Security and Privacy of Implantable Medical Devices

This thesis deals with the security and privacy of implantable medical devices (IMD). Specifically, we analyse the security of widely used IMDs, and propose practical and effective countermeasures to address the security issues we have identified.

We first propose a protocol that allows an IMD to establish an end-to-end secure channel with a hospital while preserving the patient's privacy. This enables remote monitoring and reprogramming of the patient's IMD through a base station installed in the patient's home. Our solution prevents unauthorised entities and adversaries from learning to whom the data belongs and to which hospital the medical data is sent, among others. We also present a key establishment protocol through which the base station and the IMD can agree on a symmetric session key without needing to share any prior secrets. These goals are achieved by using a physiological signal extracted from the patient's body in combination with fuzzy extractors.

Next, we perform a security analysis of an insulin pump system and we present various attacks. Furthermore, we study the feasibility of using cryptography to protect the wireless communication between the insulin pump and the remote control. To this end, we present a cryptographic AES-based solution with an updated message format that is optimised for energy consumption. We propose multiple alternatives of our solution and implement them in an openMSP430, a 16-bit micro-controller similar to the one used in the insulin pump. For each of these alternatives, we measure the extra computation and communication energy cost due to the use of cryptography both in the remote control and the insulin pump. Finally, we identify possible ways of decreasing the communication cost.

To the best of our knowledge, we are the first to document the reverse engineering and security analysis of the proprietary protocol between a device programmer and some of the latest generation of implantable cardioverter defibrillators (ICD) from one of the leading manufacturers over a long-range wireless channel. Our goal is to evaluate the feasibility of reverse-engineering the proprietary protocol by adversaries with limited resources who do not have physical access to the devices but can only eavesdrop on the wireless communications. Our work reveals the first attempt - known by the scientific community - to obfuscate the data that is transmitted over the air. In addition, we demonstrate attacks that can compromise the ICD's availability and the patient's privacy, and give evidence that replay and spoofing attacks are also possible. All our findings apply to at least 10 types of ICD that are currently on the market. We also discuss several ways of how adversaries can bypass the activation procedure - which requires to be in close proximity to the patient - to send maliciously crafted commands to the ICD from several meters away. Finally, several short-term and long-term countermeasures are proposed, including a novel semi-offline key agreement protocol that we formally verify using ProVerif.

Furthermore, we describe the process of how to reverse engineer the proprietary protocol between a device programmer and a neurostimulator to communicate over a short-range channel. Subsequently, we assess the feasibility and conduct several types of attacks on neurostimulators. To preclude these attacks, we present a complete security architecture that includes the generation and transportation of keys from the neurostimulator to the device programmer and the necessary cryptographic protocols to secure the communication flow. For generating the key on the neurostimulator, we investigate the potential of using a signal extracted from the patient's brain as a source of randomness. We also propose a novel technique for securely and reliably transporting the key from the neurostimulator to the device programmer. Our technique leverages the fact that both the patient's skin and the neurostimulator's case are conductive.

To conclude, we provide a critical evaluation of countermeasures that rely on patient's physiological signals for establishing a cryptographic key between two devices. Our work reveals serious security weaknesses in two pairing protocols proposed in the literature. Furthermore, we show that most of the existing countermeasures rely on unrealistic assumptions that underestimate the adversaries' capabilities. This work concludes by providing a set of recommendations on how to securely use physiological signals in cryptographic protocols.