Abstract

In this paper, we propose a novel security framework to protect Implantable Cardioverter Defibrillators (ICDs) using Smartphones. ICDs are small battery powered Implantable Medical Devices (IMDs) that are introduced in the patient’s body to treat irregular heartbeats known as arrhythmias. These devices are programmed and accessed wirelessly for diagnosis and therapy by a programming device known as External Programmer (EP). Previous studies have demonstrated that ICDs are susceptible to attacks via unauthorized EPs. These attacks may not only pose privacy concerns, but can also do serious physical harm to a patient. While it is crucial that these devices need to be secured by all means possible, a medical practitioner should be allowed to access ICDs when needed, especially under emergency situations. In this paper, we investigate techniques for using a patient’s smartphone for authenticated and authorized communication between the patient’s ICD and the EP operated by a physician treating the patient. An application running in the smartphone serves two major purposes. (1) mediates secure communication, and (2) keeps the patient in-the-loop by providing an audiovisual interface, to be aware of and take control over the communication occurring between the ICD and EP. Due to the fact that smartphones are becoming more cheaper and their versatility becoming greater, using smartphones as a security device is a feasible option. As a proof-of-concept, the proposed Kerberos based security scheme is implemented using simulated EP, ICD, and an Androidbased smartphone.