaries. At a high level, the shield detects unauthorized packets and jams them. The jamming signal combines linearly with the unauthorized signal, causing random bit flips during decoding. The IMD ignores these packets because they fail its checksum test.

The exact active jamming algorithm follows. Let Sid be an identifying sequence, i.e., a sequence of m bits that is always used to identify packets destined to the IMD. Sid includes the packet's physical-layer preamble and the subsequent header. When the shield is not transmitting, it constantly monitors the medium. If it detects a signal on the medium, it proceeds to decode it. For each newly decoded bit, the shield checks the last m decoded bits against the identifying sequence Sid. If the two sequences differ by fewer than a threshold number of bits, bthresh, the shield jams the signal until the signal stops and the medium becomes idle again.

The shield also uses its receive antenna to monitor the medium while transmitting. However, in this case, if it detects a signal concurrent to its transmission, it switches from transmission to jamming and continues jamming until the medium becomes idle again. The reason the shield jams any concurrent signal without checking for Sid is to ensure that an adversary cannot successfully alter the shield's own message on the channel in order to send an unauthorized message to the IMD.

We note five subtle design points:

(a) Choosing identifying sequences: Our algorithm relies on the identifying sequence Sid in order to identify transmissions destined for the protected IMD. We therefore desire a method of choosing a per-device Sid based on unique device characteristics. Fortunately, IMDs already bear unique identifying characteristics. For example, the Medtronic IMDs that we tested (the Virtuoso ICD and the Concerto CRT) use FSK modulation, a known preamble, a header, and the device's ID, i.e., its 10-byte serial number. More generally, each wireless device has an FCC ID, which allows the designer to look up the device in the FCC database and verify its modulation, coding, frequency and power profile [12].³ One can use these specifications to choose an appropriate identifying sequence. Furthermore, once in a session, the IMD locks on to a unique channel, to receive any future commands. Since other IMD-programmer pairs avoid occupied channels, this channel ID can be used to further specify the target IMD.

(b) Setting the threshold bthresh: If an adversary can transmit a signal and force the shield to experience a bit error rate higher than the IMD's, it may prevent the shield from jamming an unauthorized command that the IMD successfully decodes and executes. However, we argue that such adversarial success is unlikely, for two reasons. First, because the signal goes through body tissue, the IMD experiences an additional pathloss that could be as high as 40 dB [47], and hence it naturally experiences a much weaker signal than the shield. Second, the IMD uses a harder constraint to accept a packet than the constraint the shield uses to jam a packet. Specifically, the IMD requires that all bits be correct to pass a checksum, […]

Footnote 3: For example, the FCC ID LF5MICS refers to Medtronic IMDs we tested.
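The shaping procedure of sub-goal (a), as an added example that is not the paper's code: white Gaussian noise is drawn per frequency bin with variance matching the IMD's power profile, inverse-transformed to the time domain, and scaled to the power budget. The 64-bin grid, the two-peak FSK profile standing in for f0 and f1, and the −30 dB floor are constructed, not measured from the Virtuoso; the naive DFT keeps the block free of third-party libraries.

```python
"""Shaping the jamming signal to the IMD's power profile (Section 6(a)).

Added example, not the paper's code. The FSK power profile is constructed:
two peaks stand in for f0 and f1 inside the 300 KHz channel.
"""
import cmath
import math
import random

N_BINS = 64                       # frequency bins across the channel (constructed choice)
BIN_HZ = 300_000 / N_BINS         # width of one bin


def fsk_power_profile(f0_bin=20, f1_bin=44, width=2, floor_db=-30.0):
    """Per-bin power of an FSK signal: energy concentrated in the bins carrying
    f0 and f1, a low floor elsewhere. Constructed to resemble the profile the
    paper describes for the Virtuoso, not measured from it."""
    floor = 10 ** (floor_db / 10)
    prof = [floor] * N_BINS
    for centre in (f0_bin, f1_bin):
        for k in range(centre - width, centre + width):
            prof[k] = 1.0
    return prof


def idft(spectrum):
    """Naive inverse DFT, O(N^2); adequate for 64 bins and self-contained."""
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]


def dft(signal):
    n = len(signal)
    return [sum(signal[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def mean_power(sig):
    return sum(abs(s) ** 2 for s in sig) / len(sig)


def shaped_jamming_signal(profile, power_budget, rng):
    """Independent complex white Gaussian noise per bin, variance = profile
    value, IFFT to the time domain, then amplitude-scaled to the budget."""
    bins = [math.sqrt(p) * complex(rng.gauss(0, 1), rng.gauss(0, 1)) / math.sqrt(2)
            for p in profile]
    sig = idft(bins)
    scale = math.sqrt(power_budget / mean_power(sig))
    return [scale * s for s in sig]


def fraction_in_bins(sig, bins_of_interest):
    """Share of the signal's energy that lands in the given bins, measured by
    transforming the generated time-domain signal back to the frequency domain."""
    spec = [abs(v) ** 2 for v in dft(sig)]
    return sum(spec[k] for k in bins_of_interest) / sum(spec)


def compare(seed=3, power_budget=1.0):
    """(shaped share, flat share, shaped signal power): energy share in the
    decoding-relevant bins for a shaped jammer versus an oblivious jammer of
    the same total power."""
    rng = random.Random(seed)
    profile = fsk_power_profile()
    relevant = [k for k, p in enumerate(profile) if p >= 1.0]
    shaped = shaped_jamming_signal(profile, power_budget, rng)
    flat = shaped_jamming_signal([1.0] * N_BINS, power_budget, rng)
    return (fraction_in_bins(shaped, relevant),
            fraction_in_bins(flat, relevant),
            mean_power(shaped))


if __name__ == "__main__":
    s, f, p = compare()
    print(f"shaped jammer: {s:.1%} of its power in the FSK bins; flat jammer: {f:.1%}; "
          f"signal power {p:.3f}")
```

For the same power budget the shaped jammer places almost all of its energy in the eight bins where the FSK signal lives, while the flat jammer spends about seven eighths of it elsewhere; this is the "increased jamming power in frequencies that matter for decoding" that Fig. 5 shows.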
while the shield tolerates some differences (up to bthresh bits) between the identifying sequence and the received one. We describe our empirical method of choosing bthresh in Section 10.1(c).

[The beginning of design point (c) is missing from the extracted page; only these fragments survive:] […] radio front end as wide as 3 MHz and equipping the device with […] all or any subset of the channels in this band, and further continue […] to listen to the whole band as it is transmitting in any subset of the […] The shield uses this capability to monitor the entire 3 MHz MICS band because an adversary can transmit to the IMD on any channel in the band. This monitoring allows the shield to detect and counter adversarial transmissions even if the adversary uses frequency hopping or transmits in multiple channels simultaneously to try to confuse the shield. The shield jams any given 300 KHz channel if the channel contains a signal that matches the constraints described in the active jamming algorithm.

(d) Complying with FCC rules: The shield must adhere to the FCC power limit even when jamming an adversary. However, as explained in Section 3, a sophisticated adversary may use a transmission power much higher than the FCC limit. In such cases, the adversary will be able to deliver its packet to the IMD despite jamming. However, the shield is still useful because it can detect the high-powered adversary in real time and raise an alarm to attract the attention of the patient or a caregiver. Such alarms may be similar to a cell phone alarm, i.e., the shield may beep or vibrate. It is desirable to have a low false positive rate for such an alarm. To that end, we calibrate the shield with an IMD to find the minimum adversarial transmit power that can trigger a response from the IMD despite jamming. We call this value Pthresh. When the shield detects a potentially adversarial transmission, it checks whether the signal power exceeds Pthresh, in which case it raises an alarm.

Finally, we note that when the shield detects a high-powered active adversary, it also considers the possibility that the adversary will send a message that triggers the IMD to send its private data. In this case, the shield applies the passive jamming algorithm: in addition to jamming the adversary's high-powered message, it jams the medium afterward as detailed in Section 6.

(e) Battery life of the shield: Since jamming consumes power, one may wonder how often the shield needs to be charged. In the absence of attacks, the shield jams only the IMD's transmissions, and hence transmits approximately as often as the IMD. IMDs are typically nonrechargeable power-limited devices that do not transmit frequently [11]. Thus, in this mode of operation, we do not expect the battery of the shield to be an issue. When the IMD is under an active attack, the shield will have to transmit as often as the adversary. However, since the shield transmits at the FCC power limit for the MICS band, it can last for a day or longer even if transmitting continuously. For example, wearable heart rate monitors that continuously transmit ECG signals can last 24-48 hours [57].

8. IMPLEMENTATION

We implement a proof-of-concept prototype shield with GNU Radio and USRP2 hardware [9, 16]. The prototype uses the USRP's RFX400 daughterboards, which operate in the MICS band [13]. The USRP2 does not support multiple daughterboards on the same motherboard, so we implement a two-antenna shield with two USRP2 radio boards connected via an external clock [25] so that they act as a single node. The two antennas are placed right next to each other.

Our design for a two-antenna jammer-cum-receiver requires the receive antenna to be always connected to both a transmit and a receive chain. To enable the shield's receive antenna to transmit and receive simultaneously, we turn off the USRP RX/TX switch, which leaves both the transmit and receive chains connected to the antenna all the time. Specifically, we set atr_txval=MIX_EN and atr_rxval=ANT_SW in the TX chain, and we set atr_txval=MIX_EN and atr_rxval=MIX_EN in the RX chain, in the USRP2's firmware and FPGA code. Finally, we equip the shield with FSK modulation and demodulation capabilities so that it can communicate with an IMD.

[Figure 6 (diagram not extracted): shield, IMD, and adversary locations 1-18.]
Figure 6: Testbed setup showing shield, IMD, and adversary locations. We experiment with 18 adversary locations, numbered here in descending order of received signal strength at the shield.

9. TESTING ENVIRONMENT

Our experiments use the following devices:

• Medtronic Virtuoso DR implantable cardiac defibrillators (ICDs) [37].
• A Medtronic Concerto cardiac resynchronization therapy device (CRT) [36].
• A Medtronic Vitatron Carelink 2090 Programmer [35].
• USRP2 software radio boards [9].

In our in vitro experiments, the ICD and CRT play the role of the protected IMD. The USRP devices play the roles of the shield, the adversary, and legitimate users of the MICS band. We use the programmer off-line with our active adversary; the adversary records the programmer's transmissions in order to replay them later. Analog replaying of these captured signals doubles their noise, reducing the adversary's probability of success, so the adversary demodulates the programmer's FSK signal into the transmitted bits to remove the channel noise. The adversary then re-modulates the bits to obtain a clean version of the signal to transmit to the IMD.

Fig. 6 depicts the testing setup. To simulate implantation in a human, we followed prior work [22] and implanted each IMD beneath 1 cm of bacon, with 4 cm of 85% lean ground beef packed underneath. We placed the shield next to the IMD on the bacon's surface to simulate a necklace. We varied the adversary's location between 20 cm and 30 m, as shown in the figure.

10. EVALUATION

We evaluate our prototype of a shield against commercially available IMDs. We show that the shield effectively protects the confidentiality of the IMD's messages and defends the IMD against commands from unauthorized parties. We experiment with both the Virtuoso ICD and the Concerto CRT. However, since the two IMDs did not show any significant difference, we combine the experimen[…]
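The active jamming algorithm of Section 7 together with the Pthresh alarm of design point (d), as an added example that is not the paper's code: after each decoded bit the last m bits are compared with Sid, a match within bthresh bits is jammed, any signal concurrent with the shield's own transmission is jammed without the Sid check, and a matching packet above Pthresh additionally raises an alarm and schedules the passive jamming of a possible IMD reply. The identifying sequence, the −60 dBm Pthresh and the bit streams are constructed placeholders; bthresh = 4 is the value the paper chooses.

```python
"""Active-adversary handling of the shield (Section 7 and design point (d)).

Added example, not the paper's code. SID, P_THRESH_DBM and the bit streams
are constructed placeholders; a real shield derives Sid from the IMD's
preamble, header and device ID and calibrates Pthresh against its IMD.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed 24-bit stand-in for Sid (preamble + header); real ones are longer.
SID = [1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1]
B_THRESH = 4          # the paper's conservatively chosen value
P_THRESH_DBM = -60.0  # constructed placeholder; calibrated per IMD in practice


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


@dataclass
class Decision:
    jam: bool
    alarm: bool
    passive_jam_after: bool      # also run the Section 6 schedule for the IMD's reply
    matched_at: Optional[int]    # index of the last bit of the window that matched Sid
    reason: str


def shield_decision(decoded_bits: List[int], rssi_dbm: float, transmitting: bool,
                    sid=SID, b_thresh=B_THRESH, p_thresh=P_THRESH_DBM) -> Decision:
    """Decide, for a signal seen on the medium, whether to jam it and whether to alarm.

    decoded_bits: bits decoded so far from the signal, in order.
    rssi_dbm: received power of the signal at the shield's receive antenna.
    transmitting: whether the shield was transmitting when the signal appeared.
    """
    # While transmitting, any concurrent signal is jammed without the Sid check,
    # so that nobody can alter the shield's own message on the channel.
    if transmitting:
        return Decision(True, False, False, None, "concurrent with own transmission")

    # Otherwise slide over the decoded bits: after each new bit, compare the last
    # m bits with Sid and jam as soon as they differ by fewer than b_thresh bits.
    m = len(sid)
    for end in range(m, len(decoded_bits) + 1):
        window = decoded_bits[end - m:end]
        if hamming(window, sid) < b_thresh:
            # A packet strong enough to reach the IMD despite jamming (above
            # Pthresh) raises an alarm and also triggers the passive-jamming
            # schedule in case the IMD answers it with private data.
            strong = rssi_dbm > p_thresh
            return Decision(True, strong, strong, end - 1,
                            "identifying sequence matched"
                            + (" (high power)" if strong else ""))
    return Decision(False, False, False, None, "no match")


def corrupt(bits, positions):
    """Flip the given bit positions (used only to construct inputs)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    noise = [0, 1, 1, 0, 0, 1, 0, 0, 1, 1]               # constructed leading bits
    stream = noise + corrupt(SID, [3, 17]) + [1, 0, 1]    # Sid with two bit errors
    print(shield_decision(stream, rssi_dbm=-75.0, transmitting=False))
    print(shield_decision(stream, rssi_dbm=-50.0, transmitting=False))
    print(shield_decision(noise + corrupt(SID, [1, 5, 9, 13, 21]), -75.0, False))
    print(shield_decision([1, 1, 0], -75.0, transmitting=True))
```

The threshold comparison follows the algorithm statement ("differ by fewer than bthresh bits"); the sliding comparison runs once per newly decoded bit, so the decision is taken as soon as the preamble and header have been seen rather than after the whole packet.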
[Figure 7 (plot not extracted): CDF of "Nulling of the Jamming Signal (dB)", x-axis 20 to 40 dB.]
Figure 7: Antenna cancellation: The antidote signal reduces the jamming signal by 32 dB on average.

[Figure 8 (plot not extracted): panel (a) "Adversary's BER vs. jamming power", x-axis "Jamming Power relative to IMD Power (dB)", 0 to 25 dB.]

Table 1: Adversarial RSSI that elicits IMD responses despite the shield's jamming. [Table body not extracted.]

[Figure 9 (plot not extracted): CDF, x-axis "BER at the Adversary", 0 to 1.]
Figure 9: CDF of an eavesdropper's BER over all eavesdropper locations in Fig. 6: At all locations, the eavesdropper's BER is nearly 50%, which makes its decoding task no more successful than random guessing. The low variance in the CDF shows that an eavesdropper's BER is independent of its location.

[Figure 10 (plot not extracted): CDF, x-axis "Packet Loss at the Shield", 0 to 0.025.]
Figure 10: Packet loss at the shield: When the shield is jamming, it experiences an average packet loss rate of only 0.2% when receiving the IMD's packets. We conclude that the shield can reliably decode the IMD's transmissions despite jamming.

[…] power of the signal it receives from the IMD. The figure shows that if the shield's jamming power is 20 dB higher than the IMD's power, the packet loss rate is no more than 0.2%. We conclude that this jamming power achieves both a high error rate at the eavesdropper and reliable decoding at the shield.

We note that the shield's increased power, described above, still complies with FCC rules on power usage in the MICS band because the transmit power of implanted devices is 20 dB less than the maximum allowed transmit power for devices outside the body [40, 41].

(c) Setting the jamming parameters: Next we calibrate the jamming parameters for countering active adversaries. The shield must jam unauthorized packets sent to the IMD it protects. It must jam these packets even if it receives them with some bit errors, because they might otherwise be received correctly at the IMD. We therefore empirically estimate an upper bound, bthresh, on the number of bit flips an IMD accepts in an adversary's packet header. The shield uses this upper bound to identify packets that must be jammed.

To estimate bthresh, we perform the following experiment. First, a USRP transmits unauthorized commands to the IMD to trigger it to send patient data. We repeat the experiment for all locations in Fig. 6. The shield stays in its marked location in Fig. 6, but its jamming capability is turned off. However, the shield logs all of the packets transmitted by the IMD as well as the adversarial packets that triggered them. We process these logs offline and, for packets that successfully triggered an IMD response despite containing bit errors, we count the number of bit flips in the packet header. Our results show that it is unlikely that a packet will have bit errors at the shield but still be received correctly by the IMD. Out of 5000 packets, only three packets showed errors at the shield but still triggered a response from an IMD. The maximum number of bit flips in those packets was 2, so we conservatively set bthresh = 4.

Next, we measure Pthresh, the minimum adversary RSSI at the shield that can elicit a response from the IMD in the presence of jamming. To do so, we fix the location of the IMD and the shield as shown in Fig. 6. Again we use a USRP that repeatedly sends a command to trigger the IMD to transmit. We fix the adversary in location 1 and vary its transmit power. Table 1 reports the minimum and average RSSI at the shield's receive antenna for all packets that succeeded in triggering the IMD to transmit. We set Pthresh 3 dB below the minimum RSSI in the table and use that value for all subsequent experiments.

10.2 Protecting from Passive Adversaries

To evaluate the effectiveness of the shield's jamming, we run an experiment in which the shield repeatedly triggers the IMD to transmit the same packet. The shield also uses its jammer-cum-receiver capability to jam the IMD's packets while it decodes them. We set the shield's jamming power as described in Section 6. In each run, we position an eavesdropper at a different location shown in Fig. 6 and make the IMD send 1000 packets. The eavesdropping adversary attempts to decode the IMD's packets using an optimal FSK decoder [38]. We record the BER at the eavesdropper and the packet loss rate at the shield.

Fig. 9 plots a CDF of the eavesdropper's BER taken over all locations in Fig. 6. The CDF shows that the eavesdropper's BER is nearly 50% in all tested locations. We conclude that our design of the shield achieves the goal of protecting the confidentiality of the IMD's transmissions from an eavesdropper regardless of the eavesdropper's location.

For the same experiment, Fig. 10 plots a CDF of the packet loss rate of IMD-transmitted packets at the shield. Each point on the x-axis refers to the packet loss rate over 1000 IMD packets. The average packet loss rate is about 0.2%, considered low for wireless systems [8]. Such a low loss rate is due to two factors. First, we locate the shield fairly close to the IMD, so it receives the IMD's signal at a relatively high SNR. Second, the jamming cancellation is sufficient to maintain a high SNR that ensures a low packet loss rate. We conclude that the shield can decode the IMD's packets reliably, even while jamming.

10.3 Protecting from Active Adversaries

We distinguish between two scenarios representing different levels of adversarial sophistication. In the first, we consider scenarios in which the adversary uses an off-the-shelf IMD programmer to send unauthorized commands to the IMD. In the second, a more sophisticated adversary reverse-engineers the protocol and uses custom hardware to transmit with much higher power than is possible in the first scenario.

(a) Adversary that uses a commercial IMD programmer: The simplest way an adversary can send unauthorized commands to an IMD is to obtain a standard IMD programmer and use its built-in radio. Since commercial programmers abide by FCC rules, in this scenario, the adversary's transmission power will be comparable to that of the shield.

Using an IMD programmer we obtained via a popular auction website, we play the role of such an active adversary. We use the setup in Fig. 6, fixing the IMD's and shield's locations and transmitting unauthorized commands from all the marked locations. As shown in the figure, we experiment with both line-of-sight and non-
Probability the IMD Changes Treatment
1 1 1 1 1 1
0.94 1 1 1 1 1 0.95
Probability the IMD Replies Shield Absent Shield Absent
Shield Present 0.84 Shield Present
0.77 0.78
0.8 0.8 0.70
0.59
0.6 0.6
0.4 0.4
0.2 0.2
0.01 0.02 0.01
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14
Location Location
Figure 11: Without the shield, triggering an IMD to transmit and deplete its battery using an off-the-shelf IMD programmer succeeds with high probability. With the shield, such attacks fail.

Figure 12: Without the shield, an adversary using an off-the-shelf programmer to send unauthorized commands (in this case, to modify therapy parameters) succeeds with high probability. The shield materially decreases the adversary's ability to control the IMD.

line-of-sight locations as well as nearby (20 cm) and relatively far locations (30 m).

To test whether the shield's jamming is effective against unauthorized commands, regardless of which unauthorized command the adversary chooses to send, we experiment with two types of adversarial commands: those that trigger the IMD to transmit its data with the objective of depleting its battery, and those that change the IMD's therapy parameters. In each location, we play each command 100 times with the shield on and 100 times with the shield off. After each attempt, we check whether the command was successful. To determine whether the first type of command was successful, i.e., whether it elicited a reply, we sandwiched a USRP observer along with the IMD between the two slabs of meat. To allow the USRP observer to easily check whether the IMD transmitted in response to the adversary's command, we configure the shield to jam only the adversary's packets, not the packets transmitted by the IMD. To determine whether a therapy modification command was successful, we use the IMD programmer to read the therapy parameters before and after the attempt.

Fig. 11 and Fig. 12 show the results of these experiments. They plot the probability that adversarial commands succeed with the shield off (absent) and on (present), each as a function of adversary locations. The locations are ordered by decreasing SNR at the USRP observer. The figures show the following:

rized commands that trigger the IMD to transmit and those that change its therapy parameters, we show results only for the therapy modification command.

Fig. 13 shows the results of this experiment in terms of the observed probability of adversarial success, with the shield both on and off. It also shows the observed probability that the shield raises an alarm, which is how the shield responds to a high-powered (above P_thresh) adversarial transmission. The figure further shows:

• When the shield is off, the adversary's increased transmission power allows it to elicit IMD responses from as far as 27 meters (location 13) and from non-line-of-sight locations.

• When the shield is on, the adversary elicits IMD responses only from nearby, line-of-sight locations. Thus, the shield's presence raises the bar even for high-powered adversaries.

• Whenever the adversary elicits a response from the IMD in the presence of the shield, the shield raises an alarm. The shield also raises an alarm in response to unsuccessful adversarial transmissions that are high powered and emanate from nearby locations (e.g., location 6). While this conservative alert results in false positives, we believe it is reasonable to alert the patient that an adversary is nearby and may succeed at controlling the IMD.
[Figure 13 (bar chart): probability, per adversary location 1 through 18, that the IMD responds with the shield absent, that the IMD responds with the shield present, and that the shield raises an alarm.]

Figure 13: High-powered adversary: Without the shield, an adversary transmitting at 100 times the shield's power can change the IMD's therapy parameters even from non-line-of-sight locations up to 27 m away. With the shield, the adversary is successful only from line-of-sight locations less than 5 m away, and the shield raises an alarm.
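The trial-based methodology described above (play each command 100 times per location with the shield on and off, then check whether it took effect) and the alarm behaviour discussed for Fig. 13 can be checked with the following added example, which is not code from the paper or from the shield prototype. It assumes a constructed set of trial records, a placeholder threshold P_THRESH_DBM (the page gives no numeric value for P_thresh), and the rule that any transmission the shield hears above that threshold raises an alarm. From those records it tabulates, per location, the success probability with the shield off and on and the alarm probability, and it counts missed alarms (a command that took effect with the shield on but raised no alarm), which is the failure mode a defender most wants to rule out; the "conservative" false positives the text mentions are reported separately. The location numbers, counts and power levels are constructed, not the paper's measurements.

```python
from collections import defaultdict
from dataclasses import dataclass

# Placeholder threshold: the paper's numeric P_thresh is not given on this page.
P_THRESH_DBM = -40.0


@dataclass(frozen=True)
class Trial:
    """One attempt of an adversarial command (constructed record, not measured data)."""
    location: int          # adversary position, numbered as in the figures
    shield_on: bool        # shield present (True) or absent (False)
    rx_power_dbm: float    # adversary's signal power as heard at the shield
    imd_responded: bool    # did the command take effect (observer or programmer check)?


def shield_alarm(rx_power_dbm, p_thresh_dbm=P_THRESH_DBM):
    """Alarm rule: a transmission heard above P_thresh is treated as a
    high-powered adversary whether or not the command succeeded."""
    return rx_power_dbm > p_thresh_dbm


def tabulate(trials):
    """Per-location statistics in the style of Fig. 11-13."""
    buckets = defaultdict(list)
    for t in trials:
        buckets[(t.location, t.shield_on)].append(t)
    rows = {}
    for loc in sorted({t.location for t in trials}):
        off = buckets[(loc, False)]
        on = buckets[(loc, True)]
        # Alarms are only meaningful when the shield is present.
        alarms = [shield_alarm(t.rx_power_dbm) for t in on]
        # Missed alarm: the command took effect with the shield on, yet no alarm fired.
        missed = sum(1 for t, a in zip(on, alarms) if t.imd_responded and not a)
        rows[loc] = {
            "p_success_off": sum(t.imd_responded for t in off) / len(off) if off else None,
            "p_success_on": sum(t.imd_responded for t in on) / len(on) if on else None,
            "p_alarm_on": sum(alarms) / len(alarms) if alarms else None,
            "missed_alarms": missed,
        }
    return rows


def summarize(rows):
    """Total missed alarms, plus the locations where the alarm fired although
    every command failed (the conservative false positives the text mentions)."""
    total_missed = sum(r["missed_alarms"] for r in rows.values())
    false_positive_locs = [
        loc for loc, r in rows.items()
        if r["p_alarm_on"] and r["p_success_on"] == 0
    ]
    return total_missed, false_positive_locs


def make_trials():
    """Constructed trial set: 100 attempts per location and shield state.
    spec maps location -> (successes with shield off, successes with shield on,
    received power at the shield in dBm). Values are illustrative only."""
    spec = {
        1: (100, 90, -30.0),   # nearby: above threshold, shield cannot stop it, alarm fires
        3: (100, 5, -45.0),    # below threshold yet a few commands get through: missed alarms
        6: (100, 0, -35.0),    # nearby but blocked: alarm fires with no success (false positive)
        13: (95, 0, -55.0),    # far away: weak signal, blocked, no alarm
    }
    trials = []
    for loc, (succ_off, succ_on, rx_dbm) in spec.items():
        for i in range(100):
            trials.append(Trial(loc, False, rx_dbm, i < succ_off))  # power unused when shield is off
            trials.append(Trial(loc, True, rx_dbm, i < succ_on))
    return trials


if __name__ == "__main__":
    rows = tabulate(make_trials())
    for loc, r in rows.items():
        print(loc, r)
    print("missed alarms, false-positive locations:", summarize(rows))
```

A non-zero missed-alarm count at a location (location 3 in the constructed data) is the signal that the threshold is set too high relative to the power at which commands can still get through the jamming; a location that alarms without any success (location 6) is the benign, conservative case the text describes.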
                          Cross-Traffic               0
Probability of Jamming    Packets that trigger IMD    1
                          Average                     270 μs
Turn-around Time          Standard Deviation          23 μs

Table 2: Coexistence results: Jamming behavior and turn-around time in the presence of simulated meteorological cross-traffic.

transmissions. This delay is mainly due to the shield's being implemented in software. A hardware implementation would have a more efficient turn-around time of tens of microseconds. (Note, for example, that an 802.11 card can turn around in a SIFS duration of 10 μs.) The low turn-around time shows that the shield does not continuously jam the medium (thereby denying others access to it).

12. RELATED WORK

Recent innovations in health-related communication and networking technologies range from low-power implantable radios that harvest body energy [27] to medical sensor networks for in-home monitoring and diagnosis [51, 55]. Past work has also studied the vulnerabilities of these systems and proposed new designs that could improve their security [21, 22]. Our work builds on this foundation, but it differs from all past works in that it presents the first system that defends existing commercial IMDs against adversaries who eavesdrop on transmissions or send unauthorized commands.

Our design is motivated by the work of Halperin et al., who analyzed the security properties of an implantable cardiac device and demonstrated its vulnerability to adversarial actions that compromise data confidentiality or induce potentially harmful heart rhythms [21, 22]. They also suggested adding passively powered elements to implantable devices to allow them to authenticate their interlocutors. Along similar lines, Denning et al. propose a class of devices called cloakers that would share secret keys with IMDs [6]; an IMD would attempt to detect an associated cloaker's presence either periodically or when presented with an unknown programmer. Unlike these three proposals, our technique does not require cryptographic methods and is directly applicable to IMDs that are already implanted.

Other work has focused on the problem of key distribution for cryptographic security. Cherukuri et al. propose using consistent human biometric information to generate identical secret keys at different places on a single body [2]. Schechter suggests that key material could be tattooed onto patients using ultraviolet micropigmentation [48].

Our work builds on a rich literature in wireless communication. Specifically, past work on jamming focuses on enabling wireless communication in the presence of adversarial jamming [29, 42]. Some past work, however, has proposed to use friendly jamming to prevent adversarial access to RFID tags, sensor nodes, and IMDs [33, 44, 56]. Our work is complementary to this past work but differs from it in that our jammer can transmit and receive at the same time; this allows it to decode IMD messages while protecting their confidentiality.

Our work is related to prior work on physical-layer information-theoretic security. Past work in this area has shown that if the channel to the receiver is better than the channel to an eavesdropper, the sender-receiver pair can securely communicate [5, 52, 54]. Also, our prior work proposes iJam, an OFDM-based technique that jams while receiving to prevent unauthorized receivers from obtaining a protected signal [20]. iJam, however, is not applicable to IMDs because it relies on the intrinsic characteristics of OFDM signals, which differ greatly from IMDs' FSK signals. Further, iJam requires changes to both the transmitter and receiver, and hence does not immediately apply to IMDs that are already implanted.

Finally, our work also builds on past work on full-duplex radio [3, 7, 4]. Ours, however, differs from all past works in that it is the first to demonstrate the value of using full-duplex radios for security. Furthermore, we implement a radio where the antennas are placed next to each other so that it can be built as a small device, and we show both empirically and analytically that our design secures IMDs using only 30 dB of cancellation, which is significantly less than the 60-80 dB of cancellation required by prior work [7, 3].

13. CONCLUSION

The influx of wireless communication in medical devices brings a number of domain-specific problems that require the expertise of both the wireless and security communities. This paper addresses the problem of communication security for implantable medical devices. The key challenge in addressing this problem stems from the difficulty of modifying or replacing implanted devices. We present the design and implementation of a wireless physical-layer solution that delegates the task of protecting IMD communication to an external device called the shield. Our evaluation shows that the shield effectively provides confidentiality for IMDs' transmitted data and shields IMDs from unauthorized commands, both without requiring any changes to the IMDs themselves.

Acknowledgments: We thank Arthur Berger, Ramesh Chandra, Rick Hampton, Steve Hanna, Dr. Daniel Kramer, Swarun Kumar, Nate Kushman, Kate Lin, Hariharan Rahul, Stefan Savage, Keith Winstein, and Nickolai Zeldovich for their insightful comments. The authors acknowledge the financial support of the Interconnect Focus Center, one of the six research centers funded under the Focus Center Research Program, a Semiconductor Research Corporation program. This research is also supported by NSF CNS-0831244, an NSF Graduate Research Fellowship, a Sloan Research Fellowship, the Armstrong Fund for Science, and Cooperative Agreement No. 90TR0003/01 from the Department of Health and Human Services. Its contents are solely the responsibility of the authors and do not necessarily represent the official views of the DHHS or NSF. K. Fu is listed as an inventor on patent applications pertaining to zero-power security and low-power flash memory, both with assignee UMass.
14. REFERENCES

[1] J. Åkerberg. State-of-the-art radiosonde telemetry. In Proc. Symp. Integrated Observing and Assimilation Systems for Atmosphere, Oceans, and Land Surface. American Meteorological Society, 2004.
[2] S. Cherukuri, K. K. Venkatasubramanian, and S. K. S. Gupta. Biosec: A biometric based approach for securing communication in wireless networks of biosensors implanted in the human body. In International Conference on Parallel Processing Workshops, 2003.
[3] J. Choi, M. Jain, K. Srinivasan, P. Levis, and S. Katti. Achieving single channel, full duplex wireless communication. In Proc. ACM MobiCom, 2010.
[4] J. Choi, M. Jain, K. Srinivasan, P. Levis, and S. Katti. A working single channel, full duplex wireless system. In MobiCom Demo, 2010.
[5] I. Csiszar and J. Korner. Broadcast channels with confidential messages. IEEE Trans. Inf. Theory, 24(3):339-348, 1978.
[6] T. Denning, K. Fu, and T. Kohno. Absence makes the heart grow fonder: New directions for implantable medical device security. In Proc. USENIX Workshop on Hot Topics in Security (HotSec), 2008.
[7] M. Duarte and A. Sabharwal. Full-duplex wireless communications using off-the-shelf radios: Feasibility and first results. In Asilomar Conference on Signals, Systems, and Computers, 2010.
[8] D. Eckhardt and P. Steenkiste. Measurement and analysis of the error characteristics of an in-building wireless network. In Proc. ACM SIGCOMM, 1996.
[9] Ettus Inc. Universal Software Radio Peripheral. http://ettus.com/.
[10] European Telecommunications Standard Institute. ETSI EN 301 839-1 V1.3.1, 2009.
[11] C. Falcon. Inside implantable devices. Medical Design Tech., 2004.
[12] Federal Communications Commission. FCC ID number search. http://www.fcc.gov/searchtools.html.
[13] Federal Communications Commission. MICS Medical Implant Communication Services, FCC 47CFR95.601-95.673 Subpart E/I Rules for MedRadio Services.
[14] K. Fu. Inside risks: Reducing the risks of implantable medical devices: A prescription to improve security and privacy of pervasive health care. Communications of the ACM, 52(6):25-27, 2009.
[15] K. Fu. Trustworthy medical device software. In Public Health Effectiveness of the FDA 510(k) Clearance Process: Measuring Postmarket Performance and Other Select Topics: Workshop Report. IOM (Institute of Medicine), National Academies Press, 2011.
[16] GNU Radio. http://gnuradio.org/.
[17] A. Goldsmith. Wireless Communications. Cambridge University Press, 2005.
[18] S. Gollakota, F. Adib, D. Katabi, and S. Seshan. Clearing the RF smog: Making 802.11 robust to cross-technology interference. In ACM SIGCOMM, 2011.
[19] S. Gollakota, N. Ahmed, N. Zeldovich, and D. Katabi. Secure in-band wireless pairing. In USENIX Security Sym., 2011.
[20] S. Gollakota and D. Katabi. Physical layer security made fast and channel-independent. In Proc. IEEE INFOCOM, 2011.
[21] D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel. Security and privacy for implantable medical devices. IEEE Pervasive Computing, 7(1), 2008.
[22] D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proc. IEEE Symposium on Security and Privacy, 2008.
[23] Industry Canada. Radio Standards Specification RSS-243: Medical Devices Operating in the 401-406 MHz Frequency Band. Spectrum Management and Telecommunications, 2010.
[24] International Telecommunications Union. ITU-R Recommendation RS.1346: Sharing between the meteorological aids service and medical implant communication systems (MICS) operating in the mobile service in the frequency band 401-406 MHz, 1998.
[25] Jackson Labs. Fury GPSDO. http://www.jackson-labs.com/.
[26] W. C. Jakes. Microwave Mobile Communications. Wiley, 1974.
[27] M. Koplow, A. Chen, D. Steingart, P. Wright, and J. Evans. Thick film thermoelectric energy harvesting systems for biomedical applications. In Proc. Symp. Medical Devices and Biosensors, 2008.
[28] C. Kuo, J. Walker, and A. Perrig. Low-cost manufacturing, usability and security: An analysis of Bluetooth simple pairing and Wi-Fi protected setup. In Usable Security Workshop, 2007.
[29] Y. Liu, P. Ning, H. Dai, and A. Liu. Randomized differential DSSS: Jamming-resistant wireless broadcast communication. In Proc. IEEE INFOCOM, 2010.
[30] J. Lopatka. Adaptive generating of the jamming signal. In Proc. IEEE Military Communications Conference (MILCOM), 1995.
[31] W. H. Maisel. Safety issues involving medical devices: Implications of recent implantable cardioverter-defibrillator malfunctions. Journal of the American Medical Association, 2005.
[32] W. H. Maisel and T. Kohno. Improving the security and privacy of implantable medical devices. New England Journal of Medicine, 362(13):1164-1166, 2010.
[33] I. Martinovic, P. Pichota, and J. Schmitt. Jamming for good: A fresh approach to authentic communication in WSNs. In Proc. ACM Conf. on Wireless Network Security (WiSec), 2009.
[34] Medtronic's Paradigm Veo wireless insulin pump helps prevent hypoglycemia. MedGadget, Internet Journal for emerging medical technologies, 2009.
[35] Medtronic Inc. CareLink Programmer. http://www.medtronic.com/.
[36] Medtronic Inc. Concerto II CRT-D digital implantable cardioverter defibrillator with cardiac resynchronization therapy. http://www.medtronic.com/.
[37] Medtronic Inc. Virtuoso DR/VR implantable cardioverter defibrillator systems. http://medtronic.com/.
[38] H. Meyr, M. Moeneclaey, and S. A. Fechtel. Digital Communication Receivers: Synchronization, Channel Estimation, and Signal Processing. Wiley, 1998.
[39] D. Panescu. Wireless communication systems for implantable medical devices. IEEE Eng. in Medicine and Biology Mag., 2008.
[40] PCTest Engineering Labs, Inc. Certificate of compliance, FCC Part 95 certification, test report number: 95.220719375.lf5, 2002.
[41] PCTest Engineering Labs, Inc. Certificate of compliance, FCC Part 95 and EN 301 839-2, test report number: 0703090168.med, 2007.
[42] C. Pöpper, M. Strasser, and S. Capkun. Jamming-resistant broadcast communication without shared keys. In USENIX Security Sym., 2009.
[43] B. Radunovic, D. Gunawardena, P. Key, A. Proutiere, N. Singh, H. V. Balan, and G. Dejean. Rethinking indoor wireless: Low power, low frequency, full-duplex. Technical report, Microsoft Research, 2009.
[44] M. Rieback, B. Crispo, and A. Tanenbaum. RFID Guardian: A battery-powered mobile device for RFID privacy management. In Proc. Australasian Conf. on Information Security and Privacy, 2005.
[45] D. Sagan. RF integrated circuits for medical applications: Meeting the challenge of ultra low power communication. Zarlink Semiconductor. http://stf.ucsd.edu/presentations.
[46] N. Santhapuri, R. R. Choudhury, J. Manweiler, S. Nelakuduti, S. Sen, and K. Munagala. Message in message (MIM): A case for reordering transmissions in wireless networks. In ACM HotNets-VII, 2008.
[47] K. Sayrafian-Pour, W. Yang, J. Hagedorn, J. Terrill, K. Yazdandoost, and K. Hamaguchi. Channel models for medical implant communication. Inter. Journal of Wireless Info. Networks, 2010.
[48] S. Schechter. Security that is meant to be skin deep: Using ultraviolet micropigmentation to store emergency-access keys for implantable medical devices. In USENIX Workshop HealthSec, 2010.
[49] M. Scheffler, E. Hirt, and A. Caduff. Wrist-wearable medical devices: Technologies and applications. Medical Device Technology, 2003.
[50] C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4):656-715, 1949.
[51] V. Shnayder, B. Chen, K. Lorincz, T. R. F. Fulford-Jones, and M. Welsh. Sensor networks for medical care. Technical Report TR-08-05, Harvard University, 2005.
[52] M. J. Siavoshani, U. Pulleti, E. Atsan, I. Safaka, C. Fragouli, K. Argyraki, and S. Diggavi. Exchanging secrets without using cryptography. arXiv:1105.4991v1, 2011.
[53] D. Tse and P. Viswanath. Fundamentals of Wireless Communications. Cambridge University Press, 2005.
[54] A. Wyner. The wire-tap channel. Bell Sys. Technical Journal, 1975.
[55] S. Xiao, A. Dhamdhere, V. Sivaraman, and A. Burdett. Transmission power control in body area sensor networks for healthcare monitoring. IEEE Journal on Selected Areas in Comm., 2009.
[56] F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li. IMDGuard: Securing implantable medical devices with the external wearable guardian. In Proc. IEEE INFOCOM, 2011.
[57] Zephyr Inc. BioHarness BT. http://www.zephyr-technology.com.
[58] C. Zhan, W. B. Baine, A. Sedrakyan, and S. Claudia. Cardiac device implantation in the US from 1997 through 2004: A population-based analysis. Journal of General Internal Medicine, 2007.