July 13, 2022
Implantable medical devices have been saving lives since the first pacemaker was installed in 1958 – that’s over half a century. New breakthroughs are being made nearly every day. A few examples of implantable medical devices in use right now include deep brain stimulators for patients with epilepsy or Parkinson’s disease, drug delivery systems using infusion pumps, and various sensors to collect and process vital signs.
Increasingly, medical implants have connections to the internet. The connection allows healthcare providers to download data, and programmers to update the software.
That connection can make them vulnerable to attacks, which may be exacerbated by constraints of the device itself: limited computing power and battery capacity.
“We don’t want anyone to be able to hijack or to capture that transmission and get that data or interfere with what’s going on,” said IEEE Member Rebecca Herold.
TINY, ENCRYPTED COMMUNICATIONS
Communications between an implantable device and the laptop, phone, tablet, or device it is connected to often aren’t encrypted. The devices themselves are small, and may not have enough computing power to employ certain types of encryption.
But that may be changing as awareness of potential security risks grows.
Researchers are now actively exploring the use of the body’s own data to form the cryptographic key that both devices will use to establish secure communications. In an article in IEEE Access, for example, researchers discuss the use of electrocardiogram data as a benchmark for communications between medical sensors. The use of signals from the body, a form of biometrics, allows the establishment of a secure connection with limited computing resources.
BATTERY ATTACKS
Implants are also susceptible to attacks on their batteries, which can come in two forms.
In the first, an attacker asks the implant to establish a secure channel using incorrect credentials, which causes the implant to run part of an energy-consuming authentication protocol. This drains the battery. In the second, the bad actor generates electromagnetic noise in order to cause high error rates at the implant transceiver. This increases its energy consumption due to an increased number of free transmissions. The increased noise may also force the implant to increase its transmission power, which reduces battery life.
“The major risk is the interruption of the operation of the implant,” said IEEE Member Jéferson Nobre. “Since these attacks can be performed using legitimate tasks, defense can be performed using timeout or behavior anomaly detection.”
While these types of attacks are largely theoretical, they have been shown to be feasible through several demonstrations by security researchers. And in some cases, individuals have even had wireless connectivity to their implants disabled to prevent the attack.
“It’s one of the easiest to mount highly effective attacks,” said Shally Gupta, an IEEE Graduate Student Member.
Gupta said that, to defend against these attacks, device makers are increasingly turning to zero-power defense strategies – defenses that don’t rely on the device’s battery power. One example turns the attack on its head.
The strategy was recently described in an article published on IEEE Access: “The Implantable Medical Device (IMD) first harvests energy from wireless messages received from the external entity and then performs the authentication operation using this free energy. The IMD does not switch to its main battery for subsequent operations until and unless the external entity is authenticated.”
“This ensures that the IMD does not deplete its battery responding to bogus messages from entities,” Gupta said.
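The effect of that design on battery life can be seen in a small simulation, added here as an illustration and not taken from the article or the IEEE Access paper. The energy figures, the `Implant` class and the `simulate` function are constructed assumptions; the model compares an implant that pays for every authentication check from its battery with one that authenticates only on energy harvested from the incoming message.

```python
from dataclasses import dataclass

# Constructed, unitless energy figures for illustration only.
AUTH_COST = 5         # one authentication check
HARVEST_PER_MSG = 6   # energy harvested from one received message
HARVEST_CAP = 10      # storage limit of the harvesting capacitor
SESSION_COST = 20     # work done for an authenticated peer

@dataclass
class Implant:
    battery: float
    zero_power: bool   # True: authenticate only on harvested energy
    harvested: float = 0.0
    rejected: int = 0
    sessions: int = 0

    def receive(self, credential_ok: bool) -> bool:
        """Handle one channel-setup request; True if a session ran."""
        if self.zero_power:
            # The sender's own message pays for the authentication check.
            self.harvested = min(self.harvested + HARVEST_PER_MSG, HARVEST_CAP)
            if self.harvested < AUTH_COST:
                return False
            self.harvested -= AUTH_COST
        else:
            # Baseline: every request, valid or not, costs battery.
            if self.battery < AUTH_COST:
                return False
            self.battery -= AUTH_COST
        if not credential_ok:
            self.rejected += 1
            return False
        # Only an authenticated peer causes a switch to the main battery.
        if self.battery < SESSION_COST:
            return False
        self.battery -= SESSION_COST
        self.sessions += 1
        return True

def simulate(zero_power: bool, bogus: int, legit: int,
             battery: float = 1000.0) -> Implant:
    """Send `bogus` failed requests, then `legit` valid ones."""
    imd = Implant(battery=battery, zero_power=zero_power)
    for ok in [False] * bogus + [True] * legit:
        imd.receive(ok)
    return imd

if __name__ == "__main__":
    for mode in (False, True):
        imd = simulate(mode, bogus=500, legit=1)
        print(f"zero_power={mode}: battery={imd.battery}, sessions={imd.sessions}")
```

With these figures the baseline implant is drained by the failed requests and cannot serve the legitimate one, while the zero-power implant spends battery only on the authenticated session.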
LEARN MORE:
If you’d like to learn more about how cybersecurity vulnerabilities in medical devices are discovered and managed, check out this webinar from the IEEE Standards Association.
Video Transcript
What is a battery denial of service attack? How can they be defended against?
Rebecca Herold, IEEE Member: “Now, this type of attack is often launched by making continuous authentication requests from the adversary to the device itself. It’s effective because all these requests require power in order to respond to them, right … to check, to see if the authentication is valid and then to make sure that it gives the proper response back to it. So by doing this ongoing reaction to all these different types of authentication requests, it uses up the power in the device. The power runs out of energy. It goes down.
So the risk, well, if the attack is successful, the device will run out of energy and stop working. So imagine if that implantable is actually something that the patient is using, it depends upon for their health or to actually even live.”