A group of researchers from KU Leuven, Belgium, have proposed a practical security scheme that would allow secure communications between a widely used implantable neurostimulator – an electrical brain implant used to treat a number of medical issues – and its external device programmer.
Other researchers have already noted that motivated attackers could find ways to hack brain implants due to their poor or nonexistent security, and have pointed out that, while the current risk of that happening is low, it is better to consider this issue seriously now rather than in several years’ time when the sophistication of these implants is far greater.
The Belgian researchers showed that reverse engineering the proprietary protocols used by the neurostimulator and device programmer to communicate is relatively easy and that the transmissions sent over the air are not encrypted and not authenticated.
This allowed them to prove that a variety of software radio-based attacks – replay, spoofing, message interception/eavesdropping and DDoS – can be performed, and could lead to serious consequences for the patients.
To prevent these attacks from being executed and potential attackers from tampering with implantable medical devices (IMDs), manufacturers have to make sure that only authorized individuals are capable of instructing the implants what to do.
Securing the communication between IMDs and device programmers is a non-trivial task, the researchers noted.
“Firstly, IMDs are resource-constrained devices with tight power and computational constraints, and a limited battery capacity. Furthermore, IMDs lack input and output interfaces, such as a keyboard or a screen, and cannot be physically accessed once they are implanted. Secondly, IMDs need to satisfy several important requirements for proper functioning, such as reliability, availability and safety. Adding security mechanisms into IMDs is challenging due to inherent tensions between some of these requirements and the desirable security and privacy goals. For example, IMDs should provide permissive access control such that doctors can access the IMD in emergencies,” they explained.
A possible solution
The researchers’ solution is as follows:
- The neurostimulator would use a physiological signal from the patient’s brain to create a random 128-bit symmetric key. This key would be valid for only one session.
- The key is transported securely from the neurostimulator to the device programmer through a secret out-of-band channel, and access to the neurostimulator is granted only to device programmers that can touch the patient’s skin for a few seconds.
- The devices demonstrate knowledge of the key during the first communication session, and the scheme uses a new optimized encrypted message format that adds little communication overhead compared to the original one.
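The three steps above, reduced to a runnable sketch. This is an added example, not the researchers' code: the brain signal is a constructed byte string, the key derivation is a plain hash stand-in for the paper's extractor, and the "optimized encrypted message format" is approximated by a generic encrypt-then-MAC frame (sequence number, ciphertext, truncated HMAC tag) so that replayed, tampered and wrong-key frames are rejected by the implant side.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated MAC: small per-message overhead, as the scheme aims for

def derive_session_key(brain_signal: bytes) -> bytes:
    """Stand-in KDF (assumption): condense the physiological sample into a
    128-bit session key. The paper's own extractor is not reproduced here."""
    return hashlib.sha256(b"neurostim-session-key" + brain_signal).digest()[:16]

def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, "enc" || seq || i); seq never repeats in a session.
    blocks = [hmac.new(key, b"enc" + struct.pack(">IQ", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Programmer side: frame = seq || ciphertext || truncated tag (encrypt-then-MAC)."""
    hdr = struct.pack(">I", seq)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, seq, len(payload))))
    tag = hmac.new(key, b"mac" + hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + ct + tag

class Neurostimulator:
    """Implant side: only frames under the session key, in increasing order, are accepted."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted this session

    def open(self, msg: bytes):
        if len(msg) < 4 + TAG_LEN:
            return None
        hdr, ct, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, b"mac" + hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key (no skin-contact key transport) or modified over the air
        seq = struct.unpack(">I", hdr)[0]
        if seq <= self.last_seq:
            return None  # replay of an earlier frame
        self.last_seq = seq
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.key, seq, len(ct))))

def demo():
    signal = b"constructed-LFP-sample-" + bytes(range(32))  # constructed stand-in for the measured signal
    key = derive_session_key(signal)  # both devices hold it after the out-of-band transport
    implant = Neurostimulator(key)
    m1 = seal(key, 1, b"SET_AMPLITUDE 2.0mA")
    accepted = implant.open(m1)
    replayed = implant.open(m1)  # same frame captured and resent
    tampered = implant.open(m1[:6] + bytes([m1[6] ^ 1]) + m1[7:])
    spoofed = implant.open(seal(derive_session_key(b"other-signal"), 2, b"SET_AMPLITUDE 9.9mA"))
    return accepted, replayed, tampered, spoofed
```

`demo()` returns the decrypted first command followed by `None` for the replayed, tampered and spoofed frames.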
The fact that the brain signal used for the key can’t be measured remotely should prevent would-be attackers from pulling off the compromise.
“Our solution allows the device programmer and the neurostimulator to agree on a symmetric session key without these devices needing to share any prior secrets; offers an effective and practical balance between security and permissive access in emergencies; requires only minor hardware changes in the devices; adds minimal computation and communication overhead; and provides forward and backward security,” the researchers concluded.