Security for Implanted Medical Devices
Worried about someone hacking your implanted medical devices? Here’s a signal-jamming device you can wear.
Clive Robinson • August 23, 2011 8:33 AM
I’m not sure what the legality of the jammer is in the US but I suspect the FCC would have something to say about it. Also not all implants work at 400 MHz; some work down in the HF band with a coil placed just under the skin over the ribs etc.
As for the way it works there are a number of products already out there that inject a phase and amplitude controlled “anti-phase” signal into the RX path.
One way to do it is with a bit of Weaver line or other stripline technology. The signal causes a low frequency signal to be produced (ie just like Direct Conversion); this signal is used to null both the phase and amplitude.
If you do it right then you can actually use the Direct Conversion in an IQ receiver to pick up the wanted signal; you then have to do a second set of nulling to deal with any modulation you might apply to the jamming signal.
Such systems have been used for VHF and UHF tactical on frequency repeaters.
vwm • August 23, 2011 8:38 AM
What if I’m worried about my implanted medical devices being confused by defective signal-jamming devices?
Danny Moules • August 23, 2011 8:38 AM
There’s also nothing stopping people from maliciously using a signal-jamming device in a hospital and stopping the functionality from working or (worse) potentially corrupting the data.
With ongoing trials of devices that regulate intake of medicine which rely on external control the use of jammers (maliciously or unintentionally) could easily result in the death of patients, too. This is an area I’ve been watching with some concern.
Clive Robinson • August 23, 2011 8:39 AM
Oh I forgot to mention, if your attacker is aware that you have such a device there are ways they can use it to get past the security.
I won’t go into implementation details because it might give people ideas how to attack all sorts of other systems.
However to put it in crypto speak, it can be used in just the same way bitflipping can be used to attack a stream cipher that does not have appropriate plaintext level MACs etc.
Clive Robinson • August 23, 2011 8:52 AM
“What if I’m worried about my implanted medical devices being confused by defective signal-jamming devices?”
The bad news is they don’t have to be defective to do that.
They can be working perfectly normally but convert the front end of the implant into a harmonic mixer.
That is, the front end of the implant works at 400 MHz, the jammer also works at 400 MHz, and a signal at 800 MHz will be down converted in any nonlinear circuit in the implant front end. As will many other harmonics and subharmonics of the 400 MHz signal. All the other frequency has to have is modulation that approximates the wanted signal.
The design of the front end of most of these implants is going to be for low voltage and low power consumption, therefore their dynamic range will be fairly bad and as a consequence they will be susceptible to this.
By the way there are two basic types of jamming, CW and modulated. A receiver with a high dynamic range is difficult to jam with just CW, therefore you add a modulation signal that approximates the desired signal for the receiver such that it mucks up or jams the demodulation circuits further down the receiver chain inside the receiver.
PrometheeFeu • August 23, 2011 9:01 AM
Their system seems like overkill. They use some sort of adaptive jamming in order to allow your doctor to bypass the jamming device in read-only mode. But, why do you need your doctor to bypass the jammer. Just turn off your jammer when your doctor needs to communicate with your device. And if you think that this is when the terrorists will get you, you need to realize that your doctor will need to turn off the jammer to reprogram your implant anyways.
Furthermore, the authors of the research are opposed to encryption because you might be in a foreign country and your doctor might not be available to give the secret key. That’s a very simple problem to solve. Give those who wear such a device a small bracelet on the inside of which is a barcode with the key. When someone needs to access your implant, you give them the bracelet, they scan it and then you’re done.
Clive Robinson • August 23, 2011 9:03 AM
@ Danny Moules,
“This is an area I’ve been watching with some concern.”
Yup, me too.
There is a whole heap of problems with radio controlled implants, not least of which is the two hundred odd ways of getting data in and out of these devices with “custom console” devices.
Hospitals cannot afford to have so many different consoles in the A&E Dept or up on wards. So a set of standards is needed to make it possible to have just one console type work with all implants.
If you like it would be a bit like having USB over WiFi. You would have a physical layer standard for the radio and modulation method and basic signalling system. On top of this you would have standards for each class of implant.
However we know from the early days of WiFi that it is easy to get the security wrong when engineers sit down with the best of intentions when designing interoperability standards. Which is why those with an in-depth knowledge of designing robust security protocols should be involved from day zero.
Albireo • August 23, 2011 9:24 AM
Implementation issues aside, shouldn’t the usage of a PKI or certificate based encryption solve the issue?
Each implant has the public key encoded and each user is given a smart card with the private key, then to upload or download data one needs to provide the smart card.
This way even if the WiFi connection is not protected an attacker can’t tamper with the device.
Poster of Brucedom Currently Being Tracked by the DHS • August 23, 2011 9:26 AM
There won’t be a demand for med device jammers until erectile dysfunction prosthetics have receivers. Then all hell’s gonna break loose.
EdT. • August 23, 2011 9:42 AM
I have an easier (and far more legal) way of preventing this: I simply turn off all remote access methods (of which there are several) for my device.
Clive Robinson • August 23, 2011 10:21 AM
“Implementation issues aside, shouldn’t the usage of a PKI or certificate based encryption solve the issue?”
In theory yes, in practice no.
It’s a question of power consumption, PK crypto tends to chew lots of CPU cycles or need dedicated hardware. All of which adds a considerable power drain on the batteries compared to the rest of the system and a designed battery life of fifteen years or so.
“I simply turn off all remote access methods”
Err, logic would dictate that if you turned them “all” off and the implant was fully embedded in you, you would have to make a hole in yourself to turn at least one on to enable the others as and when required…
And if you leave only “one” on, on a fully embedded implant, then an attacker could remotely turn the rest on…
As I said earlier we need standards for the physical layer, one of which needs to be an inductive power port embedded just below the surface such that the implant can be externally powered whilst power hungry activities are going on. It would also help out when the battery starts to go bad as it helps take some of the time pressure off (however such systems have disadvantages as well).
Captain Obvious • August 23, 2011 11:33 AM
If you’re less than “10s of meters away” you can probably find an easier way to kill someone. Or is this intended only for billionaires and diplomats?
Tin foil body armor would be cheaper, cooler, and give the hat makers a much needed inventory boost.
It seems to me that a “jamming” technology must always be big. As you miniaturize it, you decrease its power. An attacker malicious enough to want to kill someone with their pacemaker isn’t going to stop at 100 times the power (a mere 20 dB? c’mon guys). I’m going to walk up to you with entire bandoliers of batteries under my coat, and hit at 30-50 dB. Let’s see you miniaturize the batteries and deal with that!
He mentioned a really complicated relaying system to allow the doctor to work… what about just turning the device off when the doctor is working?
I’d like a solution one step further than Clive’s. Not only offer PKI by powering the device with induction, but simply have the terminals turned off unless you are exposed to a sufficiently powerful magnetic field. Anyone who can bring a powerful field close enough to your chest to trigger the mechanism could have simply brought a knife instead.
In my mind, the doctor would put a decent sized rare earth magnet on your chest before starting the data link.
John Campbell • August 23, 2011 11:54 AM
This got me to smile: “There won’t be a demand for med device jammers until erectile dysfunction prosthetics have receivers. Then all hell’s gonna break loose.”
I can just imagine that there’d be a market for a “pop-up blocker” when the spouse wants an uninterrupted nap.
BF Skinner • August 23, 2011 12:15 PM
I WASN’T but then I began reading “Schneier on Security A blog covering security and security technology.”
Richard Steven Hack • August 23, 2011 3:26 PM
“Anyone who can bring a powerful field close enough to your chest to trigger the mechanism could have simply brought a knife instead.”
A nitpick from me: Sometimes you don’t want anyone to know the guy was assassinated. A “natural” heart attack is much cleaner.
Watch Charles Bronson’s original “The Mechanic” for how he does in a guy with a heart condition by frightening him enough to make him run up a steep hill. Then he just comes in, covers the guy’s nose and waits for his heart to explode.
So, why will a paranoid pacemaker patient be confident that no one has hacked his jammer, or worse yet installed an app on it that won’t come on until a massively inconvenient time and then erases itself after the arrhythmia is over?
M.V. • August 23, 2011 4:17 PM
“A nitpick from me: Sometimes you don’t want anyone to know the guy was assassinated. A “natural” heart attack is much cleaner.”
A nitpick on the nitpick: If you are wearing a heart pacemaker, you are vulnerable to this even if the device is using the best security or has no access at all. I am sure Clive can explain in detail how to do it.
Even with GSM phones you have to be careful as a pacemaker wearer.
Clive Robinson • August 23, 2011 5:04 PM
“I am sure Clive can explain in detail how to do it”
Yes I can there are a number of ways.
The particular one you are hinting at with GSM is something that should not be possible but is because medical electronics are effectively excluded from the EMC requirements.
To get a simple practical understanding of the effect you just need to put a GSM phone next to an audio amplifier where there is no input connected. Every so often you will hear a strange buzzing rasp, this is the phone transmitting a “keep alive” signal back to the base station. You will also hear the same noise for about a second just before the phone starts to ring.
What is happening is the transmitted RF is getting into the very sensitive front end of the amplifier where one or more transistors “envelope rectify” the signal, and this envelope being well within the audio band (unlike the RF carrier) will get amplified by the following circuits.
The problem with pacemakers is that the pacing lead in your chest connects at one end to your heart and at the other end to the electronics. Depending on where the pacemaker is, these leads can be quite long and thus will be resonant in the VHF or UHF band. A pacemaker actually senses as well as paces, and to do the sensing it has a very sensitive amplifier feeding into the pacemaker electronics.
Thus any RF carrier at a frequency near resonance of a lead will be easily picked up; if it is modulated with a waveform that looks sufficiently like a heart waveform then it will “pull” the pacemaker or make it think you have an abnormal rhythm etc. I’m told the results can be quite unpleasant.
Now for those of you living in the US you should be aware that the mass implanting of pacemakers in patients is not really driven by medical need but insurance need. And this greatly worries me because it means potentially each pacemaker fitted is a ticking timebomb just waiting to be triggered…
It’s why I want standards at the physical layer that are thought out properly because it’s not just the security of the comms on the control console that is an issue.
And yes I’m being “selfish” as I’m of an age where they might consider putting one in me, and as I have occasion to work with high power transmitters for the broadcast industry from MF through to microwaves with rapidly increasing complexity of envelope modulation schemes, it kind of scares the 5h1t out of me when I think about it…
Richard Steven Hack • August 23, 2011 5:51 PM
M.V.: “If you are wearing a heart pacemaker, you are vunerable to this even if the device is using the best security or has no access at all.”
Yes, but my point was there is a difference between using some method of inducing a heart attack and using an obvious weapon like a knife.
Which does bring up the question of forensic evidence if one messes with the pacemaker using an external means. I assume if there is wireless access that there might be some digital leavings left behind, depending on the method of stealth access.
The real question is: If someone dies wearing one of these externally accessible devices, does an autopsy have to be performed which includes a forensic examination of the device? Presumably the device WILL be examined by the maker or surgeon who implanted it just to make sure the device was not at fault. But does that – or even can that – include looking for signs of tampering as would be the case with a physical attack?
My guess is not.
Brianary • August 23, 2011 6:08 PM
There is some question as to whether this is hysterical or not:
M.V. • August 23, 2011 6:51 PM
“Clive: The particular one you are hinting at with GSM is something that should not be possible but is because medical electronics are effectively excluded from the EMC requirements.”
Problem with the pacemaker (and some diagnostic devices like EKG) is, that it is impossible to properly shield it.
“Clive: And yes I’m being “selfish” as I’m of an age where they might consider putting one in me and as I have occasion to work with high power transmitters for the broadcast industry from MF through to microwaves with rapidly increasing complexity of envelope modulation schemes it kind of scares the 5h1t out of me when I think about it…”
I fear when you ever get a pacemaker the fun with high power transmitters is over.
“RSH:The real question is: If someone dies wearing one of these externally accessible devices, does an autopsy have to be performed which includes a forensic examination of the device? Presumably the device WILL be examined by the maker or surgeon who implanted it just to make sure the device was not at fault. But does that – or even can that – include looking for signs of tampering as would be the case with a physical attack?”
This can and should be a matter of regulations. The surgeon or the maker of the device may not be impartial in case of malfunctions.
However with pacemakers (as the most common implant) it may be impossible to detect any traces at all. Other attacks like changing parameters, i.e. the daily insulin dose, should be documented and in case of a malfunction compared with the last setting made.
RobertT • August 24, 2011 4:35 AM
To get an idea how big the potential problems are for implantables, look up the details on QF72 (7 Oct 2008).
I can’t go into it, but I certainly wouldn’t be going anywhere near Learmonth WA if I had a dodgy heart pacemaker.
The problem with protecting sensitive electronics against high power RF attacks is that the absorbed RF power still needs to be dissipated somewhere. Usually you want to prevent it feeding back into the power supply or through the input protection diodes, so this means the Rx signal amplitude must be constrained to be less than the Rx protection supply.
To protect the antenna you usually add 2 diodes (one each way) across the antenna and a FET shorting the antenna (de-Q-ing), which is controlled by the output of an internal Rx signal strength indicator. That works great for intentional antennas, but as Clive pointed out, every piece of wire is a good antenna at some frequency, so every other input to the pacemaker needs to be viewed as a potential antenna / rectifier and treated accordingly.
Once you prevent the RF energy from getting onto the chip, you can start to think about adding some form of encryption to protect against unauthorized access.
Clive Robinson • August 24, 2011 8:14 AM
For those that want to go into the subject of security at the physical layer a good course on EmSec, TEMPEST, EMC would be a good place to start. Or ask Nick P for a list of our back posts on the subject on this blog 8)
As Robert T notes it is the RF power that is the problem, or more correctly the energy and the rise time (power = energy / time).
In effect there are two types of energy “wanted” and “unwanted” energy the trick is to accept the wanted energy and reject the unwanted energy without causing unwanted disturbance to the delicate electronics.
What most people don’t realise is that even the best of passive filters have deficiencies in terms of parasitic components of resistance, capacitance and inductance, not least of which are those due to physical layout. Further, few consider what happens to energy that does not pass through the filter, that is where it goes and where it ends up.
In the case of some fast rising high energy signals (EMP etc) the circuit can end up looking like a potential divider or ladder network, thus unwanted energy makes it through the filter to the sensitive electronics; other paths often occur due to poor circuit layout and “grounding” issues. Sadly the use of detectors and de-Q-ing circuits takes time and thus has difficulties with very fast rise times. Hence the reliance on balanced design and high speed diode devices in professional systems where EMP type interference is to be expected in the environment.
Outside of classified documentation for the likes of EmSec and TEMPEST the next best source on the basics is EMC and RF design documentation.
However the best documentation that covers the basics of the problem and some of the solutions to the issues was a document called “The care and feeding of double balanced mixers”; however it does not appear to be up on the web currently.
However you can start by reading,
You can also hunt around for information using
[diplexer “double balanced mixer”]
Diplexers are circuits that can work from “DC to daylight” and maintain a constant impedance and broadband return loss, both of which are desirable properties when dealing with unwanted energy. Put simply they are two or more filters that get terminated in the correct load. In the case of unwanted energy this is a resistor.
Good return loss is important because it represents energy bouncing backwards and forwards between the source (antenna wire) and the diplexer resistive load. This energy can create “standing waves” causing voltage peaks well above the signal level (see VSWR or Voltage Standing Wave Ratio) or worse, if there are any nonlinear circuit elements (limiting diodes etc), convert the energy from one frequency to another.
Unfortunately few electronic designers these days have a good professional understanding of RF and analog circuit design, nor do those laying out their designs on Printed Circuit Boards (PCBs).
And if you want an idea of what’s involved with an “amateur” level interest in RF design have a look at,
As I said, a lot of people designing electronics in general don’t get to even this Amateur level of skill in RF, which along with EMC design is usually seen as a “Black Art”, much like most analog electronics design. The result is they tend to copy from other designs hoping that it all works at the end of the day to get them past EMC testing…
M.V. • August 24, 2011 8:23 AM
RobertT: “To protect the antenna you usually add 2 diodes (one each way) across the Antenna and a FET shorting the antenna (de Q-ing), which is controlled by the output of an internal Rx signal strength indicator. That works great for intentional Antenna’s, but as Clive pointed out, every piece of wire is a good antenna at some frequency, so every other input to the pace-maker needs to be viewed as a potential antenna / rectifier and treated accordingly.”
The problem with the pacemaker is the other end of that wire; with enough energy coming from the RF it may stimulate the heart muscle.
RobertT • August 24, 2011 10:23 AM
“The problem with the pacemaker is the other end of that wire, with enough energy coming from the RF it may stimulate the heart muscle.”
Exactly, hence Clive is saying forget about fixing the Crypto layer until you have fixed the Physical layer.
The heart will contract if the unintentional signal at the SA is above the action potential of the heart muscle. The heart is a very special muscle because it continuously depolarizes until it generates its own trigger signal, so the longer you wait the smaller the required signal. This action potential signal is relative to the heart muscle, so the GND of the pacemaker is the heart muscle itself; however when the pacemaker is subjected to high strength RF fields it acts like an antenna, so the whole pacemaker voltage moves “common mode” to the heart. This alone can cause false triggering of the heart muscle, without any signal being induced through any electronic “hacking” path.
I’m way out of the loop on heart pacemakers design, I worked on them 30 years ago but there have been a lot of advancements since those days.
RobertT • August 24, 2011 10:42 AM
“What most people don’t realise is that even the best of passive filters have deficiencies in terms of parasitic components of resistance, capacitance and inductance not least of which are those due to physical layout. Further few consider what happens to energy that does not pass through the filter, that is where it goes and where it ends up.”
Floating systems like a heart pacemaker are a little different to normal RF because trying to limit the “out of band” energy with LC filters does not really work. All that happens is the antenna impedance gets mismatched and a standing wave grows on the wire until the voltage peaks reach a level where it forward-biases some parasitic (unintentional path). So you have to keep both the differential and common mode impedances low, which is why the antenna inputs need FETs that shunt the RF energy and dissipate the received power.
The design of the antenna regulator is fairly complex because it must deal with very fast rise time envelopes; generally a fast diode is used to directly charge the FET gate for fast envelopes, and slow envelopes are regulated with a combination of internal voltage shunt regulator and antenna differential and common mode Rx signal strength shunts.
As you point out it is a waste of time and breath trying to explain this topic to most young engineers, especially these days. They are so caught up with complex DSPs and fancy analog circuits that this bread and butter RF and EMsec stuff is completely lost on them. Oh well, I guess that’s why they keep me around…
Clive Robinson • August 24, 2011 6:50 PM
“Floating systems like a heart pacemaker are a little different to normal RF because trying to limit the “out of band” energy with LC filters does not really work.”
Not with the antenna, however it should with the device electronics if properly shielded etc.
And thereby hangs the problem with pacemakers and the newer IED type devices that US medical insurance companies are pushing. At one end of the antenna is the device electronics, at the other the patient’s heart.
Now this is where I tread very carefully because my experience with the design of medical electronics was not with pacemakers or other implantable devices (I’m actually squeamish about such things and always have been).
As far as I’m aware the human heart is very insensitive to LF and above frequency energy (other than the heating effect), whereas it is extremely sensitive to DC and up to low audio range frequencies and waveforms.
If this is true then to a certain extent RF energy on the heart end of the wire can be ignored up to a much greater level than could any DC or low frequency signal.
However as we both know many modulation systems effectively “envelope modulate” the RF carrier, even if it is just sending packets of data every so often by turning an FM/PM modulated carrier on and off.
As we also know envelope modulation is very easy to recover; it just requires a diode to rectify the RF.
So we end up having a piece of wire acting as an antenna that in and of itself does not appear to represent much of a threat even if it is connected at one end to the heart, because it is effectively only an effective antenna at VHF and above and the heart is (I’m assuming) insensitive to this at low energy levels.
However at the other end of this wire we have a bunch of electronics that is going to be sensitive to VHF and above frequencies and worse due to the use of square law and other nonlinear devices will convert part of that energy into DC or low frequency if it can.
To do this the electronics must be able to see the RF energy at a level that is sufficient to cause the rectification of the RF.
Now two solutions would normally present themselves to this problem: a Faraday shield, and making the antenna very inefficient.
So the first approximation is the one often used in audio electronics, which is to put the electronics in a shielded box, and put the wires that would act as an antenna into a shield as well, which is only terminated at the electronics box end, not the heart end.
This is fine from the electronics perspective, but is it also fine from the heart’s end, ie to the heart does it represent no more of a threat than a piece of wire of equivalent size…
Well sadly no, because the case and outer screen of the wire will still act as an antenna even though the electronics is inside; the wire attached to the heart spoils the model because it breaches the shield, and the heart itself will end up acting as an antinodal reference to the shield, which is not good if the wire allows the transfer of the energy.
Thus the second approximation is to replace the low impedance wire to the heart with a high impedance, which limits the amount of energy that can be transferred between the heart and the electronics.
However this has a disadvantage: although it can still be used for sensing the heart waveform it is not of much use when it comes to providing either the pacing pulse or defib pulse.
Is there a solution to this problem? Well yes there is, and it’s called galvanic isolation. And oddly you turn the problem back on itself.
Two tuned circuits where the inductors are effectively a transformer provide galvanic isolation between one side and the other. The fact they are made tuned circuits means that there is a narrow frequency band in which energy can cross from one tuned circuit to another.
If the electronics side is an oscillator which is envelope modulated and the other side is a full-wave rectifier then only energy in the passband of the tuned circuits should cross.
So we then need to review the model again…
I’m guessing with care the issue can be brought to within manageable proportion.
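An added simulation (my own, not from the thread or any device vendor) of the two square-law effects described above: the “harmonic mixer” case from Clive’s 8:52 AM comment, where a 400 MHz jammer drags an 800 MHz signal’s modulation into the implant’s 400 MHz passband, and the envelope rectification that this comment and the GSM-buzz comment rely on. The front end is modelled as y = x + k2·x²; the 400/800 MHz figures come from the thread, while the sample rate, the 1 MHz modulation tone, the modulation depth and the k2 value are constructed assumptions.

```python
import math

# Constructed simulation parameters (assumptions, not from the thread)
FS = 4.0e9          # sample rate, Hz: 5x the 800 MHz tone, so nothing aliases
N = 40000           # samples -> 10 us window, so every DFT bin is 100 kHz wide
F_IMPLANT = 400e6   # implant front end and jammer frequency (from the thread)
F_OTHER = 800e6     # the 800 MHz signal Clive describes (second harmonic)
F_MOD = 1e6         # constructed: modulation tone riding on the 800 MHz carrier


def _bin_of(f):
    """Map a frequency to its DFT bin; the tones are chosen to sit exactly on bins."""
    k = f * N / FS
    if abs(k - round(k)) > 1e-9:
        raise ValueError("frequency %g is not a multiple of FS/N" % f)
    return int(round(k))


def waveform(jammer_amp, depth):
    """What the implant's antenna sees: a CW jammer at 400 MHz plus an
    amplitude-modulated carrier at 800 MHz (envelope 1 + depth*cos(2*pi*F_MOD*t))."""
    x = []
    for n in range(N):
        t = n / FS
        jam = jammer_amp * math.cos(2 * math.pi * F_IMPLANT * t)
        env = 1.0 + depth * math.cos(2 * math.pi * F_MOD * t)
        x.append(jam + env * math.cos(2 * math.pi * F_OTHER * t))
    return x


def front_end(x, k2):
    """Weakly nonlinear low-power front end: y = x + k2*x^2.
    k2 = 0 is the ideal linear amplifier; k2 > 0 is the square-law term that
    every real diode or transistor stage has to some degree."""
    return [v + k2 * v * v for v in x]


def tone_amplitude(y, f):
    """Amplitude of the cosine component at f, via a single-bin DFT."""
    k = _bin_of(f)
    re = im = 0.0
    for n, v in enumerate(y):
        ang = 2 * math.pi * k * n / N
        re += v * math.cos(ang)
        im -= v * math.sin(ang)
    return 2.0 * math.hypot(re, im) / N


def sideband_level(jammer_amp, k2, depth=0.5):
    """Harmonic-mixer effect: the 800 MHz carrier's modulation shows up as an
    AM sideband at 401 MHz, i.e. inside the implant's 400 MHz passband.
    Analytically it is k2 * jammer_amp * depth / 2, and it vanishes if either
    the jammer or the nonlinearity is absent."""
    y = front_end(waveform(jammer_amp, depth), k2)
    return tone_amplitude(y, F_IMPLANT + F_MOD)


def envelope_level(jammer_amp, k2, depth=0.5):
    """Envelope rectification: the same square-law term delivers the carrier's
    envelope straight to baseband (1 MHz here), jammer or no jammer.
    Analytically it is k2 * depth."""
    y = front_end(waveform(jammer_amp, depth), k2)
    return tone_amplitude(y, F_MOD)


if __name__ == "__main__":
    for jam, k2 in [(1.0, 0.1), (0.0, 0.1), (1.0, 0.0)]:
        print("jammer=%.1f k2=%.2f  401 MHz sideband=%.4f  1 MHz baseband=%.4f"
              % (jam, k2, sideband_level(jam, k2), envelope_level(jam, k2)))
```

The in-band sideband only appears when both the jammer and the square-law term are present, and it grows linearly with jammer amplitude, which is why a front end’s second-order linearity (the kind of two-tone test an evaluator would run) matters more than how strong the protective jammer is.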
M.V. • August 25, 2011 12:31 PM
I think you underestimate the sensitivity of heart muscle. A short DC pulse (around 1 msec) of 100 µA applied to the wire is enough to cause fibrillation.
BTW you need to get in contact with the makers now, so when you need one there is one which satisfies your requirements. When the doctors start to threaten you with one it is too late.