New password in a heartbeat: Researchers propose touch-to-access security for implanted devices

Sep 23, 2013
Rice University engineers have created a system to secure wireless implantable medical devices like pacemakers and insulin pumps. Their system requires the medical worker to touch the patient with a programmer device to gain access to information on the implant. The patient's unique heartbeat serves as a temporary password. Credit: Masoud Rostami/Rice University

Pacemakers, insulin pumps, defibrillators and other implantable medical devices often have wireless capabilities that allow emergency workers to monitor patients. But these devices have a potential downside: They can be hacked.

Researchers at Rice University have come up with a secure way to dramatically cut the risk that an implanted medical device (IMD) could be altered remotely without authorization.

Their technology would use the patient's own heartbeat as a kind of password that could only be accessed through touch.

Rice electrical and computer engineer Farinaz Koushanfar and graduate student Masoud Rostami will present Heart-to-Heart, an for IMDs, at the Association for Computing Machinery's Conference on Computer and Communications Security in Berlin in November. They developed the technology with Ari Juels, former chief scientist at RSA Laboratories, a security company in Cambridge, Mass.

IMDs generally lack the kind of password security found on a home Wi-Fi router because emergency medical technicians often need quick access to the information the devices store to save a life, Rostami said. But that leaves the IMDs open to attack.

"If you have a device inside your body, a person could walk by, push a button and violate your privacy, even give you a shock," he said. "He could make (an ) inject insulin or update the software of your pacemaker. But our proposed solution forces anybody who wants to read the device to touch you."

The system would require software in the IMD to talk to the "touch" device, called the programmer. When a medical technician touches the patient, the programmer would pick up an electrocardiogram (EKG) signature from the . The internal and external devices would compare minute details of the EKG and execute a "handshake." If signals gathered by both at the same instant match, they become the password that grants the external device access.

"The signal from your heartbeat is different every second, so the password is different each time," Rostami said. "You can't use it even a minute later."

He compared the EKG to a chart of a financial stock. "We're looking at the minutia," Rostami said. "If you zoom in on a stock, it ticks up and it ticks down every microsecond. Those fine details are the byproduct of a very complex system and they can't be predicted."

A human heartbeat is the same, he said. It seems steady, but on closer view every beat has unique characteristics that can be read and matched. "We treat your heart as if it were a random number generator," he said.

The system could potentially be used with the millions of IMDs already in use, Koushanfar said. "To our knowledge, this is the first fully secure solution that has small overhead and can work with legacy systems," she said. "Like any device that has wireless access, we can simply update the software."

Koushanfar noted the software would require very little of an IMD's precious power, unlike other suggested secure solutions that require computationally intensive – and battery draining – cryptography. "We're hopeful," she said. "We think everything here is a practical technology."

Implementation would require cooperation with device manufacturers who, Koushanfar said, hold their valuable, proprietary secrets very close to the chest, as well as approval by the Food and Drug Administration.

But the time to pursue IMD security is here, Rostami insisted. "People will have more implantable devices, not fewer," he said. "We already have devices for the heart and as insulin pumps, and now researchers are talking about putting neuron stimulators inside the brain. We should make sure all these things are secure."

Explore further: New technology to help users combat mobile malware attacks

More information: Read the paper at www.aceslab.org/sites/default/files/H2H.pdf

add to favorites email to friend print save as pdf

Related Stories

After insulin pump hacking, lawmakers seek review

Aug 20, 2011

(AP) -- Two lawmakers are requesting a review of the government's security standards for wireless medical devices after a diabetic discovered how to remotely reprogram his and other people's insulin pumps.

Security experts sound medical device malware alarm

Oct 19, 2012

(Phys.org)—Speakers at a government gathering revealed more reasons for nervous patients to get out their worry beads over future hospital stays. Besides staph infections, wrong-side surgeries and inaccurate ...

Recommended for you

Does your password pass muster?

Mar 25, 2015

"Create a password" is a prompt familiar to anyone who's tried to buy a book from Amazon or register for a Google account. Equally familiar is that red / yellow / green bar that rates the new password's strength. ...

Beijing behind Internet security violation: group

Mar 25, 2015

China's cyberspace administration is "complicit" in attacks on major Internet companies including Google, an anti-censorship group said Wednesday, calling on firms worldwide to strengthen their defences.

House unveils cyber bill and signals bipartisan compromise

Mar 24, 2015

House intelligence committee leaders unveiled a bipartisan cybersecurity bill Tuesday amid signs of broad agreement on long-sought legislation that would allow private companies to share with the government details of how ...

The ongoing war against cybercrime

Mar 24, 2015

Cybercrime is estimated to cost the global economy upwards of US$400 billion a year, and these costs are expected to continue to rise. ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.