Vibration-based secure side channel for medical devices

Implantable and wearable medical devices are used for monitoring, diagnosis, and treatment of an ever-increasing range of medical conditions, leading to an improved quality of life for patients. The addition of wireless connectivity to medical devices has enabled post-deployment tuning of therapy and access to device data virtually anytime and anywhere but, at the same time, has led to the emergence of security attacks as a critical concern. While cryptography and secure communication protocols may be used to address most known attacks, the lack of a viable secure connection establishment and key exchange mechanism is a fundamental challenge that needs to be addressed. We propose a vibration-based secure side channel between an external device (medical programmer or smartphone) and a medical device. Vibration is an intrinsically short-range, user-perceptible channel that is suitable for realizing physically secure communication at low energy and size/weight overheads. We identify and address key challenges associated with the vibration channel, and propose a vibration-based wakeup and key exchange scheme, named SecureVibe, that is resistant to battery drain attacks. We analyze the risk of acoustic eavesdropping attacks and propose an acoustic masking countermeasure. We demonstrate and evaluate vibration-based wakeup and key exchange between a smartphone and a prototype medical device in the context of a realistic human body model.

[1]  Erkki Oja,et al.  Independent component analysis: algorithms and applications , 2000, Neural Networks.

[2]  Chunliu Zhan,et al.  Cardiac Device Implantation in the United States from 1997 through 2004: A Population-based Analysis , 2007, Journal of General Internal Medicine.

[3]  Niraj K. Jha,et al.  Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system , 2011, 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services.

[4]  Meng Zhang,et al.  Trustworthiness of Medical Devices and Body Area Networks , 2014, Proceedings of the IEEE.

[5]  K.K. Venkatasubramanian,et al.  EKG-based key agreement in Body Sensor Networks , 2008, IEEE INFOCOM Workshops 2008.

[6]  Fengyuan Xu,et al.  IMDGuard: Securing implantable medical devices with the external wearable guardian , 2011, 2011 Proceedings IEEE INFOCOM.

[7]  Colleen Swanson,et al.  SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks , 2014, 2014 IEEE Symposium on Security and Privacy.

[8]  Kevin Fu,et al.  Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[9]  Srivaths Ravi,et al.  Analyzing the energy consumption of security protocols , 2003, ISLPED '03.

[10]  Farinaz Koushanfar,et al.  Heart-to-heart (H2H): authentication for implanted medical devices , 2013, CCS.

[11]  Songhwai Oh,et al.  Privacy-Aware Communication for Smartphones Using Vibration , 2012, 2012 IEEE International Conference on Embedded and Real-Time Computing Systems and Applications.

[12]  Kevin Fu,et al.  They can hear your heartbeats: non-invasive security for implantable medical devices , 2011, SIGCOMM.

[13]  Romit Roy Choudhury,et al.  Ripple: Communicating through Physical Vibration , 2015, NSDI.

[14]  N. Asokan,et al.  Vibrate-to-unlock: Mobile phone assisted user authentication to multiple personal RFID tags , 2011, 2011 IEEE International Conference on Pervasive Computing and Communications (PerCom).

[15]  T. Kohno,et al.  Clinically significant magnetic interference of implanted cardiac devices by portable headphones. , 2009, Heart rhythm.

[16]  Yih-Chun Hu,et al.  Body Area Network Security: Robust Key Establishment Using Human Body Channel , 2012, HealthSec.

[17]  Blake Hannaford,et al.  "Are You with Me?" - Using Accelerometers to Determine If Two Devices Are Carried by the Same Person , 2004, Pervasive.

[18]  Darko Kirovski,et al.  The Martini Synch: Device Pairing via Joint Quantization , 2007, 2007 IEEE International Symposium on Information Theory.

[19]  Nitesh Saxena,et al.  Acoustic Eavesdropping Attacks on Constrained Wireless Device Pairing , 2013, IEEE Transactions on Information Forensics and Security.

[20]  Lin Zhong,et al.  User evaluation of lightweight user authentication with a single tri-axis accelerometer , 2009, Mobile HCI.

[21]  Nitesh Saxena,et al.  On pairing constrained wireless devices based on secrecy of auxiliary channels: the case of acoustic eavesdropping , 2010, CCS '10.

[22]  Nitesh Saxena,et al.  Treat 'em like other devices: user authentication of multiple personal RFID tags , 2009, SOUPS.

[23]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .