One Heartfelt Security Solution
You may have seen my blog filed from this year's Black Hat show regarding an interesting demonstration by a pair of researchers about the potential security risks related to implanted medical devices.
The presentation, delivered by researchers Tadayoshi Kohno and Kevin Fu, outlined the lack of sufficient security controls built into today's implanted medical gizmos, including defibrillators and pacemakers, and concluded that as these types of devices become more ubiquitous they will need to be better protected.
Because, you know, if you could wirelessly command someone's defibrillator to shock their heart unnecessarily, well, that would not be very good for them, and then there's the whole issue of privacy.
And, wireless radios are being built into a far wider range of medical implants with the notion that someday, in addition to providing physicians with additional info about their patients, the devices could be designed to communicate with each other, which is a pretty neat idea.
I'm assuming I'm not the only one reading this that is dreaming of becoming a semi-cyborg someday after all my worn out parts are upgraded. Back and knees first please.
At the time of the presentation, the issue seemed like a troublesome quandary that would likely take some hard thinking and serious R&D to come up with a usable solution. Yet, low and behold, some pretty smart folks are already working on it, with some very intriguing results.
Last week, researchers at the Chinese University of Hong Kong presented a solution for the problem of implanted devices lacking encryption, one of the primary issues outlined by Kohno and Fu. And their idea is pretty darn cool.
According to the Hong Kong researchers, spearheaded by Carmen Poon (I'm assuming that's not a Comanche Indian name) it could be possible to use a patient's heartbeat itself to create an entirely unique 64-bit encryption key that could be used to lock-down access to the implants.
I guess that gives new meaning to the concept of "the answer to everything lies within."
So, the machines used to legitimately communicate with the devices would be set with the pulse-driven key and, in theory, no one else would be able send or retrieve information to the implants.
To account for minor fluctuations in heart rhythm, the parties responsible for programming the keys would record a set of beats, and then create a key that accounts for the recorded range.
I guess if you're already having a heart attack, the docs aren't going to stop to take any readings anyway.
Anyhow, this is a fantastic example of some truly innovative thinking being used to investigate answers to a problem that will likely become more substantial and significant over time.
Of course, there's still the issue of most of today's implanted medical devices lacking sufficient battery power to support encryption software.
But hey, it's a nice start.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.