Secure medical implants with encrypted heartbeats

Summary: To prevent wirelessly connected defibrillators and insulin pumps from being hijacked, researchers suggest using a heartbeat reading along with an encryption step.

Security researchers have shown that they can reprogram a wireless implant to stay inactive in an emergency, deliver an unnecessary 700-volt jolt, or drain its battery.

One way to help secure implants is to use a heartbeat reading to confirm that whoever is trying to reprogram or download data is in direct contact with the patient, and not a remote hacker. Technology Review reports.

Over 300,000 of these wireless devices -- like defibrillators and insulin pumps -- are implanted each year in the U.S. Doctors or device makers can update software and download information (such as records of heart shocks or the timing of insulin doses) without surgery. But that wireless access also opens the door to malicious attacks.

Researchers at Rice University and security company RSA have designed a solution:

  1. A doctor or paramedic holds a device against the patient’s body that takes a direct reading of the heartbeat.
  2. The device compares its own reading of the patient’s heartbeat to one relayed in a wireless signal from the implant, to confirm that the two signals match.
  3. The wireless exchange of the heartbeat signal is encrypted, thwarting attempts to hijack the communications during the exchange.
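
The comparison in step 2 can be sketched as follows. This is an added example, not code from the article or from the Rice/RSA researchers. It assumes the heartbeat signal is a list of inter-beat intervals in milliseconds, that both readings have already crossed the encrypted link from step 3, and that a small number of bit errors from sensor jitter is tolerated; every constant and sample value is constructed for illustration.

```python
# Added illustration; constants and sample readings are constructed assumptions.
LOW_BITS = 4       # assumption: keep the 4 least significant bits of each interval
MAX_MISMATCH = 3   # assumption: bit errors tolerated for sensor jitter
MIN_BEATS = 8      # assumption: refuse to decide on too short a reading

# Constructed inter-beat intervals (ms) measured over the same eight beats.
IMPLANT_MS = [812, 797, 805, 821, 790, 808, 815, 799]  # measured inside the body
TOUCH_MS = [812, 798, 805, 821, 790, 807, 815, 799]    # device held on the patient
REMOTE_MS = [640, 655, 648, 662, 651, 645, 659, 653]   # someone else's heartbeat

def interval_bits(intervals_ms):
    """Turn intervals into a bit list built from their low-order bits."""
    bits = []
    for ms in intervals_ms:
        low = ms & ((1 << LOW_BITS) - 1)
        gray = low ^ (low >> 1)  # Gray code: a 1 ms measurement error flips one bit
        bits.extend((gray >> i) & 1 for i in reversed(range(LOW_BITS)))
    return bits

def mismatches(a_ms, b_ms):
    """Count differing bits, or return None if the readings cannot be compared."""
    if len(a_ms) != len(b_ms) or len(a_ms) < MIN_BEATS:
        return None
    return sum(x != y for x, y in zip(interval_bits(a_ms), interval_bits(b_ms)))

def access_allowed(implant_ms, programmer_ms):
    """Grant access only when both sides saw the same heartbeat at the same time."""
    distance = mismatches(implant_ms, programmer_ms)
    return distance is not None and distance <= MAX_MISMATCH

if __name__ == "__main__":
    for name, reading in (("touch", TOUCH_MS), ("remote", REMOTE_MS)):
        print(name, mismatches(IMPLANT_MS, reading), access_allowed(IMPLANT_MS, reading))
```

The reading taken in contact with the patient differs from the implant's in only a couple of bits, while an unrelated heartbeat disagrees in roughly half of them, which is what lets the check work without a password or an enrolled biometric.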

This fix could work, they say, even in emergency situations where there’s no time for delay since doctors or paramedics wouldn’t need to authenticate themselves with a password.

A future emergency responder wouldn’t need to know the identity of a heart-attack victim, for example, before gaining access and downloading information from the victim’s implanted device.

“The heart is very conveniently producing this stream of random bits, and we tap into the stream of bits and make sure we are getting the same signal at the same time,” says Ari Juels at RSA Laboratories in Cambridge, Massachusetts. “Our approach doesn’t rely on a registration of a biometric -- all it does is check that the signals are identical.”

The encryption step prevents a theoretical attacker in, say, a hospital or a battlefield from hijacking the signal in order to issue life-threatening instructions.

[Technology Review]

Image: Manu_H via Flickr

This post was originally published on Smartplanet.com

Topics: Innovation

About

Janet Fang has written for Nature, Discover and the Point Reyes Light. She is currently a lab technician at Lamont-Doherty Earth Observatory. She holds degrees from the University of California, Berkeley and Columbia University. She is based in New York.
