{"title":"Practical Techniques for Limiting Disclosure of RF-Equipped Medical Devices","authors":"E. Freudenthal, R. Spring, L. Estevez","doi":"10.1109/EMBSW.2007.4454179","DOIUrl":null,"url":null,"PeriodicalId":333843,"journal":{"name":"2007 IEEE Dallas Engineering in Medicine and Biology Workshop","volume":"13 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE Dallas Engineering in Medicine and Biology Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EMBSW.2007.4454179","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Practical Techniques for Limiting Disclosure of RF-Equipped Medical Devices
The use of radio for communication with medical devices provides important convenience and safety features. However, devices that respond to unauthorized queries may inadvertently disclose their presence. It is reasonable for users to expect their devices' detectability by third parties to be limited, and thus even eavesdroppers to an authorized conversation (e.g. a command sent to an insulin pump) should observe an access code of minimal utility for triggering future transmissions. Access rights should be revocable in a manner that limits the harm that can be caused by authorized devices in the possession of unauthorized users. In order to detect inappropriate use, it may be desirable for access history to be available for audit. We describe a family of replay-attack resistant protocols suitable for embedding into query messages that can authorize users with a range of differentiated access rights. Implanted devices utilizing these techniques can evade detection by suppressing responses to queries that do not contain appropriate authorization. Techniques are described that can support revocation of authorization and audits of access history. Finally, we observe that the processing of unauthorized queries consumes power and thus can be used to mount a potentially devastating denial-of-service attack against the batteries of both conventional devices and devices that utilize the cryptographic protocols we describe. Since field-powered communication systems (e.g. HF-RFID) contain embedded general-purpose processors that operate using only power extracted from externally applied fields, they are substantially more robust against such forms of attack.