September 24, 2013
Heartbeat Passwords May Make Implanted Medical Devices Unhackable
[ Watch the Video: Securing Your Implanted Device With A Heartbeat Password ]
redOrbit Staff & Wire Reports - Your Universe Online
Implantable devices such as defibrillators and insulin pumps typically come with wireless connectivity that allows doctors to update software or download data. However, this wireless capability also gives hackers an opportunity to remotely alter the device in potentially life-threatening ways.
Masoud Rostami, one of the Rice University researchers involved in the current study, said IMDs generally lack the kind of password security found on home Wi-Fi networks because emergency medical technicians often need quick access to the information the devices store to save a life.
The downside of this, however, it that it leaves the IMDs open to attack, he said.
“If you have a device inside your body, a person could walk by, push a button and violate your privacy, even give you a shock,” he said in a statement.
To address this vulnerability, the researchers developed a new security feature that uses the patient’s own heartbeat as a kind of password that could only be accessed through touch.
A hacker “could make (an insulin pump) inject insulin or update the software of your pacemaker. But our proposed solution forces anybody who wants to read the device to touch you," Rostami said.
The new system, dubbed Heart-to-Heart, would require software in the IMD to talk to the "touch" device, called the programmer. When a medical technician touches the patient, the programmer would pick up an electrocardiogram (EKG) signature from the beating heart. The internal and external devices would compare minute details of the EKG and execute a "handshake." If signals gathered by both at the same instant match, they become the password that grants external access to the device.
“The signal from your heartbeat is different every second, so the password is different each time,” Rostami said. "You can't use it even a minute later."
Rostami compared the EKG to a chart of a financial stock.
“We’re looking at the minutia. If you zoom in on a stock, it ticks up and it ticks down every microsecond. Those fine details are the byproduct of a very complex system and they can’t be predicted.”
A human heartbeat is the same, in that every beat has unique characteristics that can be read and matched, he said.
“We treat your heart as if it were a random number generator.”
Rice electrical and computer engineer Farinaz Koushanfar said the system could potentially be used with the millions of IMDs already in use.
“To our knowledge, this is the first fully secure solution that has small overhead and can work with legacy systems,” she said. "Like any device that has wireless access, we can simply update the software."
Koushanfar said the software would require very little of an IMD’s power, unlike other security solutions that require computationally intensive – and battery draining – cryptography.
“We’re hopeful,” she said, adding that implementation would require cooperation with device manufacturers, and approval by the Food and Drug Administration (FDA). "We think everything here is a practical technology."
Rostami said the need for technology such as Heart-to-Heart will only grow over time.
“People will have more implantable devices, not fewer,” he said.
Indeed, there are more than 300,000 wireless electronic medical devices implanted in people every year in the United States alone.
“We already have devices for the heart and insulin pumps, and now researchers are talking about putting neuron stimulators inside the brain. We should make sure all these things are secure.”
Koushanfar and Rostami worked with Ari Juels, former chief scientist at RSA, to develop the new technology. The researchers will present their findings at the Association for Computing Machinery’s Conference on Computer and Communications Security in Berlin in November.
A paper describing the Heart-to-Heart authentication system can be viewed here.