Thursday, September 8, 2011

Improving implantable medical device security and privacy with the IMD Shield

We researchers at the MDSC spend a lot of time thinking about vulnerabilities in implantable medical devices (IMDs), but it's über-exciting when we can also work on emerging technology that improves the security and privacy of medical devices. The IMD Shield, presented at ACM SIGCOMM 2011, takes a fresh look at IMD communications and offers somewhat unorthodox solutions to several hard security problems:
  1. How can we protect an IMD without requiring that it be surgically replaced?
  2. How should an IMD's security and privacy mechanisms fail open—that is, protect the device by default but allow emergency responders to bypass them?
  3. How can we prevent eavesdroppers from receiving sensitive patient information from an IMD?
  4. How can we prevent an IMD from obeying commands from unauthorized transmitters?
The secret sauce is friendly jamming, applied judiciously. The IMD Shield takes advantage of the specific properties of medical communications (in the MICS band) to protect IMDs from passive and active adversaries, to fail open when appropriate, and to reduce the risks related to surgical replacement.

Sidebar: Overview of the IMD Shield from a USENIX Security 2011 poster.
On to the paper's details: A shield is a wearable electronic device that acts as a proxy for an IMD's communications. In a future form, the shield might resemble a locket or necklace. It has two antennas inside, designated TX (transmit) and RX+TX (receive and transmit). It listens on a certain set of wireless channels for messages to or from the IMD. When it hears a message destined for the IMD, the shield transmits a random jamming signal from its TX antenna that prevents the IMD from receiving the message. Only after authenticating the message's sender does the shield stop jamming. In the other direction, the shield jams every message sent by the IMD to foil eavesdroppers: the TX antenna transmits a random jamming signal while the RX+TX antenna simultaneously transmits an antidote signal that cancels the jamming only at the RX+TX antenna. The cancellation is possible there and not elsewhere because the shield knows both the jamming waveform it chose and the fixed channel between its own two antennas, so it can precompute the exact opposite signal; an eavesdropper at any other position receives the jamming and the antidote over different channels, and they do not cancel. The shield and an authorized IMD programmer (e.g., one in a doctor's clinic, or a bedside monitor) establish an encrypted channel out of band and exchange messages over it.

Sidebar: The IMD Shield's jamming strategy provides information-theoretic security akin to that of a one-time pad. The shield fails open when off or absent. (From a USENIX Security 2011 poster.)
Mapping the shield's operations to the four key problems above: (1) None of the shield's protection mechanisms require IMD replacement; the implanted device itself is left unmodified. (2) When the shield is powered off or removed by an emergency responder, it does not jam any signals; the system fails open. The flip side of this choice is that anyone who can switch off or remove the shield gets the unprotected IMD back, so the shield raises the bar against remote attackers rather than against one with physical access to the patient. (3) The shield's jamming of IMD transmissions foils eavesdroppers, who cannot separate the IMD's transmission from the random jamming they receive on top of it. (4) The shield prevents the IMD from obeying, or even hearing, unauthorized commands.
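To make the two jamming directions and the fail-open behavior concrete, here is a toy baseband simulation. It is an added example, not the authors' code (their prototype runs on USRP boards under GNU Radio). The complex channel gains, the jamming and noise levels, and the use of an HMAC-SHA256 tag as a stand-in for the paper's out-of-band encrypted channel are all assumptions chosen so the mechanism is visible; the command bytes and key are constructed for the demo.

```python
"""Toy baseband model of the IMD Shield's friendly jamming (added illustration,
not the authors' code; channel gains, power levels and the HMAC check are assumptions)."""
import cmath
import hashlib
import hmac
import random


def gain(amp, phase):
    """Assumed complex channel gain: amplitude and phase (radians)."""
    return amp * cmath.exp(1j * phase)


# Assumed channels. Transmitter: i = IMD, j = shield TX (jamming) antenna,
# a = shield RX+TX (antidote) antenna, p = programmer.
# Receiver: r = shield RX+TX antenna, e = eavesdropper, i = IMD.
H = {
    "ir": gain(0.8, 0.3),   # IMD -> shield, centimetres away
    "jr": gain(0.5, 1.1),   # jamming antenna -> RX+TX antenna; fixed and known to the shield
    "ar": gain(1.0, 0.0),   # RX+TX antenna's own antidote as seen by its receiver
    "ie": gain(0.05, 2.0),  # IMD -> eavesdropper, metres away
    "je": gain(0.05, 0.4),  # jamming antenna -> eavesdropper
    "ae": gain(0.05, 2.6),  # RX+TX antenna -> eavesdropper
    "pi": gain(0.05, 1.7),  # programmer -> IMD
    "ji": gain(0.8, 0.9),   # jamming antenna -> IMD
    "ai": gain(0.8, 1.4),   # RX+TX antenna -> IMD
}
JAM_STD = 30.0     # jamming std per component; BPSK symbols have amplitude 1
NOISE_STD = 0.005  # receiver thermal noise per component


def bpsk(bits):
    return [1.0 if b else -1.0 for b in bits]


def jam_and_antidote(n, rng):
    """Fresh Gaussian jamming j from the TX antenna and the antidote a from the
    RX+TX antenna, chosen so that h_jr*j + h_ar*a == 0 at the RX+TX antenna only.
    j is random and never reused, which is what makes the eavesdropper's view of
    symbol-plus-jamming as uninformative as a one-time-pad ciphertext."""
    j = [complex(rng.gauss(0, JAM_STD), rng.gauss(0, JAM_STD)) for _ in range(n)]
    return j, [-(H["jr"] / H["ar"]) * s for s in j]


def silence(n):
    """Shield off or absent: nothing is jammed (fail open)."""
    return [0j] * n, [0j] * n


def receive(symbols, h_sig, j, a, h_j, h_a, rng):
    """Samples at a receiver: signal, jamming and antidote via their own channels, plus noise."""
    return [h_sig * s + h_j * jj + h_a * aa
            + complex(rng.gauss(0, NOISE_STD), rng.gauss(0, NOISE_STD))
            for s, jj, aa in zip(symbols, j, a)]


def coherent_decode(samples, h_sig):
    """Best case for the receiver: it knows the channel of the signal it wants."""
    return [(s / h_sig).real > 0 for s in samples]


def bit_error_rate(sent, decoded):
    return sum(bool(x) != bool(y) for x, y in zip(sent, decoded)) / len(sent)


def sample_bits(n, seed=7):
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def imd_transmits(bits, shield_on, seed=1):
    """IMD -> outside. Returns (BER at the shield's RX+TX antenna, BER at the eavesdropper)."""
    rng = random.Random(seed)
    x = bpsk(bits)
    j, a = jam_and_antidote(len(x), rng) if shield_on else silence(len(x))
    at_shield = receive(x, H["ir"], j, a, H["jr"], H["ar"], rng)
    at_eve = receive(x, H["ie"], j, a, H["je"], H["ae"], rng)
    return (bit_error_rate(bits, coherent_decode(at_shield, H["ir"])),
            bit_error_rate(bits, coherent_decode(at_eve, H["ie"])))


def make_tag(msg, key):
    return hmac.new(key, msg, hashlib.sha256).digest()


def shield_authorizes(msg, tag, key):
    """Assumed stand-in for the paper's out-of-band encrypted channel: the shield
    stops jamming only for a command carrying a valid HMAC under the shared key."""
    return hmac.compare_digest(make_tag(msg, key), tag)


def programmer_commands(msg, tag, key, shield_on, seed=2):
    """Outside -> IMD. Returns the BER the IMD sees for the command bits."""
    rng = random.Random(seed)
    bits = [(byte >> k) & 1 for byte in msg for k in range(8)]
    c = bpsk(bits)
    jam = shield_on and not shield_authorizes(msg, tag, key)
    j, a = jam_and_antidote(len(c), rng) if jam else silence(len(c))
    at_imd = receive(c, H["pi"], j, a, H["ji"], H["ai"], rng)
    return bit_error_rate(bits, coherent_decode(at_imd, H["pi"]))


if __name__ == "__main__":
    key, msg = b"constructed shared key", b"constructed command: set-pacing-rate=70"
    print("IMD -> shield/eve, shield on :", imd_transmits(sample_bits(2000), True))
    print("IMD -> shield/eve, shield off:", imd_transmits(sample_bits(2000), False))
    print("forged command, shield on    :", programmer_commands(msg, bytes(32), key, True))
    print("valid command, shield on     :", programmer_commands(msg, make_tag(msg, key), key, True))
    print("forged command, shield off   :", programmer_commands(msg, bytes(32), key, False))
```

Running it shows the shield decoding the IMD with no errors while an eavesdropper who knows its own channel perfectly still sits at roughly 50% bit errors, a forged command reaching the IMD as noise, and every protection disappearing the moment the shield is switched off. Two things the toy idealizes: the antidote cancels exactly at the RX+TX antenna, whereas a real shield has to estimate the inter-antenna channel and lives with some residual jamming, and the HMAC gate is only a placeholder for whatever the shield and programmer negotiate over their encrypted channel.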

The shield is currently implemented as a prototype on USRP boards controlled by GNU Radio.

["They Can Hear Your Heartbeats: Non-Invasive Security for Implanted Medical Devices"
by Shyamnath Gollakota, Haitham Hassanieh, Ben Ransford, Dina Katabi and Kevin Fu received the Best Paper Award at ACM SIGCOMM 2011.]
