Benjamin Ransford

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

Our study analyzes the security and privacy properties of an implantable cardioverter defibrillator (ICD). Introduced to the U.S. market in 2003, this model of ICD includes pacemaker technology and is designed to communicate wirelessly with a nearby external programmer in the 175 kHz frequency range. After partially reverse-engineering the ICDs communications protocol with an oscilloscope and a software radio, we implemented several software radio-based attacks that could compromise patient safety and patient privacy. Motivated by our desire to improve patient safety, and mindful of conventional trade-offs between security and power consumption for resource-constrained devices, we introduce three new zero-power defenses based on RF power harvesting. Two of these defenses are human-centric, bringing patients into the loop with respect to the security and privacy of their implantable medical devices (IMDs). Our contributions provide a scientific baseline for understanding the potential security and privacy risks of current and future IMDs, and introduce human-perceptible and zero-power mitigation techniques that address those risks. To the best of our knowledge, this paper is the first in our community to use general-purpose software radios to analyze and attack previously unknown radio communications protocols.

Mementos: system support for long-running computation on RFID-scale devices

Transiently powered computing devices such as RFID tags, kinetic energy harvesters, and smart cards typically rely on programs that complete a task under tight time constraints before energy starvation leads to complete loss of volatile memory. Mementos is a software system that transforms general-purpose programs into interruptible computations that are protected from frequent power losses by automatic, energy-aware state checkpointing. Mementos comprises a collection of optimization passes for the LLVM compiler infrastructure and a linkable library that exercises hardware support for energy measurement while managing state checkpoints stored in nonvolatile memory. We evaluate Mementos against diverse test cases in a trace-driven simulator of transiently powered RFID-scale devices. Although Mementoss energy checks increase run time when energy is plentiful, they allow Mementos to safely suspend execution when energy dwindles, effectively spreading computation across zero or more power failures. This papers contributions are: a study of the runtime environment for programs on RFID-scale devices; an energy-aware state checkpointing system for these devices that is implemented for the MSP430 family of microcontrollers; and a trace-driven simulator of transiently powered RFID-scale devices.

Powering the next billion devices with wi-fi

We present the first power over Wi-Fi system that delivers power to low-power sensors and devices and works with existing Wi-Fi chipsets. Specifically, we show that a ubiquitous part of wireless communication infrastructure, the Wi-Fi router, can provide far field wireless power without significantly compromising the networks communication performance. Building on our design, we prototype battery-free temperature and camera sensors that we power with Wi-Fi at ranges of 20 and 17 feet respectively. We also demonstrate the ability to wirelessly trickle-charge nickel---metal hydride and lithium-ion coin-cell batteries at distances of up to 28 feet. We deploy our system in six homes in a metropolitan area and show that it can successfully deliver power via Wi-Fi under real-world network conditions without significantly degrading network performance.

WISPCam: A battery-free RFID camera

Energy-scavenging devices with general-purpose microcontrollers can support arbitrarily complex sensing tasks in theory, but in practice, energy limitations impose severe constraints on the application space. Richer sensing such as image capture would enable many new applications to take advantage of energy scavenging. Richer sensing faces two key challenges: efficiently retaining the necessary amount of harvested energy, and storing and communicating large units of sensor data. This paper presents the WISPCam, a passive UHF RFID camera tag based on the Wireless Identification and Sensing Platform that overcomes these two challenges to support reliable image capture and transmission while powered by an RFID reader. The WISPCam uses a novel charge-storage scheme designed specifically to match the image sensors needs. This scheme optimally balances capacitance and leakage to improve the sensitivity and efficiency of the power harvester. The WISPCam also uses a novel data storage and communication scheme to reliably support the transfer of complete images to an RFID reader application. The WISPCam makes battery-free image capture practical for applications such as mechanical gauge reading and surveillance, both demonstrated in this paper, and opens the door to richer sensing applications on battery-free devices.

A simpler, safer programming and execution model for intermittent systems

Energy harvesting enables novel devices and applications without batteries, but intermittent operation under energy harvesting poses new challenges to memory consistency that threaten to leave applications in failed states not reachable in continuous execution. This paper presents analytical models that aid in reasoning about intermittence. Using these, we develop DINO (Death Is Not an Option), a programming and execution model that simplifies programming for intermittent systems and ensures volatile and nonvolatile data consistency despite near-constant interruptions. DINO is the first system to address these consistency problems in the context of intermittent execution. We evaluate DINO on three energy-harvesting hardware platforms running different applications. The applications fail and exhibit error without DINO, but run correctly with DINO’s modest 1.8–2.7× run-time overhead. DINO also dramatically simplifies programming, reducing the set of possible failure- related control transfers by 5–9×.

Clinically significant magnetic interference of implanted cardiac devices by portable headphones

BACKGROUND Little is known about the magnetic field strength of portable headphones and their potential to cause magnetic interference with implanted pacemakers (PMs) and implantable cardioverter-defibrillators (ICDs). OBJECTIVE The purpose of this study was to evaluate the magnetic field strength of portable headphones and to determine if they can cause clinically relevant magnetic interference. METHODS PM or ICD function was assessed in 100 patients during exposure to eight different models of portable headphones to determine the incidence of clinically relevant magnetic interference. The magnetic field strength of the headphones also was measured in vitro. RESULTS Clinically relevant magnetic interference from portable headphones occurred in 30 (30%) of 100 patients and more commonly affected ICD than PM patients (21/55 [38.2%] vs 9/45 [20.0%]; P = .048). All patients affected by magnetic interference experienced a magnet response, characterized by asynchronous pacing in PM patients and by inhibition of tachyarrhythmia detection in ICD patients. In all but one of the 30 cases of magnetic interference, removal of the headphones from the patients chest immediately restored normal device function. Headphones with a measured magnetic field strength > or =10 gauss at 2 cm were much more likely to cause magnetic interference than were those with lower magnetic field strength (30/100 [30%] patients vs 0/100 [0%] patients; P <.0001). Magnetic interference was not observed when headphones were placed > or =3 cm from the skin surface. CONCLUSION Clinically significant magnetic interference can occur when portable headphones are placed in close proximity to implanted PMs and ICDs. Patients with such a device should be advised to keep portable headphones at least 3 cm from their device.

Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance

Background Medical devices increasingly depend on computing functions such as wireless communication and Internet connectivity for software-based control of therapies and network-based transmission of patients’ stored medical information. These computing capabilities introduce security and privacy risks, yet little is known about the prevalence of such risks within the clinical setting. Methods We used three comprehensive, publicly available databases maintained by the Food and Drug Administration (FDA) to evaluate recalls and adverse events related to security and privacy risks of medical devices. Results Review of weekly enforcement reports identified 1,845 recalls; 605 (32.8%) of these included computers, 35 (1.9%) stored patient data, and 31 (1.7%) were capable of wireless communication. Searches of databases specific to recalls and adverse events identified only one event with a specific connection to security or privacy. Software-related recalls were relatively common, and most (81.8%) mentioned the possibility of upgrades, though only half of these provided specific instructions for the update mechanism. Conclusions Our review of recalls and adverse events from federal government databases reveals sharp inconsistencies with databases at individual providers with respect to security and privacy risks. Recalls related to software may increase security risks because of unprotected update and correction mechanisms. To detect signals of security and privacy problems that adversely affect public health, federal postmarket surveillance strategies should rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware.

Current Events: Identifying Webpages by Tapping the Electrical Outlet

Computers plugged into power outlets leak identifiable information by drawing variable amounts of power when performing different tasks. This work examines the extent to which this side channel leaks private information about web browsing to an observer taking measurements at the power outlet. Using direct measurements of AC power consumption with an instrumented outlet, we construct a classifier that correctly identifies unlabeled power traces of webpage activity from a set of 51 candidates with 99% precision and 99% recall. The classifier rejects samples of 441 pages outside the corpus with a false-positive rate of less than 2%. It is also robust to a number of variations in webpage loading conditions, including encryption. When trained on power traces from two computers loading the same webpage, the classifier correctly labels further traces of that webpage from either computer. We identify several reasons for this consistently recognizable power consumption, including system calls, and propose countermeasures to limit the leakage of private information. Characterizing the AC power side channel may help lead to practical countermeasures that protect user privacy from an untrustworthy power infrastructure.

Nonvolatile memory is a broken time machine

Energy harvesting enables intermittently powered devices to compute without built-in power. But frequent power failures, combined with nonvolatile memory intended to protect computational state, introduce strange control flow that turns sequential code into unwieldy concurrent code: programs must grapple with their own state from previous interrupted runs. This paper describes the broken time machine problem for these devices and outlines potential solutions from the perspective of safe concurrent programming.

BAT: Backscatter Anything-to-Tag Communication

Computational RFID prototypes are limited by networking abstractions that impose narrow preconceptions about topologies and applications. These prototypes support programmability and integrate a wide array of sensors, which open the door to more varied applications. Implementing these on constrained platforms will need primitives that seamlessly support communication among tags and also with other devices. While overlays on top of existing protocols are possible, they introduce in ef?ciency because of packet formats designed explicitly for the tag inventory paradigm. This paper presents BAT, a networked system designed from the ground up to enable non-supply-chain RFID applications while carefully considering the unique constraints under which these platforms operate.