An Implantable Cardioverter Defibrillator (ICD) is a medical device for the detection and treatment of potentially fatal heart conditions such as ventricular tachycardia (VT) and ventricular fibrillation (VF). ICDs run embedded software that processes intracardiac signals, called electrograms (EGMs), to detect arrhythmias and deliver appropriate therapy in the form of electrical shocks. ICD software implements so-called discrimination algorithms which comprise multiple discrimination criteria (discriminators) for the detection and classification of arrhythmia episodes based on the analysis of EGM features such as ventricular intervals and signal morphology.
ICD discriminators feature a number of programmable parameters that, if adequately configured, ensure minimal rates of mis-classification and inappropriate/missed therapy (Moss et al., 2012). In contrast, wrongly configured parameters can result in unnecessary shocks, which are painful and damage the cardiac tissue, and even worse can prevent required therapy, leading to sudden cardiac death.
An ICD reprogramming attack is one that alters the device’s parameters to induce mis-classification and inappropriate therapy. Reprogramming attacks can significantly compromise patient safety, with high-profile patients being obvious targets (e.g. former US Vice President Cheney had his pacemaker’s wireless access disabled to prevent assassination attempts (Peterson, 2013)). Seminal work by Halperin et al. (Halperin et al., 2008) demonstrated that ICDs can be accessed and reprogrammed by unauthorized users using off-the-shelf software radios. More recently, over half a million cardiac devices have been recalled by the FDA for security risks related to wireless communication (Food and Drug Administration, 2017), and researchers managed to gain control of a pacemaker/ICD by exploiting vulnerabilities in the device’s remote monitoring infrastructure (Rios and Butts, 2018). These incidents confirm that vulnerabilities in implantable cardiac devices exist, and a thorough investigation of cyber-attacks on ICDs is needed to improve device safety and security.
In this paper, we present a formal approach for the automated synthesis of ICD reprogramming attacks that are both effective, i.e., lead to fundamental changes in the required therapy, and stealthy, i.e., involve minimal changes to the nominal ICD parameters. Stealthy attacks are therefore difficult to detect and even if detected, would most likely be attributed to a clinician’s error in configuring the device.
We follow a model-based approach, as the attacks are not evaluated on the actual hardware but on a model of the ICD algorithm. We focus on the Rhythm ID algorithm implemented in Boston Scientific ICDs (one of the principal ICD manufacturers), which was compiled from device manuals and the medical literature (Boston Scientific Corporation, 2017; Zanker et al., 2016). The discriminators used and computations performed by Rhythm ID are also found in the algorithms of the three other major ICD manufacturers. Thus, focusing on Rhythm ID does not limit the applicability of our approach.
Our method, illustrated in Figure 1, synthesizes device parameters that are optimal with respect to the effectiveness-stealthiness tradeoff (i.e., lie along the corresponding Pareto front). We formulate this synthesis problem as one of multi-objective optimization, and solve it using optimization modulo theories (OMT) techniques (Bjørner et al., 2015), an extension of SMT for finding models that optimize given objectives. OMT is uniquely suited to solve this problem, because the problem is combinatorial in nature (parameters can be configured from a finite set of values), and is also constrained by the behavior of the ICD algorithm, which can be adequately encoded as SMT constraints.
The synthesized reprogramming attacks yield optimal effectiveness and stealthiness with respect to a set of training EGM signals. We employ the method of (Jiang et al., 2016) to generate synthetic EGMs with prescribed arrhythmia. This allows the attacker to synthesize malicious parameters tailored to the victim’s cardiac condition.
In summary, our main contributions are the following.
We introduce, to the best of our knowledge, the first method for the derivation of systematic reprogramming attacks on cardiac devices designed to maximize therapy disruption while minimizing the likelihood of detection.
We formulate the problem of synthesizing malicious parameters as a multi-objective optimization problem.
We present a method, based on OMT techniques and an efficient SMT encoding of the ICD algorithm, for precisely solving this optimization problem.
We evaluate the method by synthesizing attacks tailored to 19 different arrhythmias (i.e., condition-specific attacks), as well as more generic attacks (condition-agnostic) that are suitable when the attacker has little knowledge of the victim's condition. Our results demonstrate that arrhythmogenic conditions are particularly vulnerable, as only minor changes to the detection thresholds suffice to prevent the required therapy.
We show that our approach is suitable for real-world attacks as it readily generalizes to unseen signals (i.e., test EGMs), representing the unknown EGMs of the victim patient.
ICDs are battery-powered devices implanted under the pectoral muscles in the chest and connected to the cardiac muscle through one (in single-chamber ICDs) or two (dual-chamber) leads that sense the electrical activity of the heart and deliver life-saving defibrillation shocks when a dangerous arrhythmia is detected (see Figure 2). Shocks are delivered through shocking coils located along the ventricular lead. To extend battery lifetime and reduce patient discomfort, modern ICDs first attempt so-called anti-tachycardia pacing (ATP), a burst of low-voltage impulses to the ventricle, and resort to a high-energy shock only if ATP fails. ICDs also incorporate the functionality of pacemakers, i.e., they detect slow heart rhythm and correct it by delivering low-voltage electrical impulses, but in this work we focus only on the component responsible for detecting and terminating tachycardia.
Sensed electrical signals are called intracardiac electrograms (EGMs), which in a dual-chamber ICD are of three types (see Figure 2): atrial and ventricular EGMs, describing the local, near-field electrical activity in the right atrium and ventricle, respectively; and the shock EGM, a far-field signal that gives a global view of the electrical activity, measured from the shock coil to the ICD can.
ICD discrimination algorithms are responsible for detecting tachycardia episodes and initiating adequate therapy based on the sensed EGMs. These algorithms are embedded in the device and employ signal-processing methods such as peak detection to identify cardiac events; viz. electrical activation of the atria and ventricles (heart beats). Therapy delivery depends on a number of discrimination criteria, or discriminators, used to distinguish between potentially fatal Ventricular Tachy-arrhythmias (VT) and non-fatal Supra-Ventricular Tachy-arrhythmias (SVTs).
Since an ICD has only three signals, there is a limited number of features that can be used as discriminators. Atrial rate, ventricular rate, and far-field ventricular morphology are the core features that all major ICD manufacturers employ; see (Singer, 2001) for further details on the physiological meaning of these features. To generalize to a large variety of physiological conditions and to avoid "over-fitting" the algorithm to known conditions, device manufacturers have adopted simple decision-tree-like structures and simple discriminators to distinguish between SVT and VT.
2.1. ICD Discrimination Algorithm
Figure 3 illustrates the Rhythm ID algorithm implemented in Boston Scientific (BSc) ICDs. The algorithm consists of a number of discriminators arranged in a decision tree-like structure, where each discriminator depends on one or more programmable parameters. Leaves of the tree determine whether or not therapy is delivered during the current heart cycle.
The parameters of the algorithm are given in Table 1. We consider the description of the Rhythm ID algorithm by Jiang et al. (Jiang et al., 2016), where the authors provided a MATLAB implementation of the algorithm based on the manufacturer’s manuals and the medical literature (Boston Scientific Corporation, 2017; Zanker et al., 2016). This implementation faithfully captures the behavior of the Rhythm ID algorithm, as it was validated by demonstrating conformance to a BSc commercial ICD device on 11 test cases. The algorithm and its discriminators, described next, are executed at each ventricular event, which marks the end of the corresponding heart cycle.
D1, 8/10 faster than VF: this discriminator is true iff at least eight out of the last ten ventricular intervals (i.e., the time between two consecutive ventricular beats) are shorter than the programmable threshold . This discriminator detects the onset of arrhythmia (VF in this case), as a high ventricular rate is a strong indication of VF. If D1 is true, therapy is delivered only if the VF episode is sustained. To check whether VF persists, the algorithm starts the so-called VF duration timer, as described under discriminator D2.
D2, VFduration: when in VF duration mode, the algorithm checks that at least six out of the last ten ventricular intervals are below , and that the last interval is below . If this criterion is not met, the algorithm exits the VF duration mode as the episode did not persist, and thus requires no therapy. If this criterion stays true for the entire VF duration (parameter ), then therapy is given.
D3, 8/10 faster than VT: this criterion is analogous to D1, but uses the VT threshold .
D4, VTduration: this criterion is analogous to D2, but uses the VT threshold and the duration parameter . The difference with D2 is that in this case, therapy is not given immediately at the end of the duration timer; rather, the algorithm ensures that the episode is not mistaken for SVT, as illustrated below.
D5, V rate A rate: it is true iff, over the last ten heart cycles, the average ventricular rate is at least 10 BPM faster than the average atrial rate. If true, D5 indicates that the tachycardia originated in the ventricles and thus must be treated. Otherwise, the algorithm inspects D6 and D7.
D6, NSR correlation: this criterion, also called Rhythm Match, compares the morphology of the far-field shock EGM with that of a pre-computed normal sinus rhythm (NSR) template. The two signals being similar suggests that the arrhythmia originated in the atria, indicating SVT (no therapy). In particular, for at least three out of the last ten heart cycles, the two signals should have a so-called feature correlation coefficient (FCC) greater than parameter . The FCC is computed by looking at the voltages of the two signals at prescribed time-points. See (Boston Scientific Corporation, 2017) for more details on the computation of the FCC.
D7, AFib rate and stable Vrate: if D6 does not hold, D7 makes the final decision on the therapy. In particular, the device diagnoses SVT if at least six out of the last ten atrial intervals are shorter than threshold (suggesting that the tachycardia originated in the atria) and the ventricular rhythm is stable, i.e., the last ten ventricular intervals have variance below parameter. Otherwise, VT is diagnosed and therapy is initiated.
Table 1. Programmable parameters of the Rhythm ID algorithm.

| Unit | Description | Symbol / programmable values |
|------|-------------|------------------------------|
| BPM | VF detection threshold | |
| BPM | VT detection threshold | |
| BPM | AFib detection threshold | |
| s | Sustained VF duration | |
| s | Sustained VT duration | |
| (dimensionless) | Rhythm Match score | |
The algorithm presented in Figure 3 considers two tachycardia zones (VF and VT branches). BSc ICDs can actually be configured to work with one, two, or three zones. With three zones, the algorithm would have an additional branch (called VT-1) with discriminators identical to those found in the VT branch but with different parameters (lower detection rate and longer VT duration). We focus on two zones because it is the most common configuration, and the two-zone attack can easily be extended to handle one more or one less zone.
BSc ICDs support setting a separate post-therapy configuration of the parameters to check if therapy was successful. This is not part of the discrimination algorithm we consider because our reprogramming attacks are not concerned with post-therapy analysis. We could have easily incorporated the post-therapy phase, as it uses the same discriminators described above but with possibly different parameter values.
We reiterate that discriminators D1–D7, or slight variations thereof, are found in the algorithms of other ICD manufacturers. Thus, the attack-synthesis method presented below applies to other devices as well.
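The following is an added example, not code from the paper and not Jiang et al.'s MATLAB model: a Python reconstruction of the two-zone Rhythm ID decision logic as described under D1–D7, executed once per ventricular event on the state (inVF, inVT, VF clock, VT clock) that the encoding of Section 5 also uses. Everything not stated in the text is an assumption and is marked as such in the code: the nominal settings, the fixed V-rate stability bound used by D7, the use of a shorter window while fewer than ten cycles are available, the VF and VT zones being evaluated independently, and duration clocks that accumulate the intervals of the cycles spent in duration mode. Inputs are pre-computed per cycle (ventricular interval, atrial interval, FCC of the shock EGM against the NSR template); the two test signals are constructed, not drawn from the synthetic EGM dataset of Section 2.2.

```python
from dataclasses import dataclass
from statistics import mean, pvariance
from typing import List, Tuple


@dataclass(frozen=True)
class Params:
    """The six programmable parameters of Table 1 (durations held in ms)."""
    vf_bpm: float      # VF detection threshold (BPM)
    vt_bpm: float      # VT detection threshold (BPM)
    afib_bpm: float    # AFib detection threshold (BPM)
    vf_dur_ms: float   # sustained VF duration
    vt_dur_ms: float   # sustained VT duration
    rm_score: float    # Rhythm Match (FCC) threshold


# Assumed nominal settings for the demo; Table 1's actual values are not reproduced here.
NOMINAL = Params(vf_bpm=200, vt_bpm=160, afib_bpm=170,
                 vf_dur_ms=1000, vt_dur_ms=2500, rm_score=0.94)
# Assumed fixed (non-programmable) V-rate stability bound for D7: variance of the
# last ten ventricular intervals, in ms^2.
STABILITY_VAR_MS2 = 400.0

# One heart cycle = (ventricular interval ms, atrial interval ms, FCC of the shock EGM).
Cycle = Tuple[float, float, float]
# Algorithm state at the end of a cycle: (inVF, inVT, VF clock ms, VT clock ms).
State = Tuple[bool, bool, float, float]
INIT: State = (False, False, 0.0, 0.0)


def ms(bpm: float) -> float:
    """Interval equivalent of a rate threshold: a beat is 'faster' iff its interval < ms(bpm)."""
    return 60000.0 / bpm


def n_faster(intervals, bpm) -> int:
    return sum(1 for x in intervals if x < ms(bpm))


def is_vt_not_svt(p: Params, v, a, fcc) -> bool:
    """SVT discrimination run when the VT duration expires: D5, then D6, then D7. True = treat."""
    v_rate, a_rate = 60000.0 / mean(v), 60000.0 / mean(a)
    if v_rate >= a_rate + 10:                               # D5: V rate faster than A rate
        return True
    if sum(1 for f in fcc if f > p.rm_score) >= 3:          # D6: morphology matches NSR -> SVT
        return False
    afib = n_faster(a, p.afib_bpm) >= 6                     # D7: fast atria ...
    stable = pvariance(v) < STABILITY_VAR_MS2               # ... and stable ventricles -> SVT
    return not (afib and stable)


def step(p: Params, s: State, window: List[Cycle]) -> Tuple[State, bool]:
    """One ventricular event: the deterministic transition, returning the next state
    and whether therapy is required in this cycle."""
    in_vf, in_vt, clk_vf, clk_vt = s
    v = [c[0] for c in window]; a = [c[1] for c in window]; fcc = [c[2] for c in window]
    last = v[-1]
    therapy = False
    # VF zone: D2 keeps the duration running; expiry delivers therapy unconditionally.
    if in_vf:
        if n_faster(v, p.vf_bpm) >= 6 and last < ms(p.vf_bpm):   # D2: episode persists
            clk_vf += last
            if clk_vf >= p.vf_dur_ms:
                therapy, in_vf = True, False
        else:
            in_vf = False                                          # episode did not persist
    if not in_vf:                                                  # outside, or just left, VF duration
        clk_vf = 0.0
        in_vf = n_faster(v, p.vf_bpm) >= 8                         # D1: (re)start VF duration
    # VT zone: expiry of the VT duration is followed by SVT discrimination (D5-D7).
    if in_vt:
        if n_faster(v, p.vt_bpm) >= 6 and last < ms(p.vt_bpm):   # D4
            clk_vt += last
            if clk_vt >= p.vt_dur_ms:
                in_vt = False
                therapy = therapy or is_vt_not_svt(p, v, a, fcc)
        else:
            in_vt = False
    if not in_vt:
        clk_vt = 0.0
        in_vt = n_faster(v, p.vt_bpm) >= 8                         # D3
    return (in_vf, in_vt, clk_vf, clk_vt), therapy


def rhythm_id(p: Params, signal: List[Cycle]) -> List[bool]:
    """Therapy signal: one Boolean per heart cycle, obtained by unrolling step()."""
    s, out = INIT, []
    for k in range(len(signal)):
        s, t = step(p, s, signal[max(0, k - 9):k + 1])   # discriminators see the last ten cycles
        out.append(t)
    return out


def constant_signal(n: int, v_ms: float, a_ms: float, fcc: float) -> List[Cycle]:
    return [(v_ms, a_ms, fcc)] * n


# Constructed signals (assumption, not the synthetic EGM dataset).
VF_LIKE = constant_signal(40, 250.0, 800.0, 0.30)    # 240 BPM ventricles, 75 BPM atria, poor NSR match
SVT_LIKE = constant_signal(40, 360.0, 360.0, 0.97)   # 1:1 SVT at ~167 BPM, morphology matches NSR

if __name__ == "__main__":
    for name, p in [("nominal", NOMINAL),
                    ("VF threshold raised to 250 BPM", Params(250, 160, 170, 1000, 2500, 0.94)),
                    ("Rhythm Match raised to 0.98", Params(200, 160, 170, 1000, 2500, 0.98))]:
        vf, svt = rhythm_id(p, VF_LIKE), rhythm_id(p, SVT_LIKE)
        print(f"{name}: VF-like therapy at cycles {[k for k, t in enumerate(vf) if t][:3]}, "
              f"SVT-like therapy at cycles {[k for k, t in enumerate(svt) if t][:3]}")
```

Running it shows the two attack shapes discussed in Section 3: raising only the VF threshold does not prevent therapy on the VF-like signal (the VT branch still treats it, later, through D5), whereas raising only the Rhythm Match threshold turns the SVT-like signal, which the assumed nominal settings correctly leave untreated, into one that receives therapy through D7.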
2.2. Generation of Synthetic EGMs
Discrimination algorithms utilize two elements of EGMs for feature extraction: the timing of atrial and ventricular events, and the morphology of far-field ventricular events. Jiang et al. (Jiang et al., 2016) have developed a heart model that generates realistic synthetic EGMs, which can be used to evaluate the safety and efficacy of discrimination algorithms.
The timing of heart events is generated by a timed-automata model of the electrical conduction system of the heart (Jiang et al., 2012), which allows simulating cardiac dynamics under different parameter settings. The morphology of far-field ventricular events is sampled from a large database of real patient EGM records (Electrogram, 2018). EGM signals are then synthesized by overlaying the sampled EGM morphology templates on the sequence of cardiac events generated by the timed model.
Finally, different heart conditions are reproduced by running the timed-automaton model on different parameters. For example, a generic SVT condition has ventricular intervals in the range of ms; then, EGMs for a specific SVT condition are synthesized by uniformly sampling parameters from a sub-interval of this range.
Jiang et al. generated synthetic EGMs for the 19 heart conditions specified in the RIGHT clinical trial (Berger et al., 2006), a trial designed to evaluate the BSc discrimination algorithm. The validity and faithfulness of these EGMs were confirmed by electrophysiologists. In this paper, we therefore use the same synthetic EGM dataset. The signals are open-loop (i.e., fixed): our attack model does not require closed-loop modeling, as explained in Section 3.
3. Attack model
We present a model-based approach to synthesizing reprogramming attacks on ICDs, as the attacks are not evaluated on the actual physical device but on a model of the device. The BSc algorithm model that we consider was compiled from device manuals and the medical literature, and faithfully reproduces the behavior of the real device in terms of arrhythmia discrimination and therapy, as discussed in Section 2. We focus on reprogramming attacks where the attacker manipulates the parameter values of the victim’s ICD with the aim of causing harm while going undetected. These two objectives are respectively called the effectiveness and stealthiness of the attack, and are formalized in Section 4.
An attack is effective when it compromises the decision of the discrimination algorithm in such a way that a required therapy is prevented (e.g., during VF), or an inappropriate therapy is introduced (e.g., during SVT). Our attack model is concerned with inducing at least one compromised decision, which suffices to cause adverse or even fatal effects: depriving a patient of treatment for VF can lead to sudden cardiac death, while inappropriate shocks can result in damaging heart-tissue remodeling and cause significant psychological distress (Jiang et al., 2016). Note that the unaltered parameters can themselves have a low rate of inappropriate or missed therapy (Berger et al., 2006), which is, however, negligible compared to that of malicious parameters.
In our attack model, stealthiness depends on the clinician's ability to detect the attack. We are therefore interested in finding malicious parameters that exhibit small deviations from the clinical settings of the victim's ICD, changes that are difficult for the clinician to notice or that can be mistaken for human error. Indeed, the victim has no means to monitor their ICD parameters outside of the clinic, and upon experiencing unusual activity by the ICD, s/he will likely seek medical aid rather than suspect a cyber-attack. Hence, the in-clinic setting is of primary interest. Moreover, the victim will likely be unable to detect the attacker on the spot, because a successful malicious reprogramming does not typically induce adverse outcomes immediately but with some delay, depending on how frequently the victim experiences arrhythmia and on the probability that the reprogrammed parameters mis-classify that arrhythmia.
Reprogramming attacks are synthesized in an offline training phase, which allows the attacker to obtain malicious parameters with optimal effectiveness and stealthiness with respect to a set of training EGM signals. Such parameters are derived by solving a multi-objective optimization problem over a set of logical constraints describing the behavior of the discrimination algorithm over the training signals. We solve the problem through SMT-based techniques that are guaranteed to find parameters attaining the exact optimal effectiveness-stealthiness front (see Sections 4 and 5).
The malicious parameters synthesized in the training phase are validated using a disjoint test dataset. In this way, we can evaluate how the attack generalizes with previously unseen signals, which mimic the unknown EGM of the victim.
We assume that the attacker has no knowledge of the victim's ICD parameters, and thus that their best strategy is to train the attack by assuming that the default (unaltered) parameters correspond to the nominal values (see Table 1). Therefore, the stealthiness computed under nominal parameters might deviate from that under the actual victim's parameters. However, this discrepancy is limited by the fact that condition- or patient-specific parameters tend to be close to the nominal ones, which are considered safe for any kind of arrhythmia requiring an ICD (Moss et al., 2012), i.e., nominal parameters provide a good estimate of the victim's parameters.
Due to limited availability of real patient signals, we choose to work with synthetic EGMs. We remark, however, that our approach supports both. The automated EGM generation method of Section 2.2 gives the attacker a crucial advantage: if the attacker knows that the victim is affected by a specific arrhythmia, then it can tailor the attack to the victim in question by generating a training dataset of synthetic signals with that arrhythmia. In our evaluation, we consider training datasets tailored to specific conditions (condition-specific attacks) as well as more generic datasets that include signals for different arrhythmias (condition-agnostic attacks). The latter are suitable when the attacker has little knowledge of the victim’s condition.
Open-loop EGM signals are adequate for our purposes because successful attacks do not affect the signals in a significant way: when the attack prevents a required shock for an EGM with arrhythmia, the arrhythmia persists and the EGM is unaffected; when the attack introduces inappropriate shocks during an already normal heart rhythm, the EGM is also unaffected, as shocks restore the electrical activity of the heart to normal sinus rhythm.
We now discuss the additional assumptions under which our model-based method applies to real-world attacks carried out over radio using software-defined radios.
Firstly, the attacker must know the ICD model of the victim, so that it can select the appropriate discrimination algorithm to use in the training phase. The ICD model can be revealed by sending discovery signals to the device (as shown in (Halperin et al., 2008)), or from the victim’s medical records. To change the parameter settings, the attacker also must know the communication protocol of the ICD, which can be reverse-engineered as also shown in (Halperin et al., 2008). In our work, we focus on a single discrimination algorithm. Due, however, to the universality of discriminators, our approach can be easily adapted to other algorithms.
Secondly, the radio antenna transmitting the attack signals must be physically close to the victim. To do so, the attacker could approach the victim (e.g., in a crowded space) or hide/disguise the transmitter and leave it running in proximity of the victim.
Previous studies have proposed methods for preventing attacks on implantable medical devices, but to date, none of these have been put in place by device manufacturers. A solution is securing device accesses through an authentication token (smart card, NFC device, etc.) that shares a secret key with the device. The patient would provide these credentials to grant the clinician access to the device. To further secure the authentication, the key could be derived from some of the patient’s biometrics, such as the electrocardiogram (Xu et al., 2011). In emergency situations where the token might not be available, one could restrict access from devices only at very close proximity, as done in (Rasmussen et al., 2009). Finally, a simple detection method would be notifying the patient with a beep whenever a communication happens with the device (Halperin et al., 2008).
4. Problem Formulation
We formalize the synthesis of reprogramming attacks (which corresponds to the training phase) as a multi-objective optimization problem that seeks to derive ICD parameters achieving two main (and contrasting) objectives: effectiveness, i.e., the attack must maximize therapy disruption; and stealthiness, i.e., the attack must be difficult to detect.
For a set , denotes the Kleene closure of . For a sequence , denotes its length and, for , denotes its -st element. Let be the set of -dimensional, finite-length, discrete-time cardiac signals. For signal , correspond to the values of atrial, ventricular and shock EGMs () at the -st sample of the signal.
Parameters are tuples , where is the value of the -th ICD parameter, and is its finite domain (for each parameter there is a finite set of programmable values – see Table 1). We denote with the set of possible parameterizations.
From an abstract viewpoint, we can characterize a discrimination algorithm as a function , where is the set of Boolean sequences. For parameters and signal , is a Boolean-valued sequence called a therapy signal, with as many elements as the number of heart cycles in . For , is true if the ICD requires delivering therapy at the -th heart cycle, and is false otherwise. Recall from Section 2 that the discrimination algorithm is only invoked at each ventricular event (corresponding to the end of the heart cycle), and thus, intermediate time points between two ventricular events are not relevant to studying therapy decisions. Note that we do not consider ICD parameters that affect the detection of ventricular events, meaning that the length of the therapy signal stays the same for any .
Let be the default parameters of ICD algorithm , and be an attack parameter. The effectiveness of is evaluated over an input dataset of signals (either training or test dataset), and is denoted by .
Following our description of the attack model, we define effectiveness as the proportion of signals in where the attack prevents the ICD from delivering any therapy when, without the attack, it would deliver some, and forces the ICD to deliver some therapy when, without the attack, it would deliver none:
where is the indicator function, and is the therapy reachability value, describing whether or not therapy is administered at any point for signal and parameters :
Therapy reachability is motivated by the fact that we employ synthetic EGMs reflecting a number of arrhythmogenic (VF/VT-like) and non-arrhythmogenic (SVT-like) situations, with the former requiring device-delivered therapy and the latter requiring that such therapy not be delivered. We deem an attack successful on an EGM if the EGM is mis-classified in this manner.
In practice, attacks that prevent therapy during VF or VT can be fatal (these arrhythmias can lead to sudden cardiac death (Jiang et al., 2016)) and thus are more dangerous than attacks introducing unnecessary therapy during SVT. In our definition of effectiveness, these two cases are given the same importance to avoid excessive bias towards attacks preventing therapy. Also, VT/VF-like and SVT-like EGMs should never occur in the same set of training or test data, because attacks that can both prevent therapy (for VT/VF) and introduce unnecessary therapy (for SVT) are clearly impossible.
Consider the example of Figure 4 showing a set of signals of length 8 and the corresponding therapy signals for the default () and reprogrammed () parameters. For signal , two therapy episodes occur at cycles and , respectively. In this case, the attack is not effective as it manages to prevent only one of the two therapies. In contrast, the attack is effective for (therapy prevented) and (therapy introduced). For , the attack only delays the therapy so it is not considered successful. The overall effectiveness of the attack is thus .
An attack is considered stealthy when the deviation between the reprogrammed parameters and the default parameters is small. To capture this deviation, we introduce a measure of parameter distance that we seek to minimize to achieve optimal stealthiness. Since ICD parameters can be only programmed to a finite set of values, we quantify the distance between two parameters as the number of programmable values separating them.
For , let be the programmable values for the -th ICD parameter. W.l.o.g. assume that the values are ordered. Rewrite the default parameters as and the attack parameters as , i.e., is the index of the element of corresponding to the value of the -th parameter in . is defined in an analogous way for . Then, the distance between and is defined as:
We explain (3) with an example. Suppose that the -th parameter is from Table 1, which can be programmed to any value in the set , . We set using the nominal value of for , which corresponds to the 4-th element of . Hence, . Consider attack parameters where is set to , i.e., the 8-th value of (). The distance relative to is the number of programmable values separating the default setting () and the attack (), which is given by . Indeed, the two are separated by four programmable values (). The overall distance is the maximum separation over all ICD parameters. See Figure 5.
This notion of distance assumes that parameters are equipped with a linear order, which is the case for all numeric parameters of the BSc ICD algorithm. For categorical parameters, one could either assign the same distance to all categories different from the nominal one, or repeat the synthesis for each category.
Optimal stealthy attacks.
We formulate the synthesis of stealthy reprogramming attacks as a multi-objective optimization problem, where we seek to optimize effectiveness and stealthiness (maximize and minimize ) of the parameters w.r.t. a set of training EGMs. Multi-objective optimization allows one to derive the optimal trade-off between multiple, possibly contrasting objectives, implying that we do not need to assume any weight or priority ordering for the objectives. The result of this analysis is a so-called Pareto front, i.e., a set of non-dominated points in the objective space of possible effectiveness and parameter distance values.
Problem 1 (Reprogramming attack synthesis).
For effectiveness objective and distance objective , training set of signals , find the set of Pareto-optimal parameters, i.e.:
Consider for instance two parameters and , such that for some , , , , and . has better effectiveness than and same distance, so dominates , meaning that cannot be in the Pareto-optimal front. is in the Pareto-optimal front if there are no parameters that dominate it.
To quantify how well the attacks generalize to unseen data, we introduce a validation score defined as the average deviation of the attack effectiveness between training and test data.
Given a training set , a set of Pareto-optimal parameters with respect to , and a test set , we define the validation score as: . Positive values indicate that the parameters have better performance with unseen data than with training data, whereas negative values imply the opposite. Note that the validation score need not consider stealthiness because this is independent of the signals.
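As an added example (not the paper's implementation), the following Python code computes the quantities of this section over therapy signals produced by a discrimination algorithm F: therapy reachability, effectiveness as the fraction of signals whose reachability flips, the parameter distance as the number of programmable steps, the Pareto front of Problem 1 by dominance, and the validation score. Two things are assumptions: the parameter value sets (stand-ins for those of Table 1), and `toy_algo`, a deliberately tiny two-parameter discriminator used in place of Rhythm ID so that the front can be computed by exhaustively enumerating the parameter space; that enumeration is feasible only for such tiny domains and is not the OMT method of Section 5. The training and test signals are constructed.

```python
from itertools import product
from statistics import mean
from typing import Callable, Dict, List, Sequence

Params = Dict[str, float]
Signal = Sequence[float]                       # ventricular intervals (ms), one per cycle
Algo = Callable[[Params, Signal], List[bool]]  # F: (params, signal) -> therapy signal

# Assumed ordered programmable values, standing in for the value sets of Table 1.
DOMAINS: Dict[str, List[float]] = {
    "rate_bpm": [150, 160, 170, 180, 190, 200, 210, 220],
    "dur_beats": [1, 2, 3, 4, 6, 8, 12, 16],
}
DEFAULT: Params = {"rate_bpm": 160, "dur_beats": 3}   # assumed nominal setting


def toy_algo(p: Params, intervals: Signal) -> List[bool]:
    """Stand-in for F (an assumption, not Rhythm ID): therapy once 8 of the last 10
    intervals have been faster than rate_bpm for dur_beats consecutive cycles."""
    out, run = [], 0
    for k in range(len(intervals)):
        win = intervals[max(0, k - 9):k + 1]
        fast = sum(1 for x in win if x < 60000.0 / p["rate_bpm"]) >= 8
        run = run + 1 if fast else 0
        out.append(run >= p["dur_beats"])
    return out


def reach(therapy: List[bool]) -> bool:
    """Therapy reachability: is therapy administered at any cycle of the signal?"""
    return any(therapy)


def effectiveness(F: Algo, default: Params, attack: Params, data: List[Signal]) -> float:
    """Fraction of signals whose therapy reachability flips under the attack; a merely
    delayed or partially suppressed therapy does not count."""
    flips = sum(1 for s in data if reach(F(default, s)) != reach(F(attack, s)))
    return flips / len(data)


def distance(default: Params, attack: Params) -> int:
    """Max over parameters of the number of programmable steps between the two settings."""
    return max(abs(DOMAINS[n].index(default[n]) - DOMAINS[n].index(attack[n])) for n in DOMAINS)


def dominates(a, b) -> bool:
    """(effectiveness, distance) pair a dominates b: no worse in both, strictly better in one."""
    return a[0] >= b[0] and a[1] <= b[1] and a != b


def pareto_front(F: Algo, default: Params, train: List[Signal]):
    """Problem 1 by exhaustive enumeration of the finite parameter space.
    Returns every non-dominated (effectiveness, distance, params) triple."""
    cands = [dict(zip(DOMAINS, vals)) for vals in product(*DOMAINS.values())]
    scored = [(effectiveness(F, default, p, train), distance(default, p), p) for p in cands]
    objs = [(e, d) for e, d, _ in scored]
    return [(e, d, p) for e, d, p in scored if not any(dominates(o, (e, d)) for o in objs)]


def validation_score(F: Algo, default: Params, front, train: List[Signal], test: List[Signal]) -> float:
    """Average over Pareto-optimal params of effectiveness(test) - effectiveness(train);
    distance is omitted because it does not depend on the signals."""
    return mean(effectiveness(F, default, p, test) - effectiveness(F, default, p, train)
                for _, _, p in front)


# Constructed VT-like signals: constant ventricular intervals over 20 cycles.
TRAIN: List[Signal] = [[x] * 20 for x in (300.0, 320.0, 330.0, 350.0)]
TEST: List[Signal] = [[x] * 20 for x in (310.0, 340.0, 360.0)]

if __name__ == "__main__":
    front = pareto_front(toy_algo, DEFAULT, TRAIN)
    for e, d in sorted({(e, d) for e, d, _ in front}):
        print(f"effectiveness={e:.2f} distance={d}")
    print("validation score:", validation_score(toy_algo, DEFAULT, front, TRAIN, TEST))
```

The front contains the untouched default (effectiveness 0, distance 0) together with the points where one more programmable step flips the reachability of more training signals, and several parameterizations map to the same objective point, which is why the front is returned as parameters rather than as objective values. A positive validation score means the front's parameters flip a larger share of the constructed test signals than of the training signals.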
5. OMT Encoding
In this section, we present a solution method for the reprogramming attack synthesis problem (Problem 1). We formalize the behavior of the BSc discrimination algorithm in the framework of Satisfiability Modulo Theories (SMT) (Barrett et al., 2009), within which the ICD algorithm is described as a set of first-order formulas over some (decidable) background theory. Parameters are represented as uninterpreted constants in the SMT encoding, and parameter synthesis corresponds to finding a satisfying assignment to those constants, i.e., a so-called model. In particular, we formulate Problem 1 as an Optimization Modulo Theories (OMT) problem, i.e., an extension of SMT for finding models that optimize given objectives (Bjørner et al., 2015).
The synthesis of optimal reprogramming attacks is difficult as it entails solving a combinatorial multi-objective optimization problem (non-continuous, non-convex) constrained by the behavior of the discrimination algorithm, which cannot be captured by simple (in)equality constraints. Therefore, classical optimization methods such as linear or convex programming are not suitable, while metaheuristics such as genetic algorithms offer no guarantee of optimality. In contrast, OMT is uniquely suited to solve this problem, as the ICD algorithm can be adequately encoded as SMT constraints and the parameters found by OMT are guaranteed to be optimal.
Since we are interested in analyzing the behavior of the algorithm offline over a fixed set of EGM signals, we can pre-compute for each signal the non-linear operations underlying some of the discriminators, such as the Rhythm Match score. This allows us to encode the problem over the decidable theory of quantifier-free linear integer real arithmetic (SMT QF_LIRA). Importantly, we pre-compute only the operations that are not affected by the ICD parameters, meaning that our encoding accounts for all possible behaviors induced by different parametrizations.
W.l.o.g. assume that the training dataset is indexed. The behavior of the algorithm for the -th signal is described by a sequence of symbolic states , one for each cardiac cycle, where is the number of cycles in the -th signal. The evolution of the discrimination algorithm over the training signals is characterized by the following formula (inspired by bounded model checking (Biere et al., 1999)):
where is a predicate describing the programmable values of the ICD parameters (see Table 1); is the predicate for constraining the initial state of the algorithm, and is the transition relation determining from the current state and heart cycle, the admissible states of the algorithm at the next cycle. In our case, the transition relation is deterministic, i.e., for fixed and , there exists only one state such that holds. In (5), states are implicitly existentially quantified.
In the BSc algorithm, the state for the -th signal and -th heart cycle is represented by
where and tell whether or not the algorithm is, respectively, in the VF duration and VT duration mode, with being the clocks that keep track of time spent in the respective modes. The clocks are digital () and measure the time in milliseconds. Note that the value of the therapy signal is not part of the state but, as we shall see, is encoded as a state predicate.
For any signal , the initial state of the algorithm is given by the following predicate
indicating that the algorithm is in neither duration mode and that both clocks are set to zero.
An example path of the BSc algorithm encoding is given below. denotes a transition between states and at the -th heart cycle, i.e., such that holds.
The transition at marks the start of VT duration ( passes from to ). The algorithm stays in VT duration for 13 more heart cycles during which the episode persists, until it reaches the end of the timer: at the start of the 26th cycle the VT clock evaluates to , but at the end of the cycle the clock would exceed the VT duration parameter which, in this example, is set to the nominal value milliseconds (footnote 1: to produce a concrete path, we must fix an interpretation for the ICD parameters). At this point, it delivers therapy and resets the VT clock, going back to state .
The transition relation encodes the behavior of the discrimination algorithm presented in Section 2. For the sake of simplicity, we omit the signal index from the equations below.
(6) establishes that VF duration starts in the next state ( holds) when predicate holds and either we are not in VF duration () or the current VF duration mode has just ended (). (7) is the analogue for the VT zone. Predicate encodes the first discriminator of the BSc algorithm (at least 8 of the last 10 ventricular intervals faster than ), and is defined by:
where is the if-then-else function, and is the duration of the ventricular interval for the -th cycle. Ventricular intervals are pre-computed from the input signals and thus have fixed interpretation in the SMT encoding. Predicate is defined as:
is true when the episode does not persist ( encodes the second BSc discriminator), or when the duration expires, i.e., holds ( is the time spent in VF duration at the end of the -th cycle). and are uninterpreted constants representing the (unknown) ICD parameters to synthesize for the VF detection threshold and VF duration, respectively. Predicates , , and are defined in an analogous way for the VT zone. (8) states that if we are not in VF duration and does not hold, then VF duration cannot start in the next state. (9) is the analogue of (8) for the VT zone. (10) and (11) handle the situation in which the algorithm exits the VF and VT duration modes, respectively, and a new duration cannot start because no new episode is detected (i.e., in the case of VF, holds). (12) and (13) consider the opposite situation, in which the algorithm stays in the VF/VT duration mode and the corresponding clock is updated. (14) and (15) express that the VF and VT duration clocks are set to zero when the algorithm is outside the corresponding duration mode, or when the mode has just ended.
Finally, we introduce the predicate indicating whether or not therapy is administered at the -th cycle, in this way providing a symbolic representation of the therapy signal, i.e., for signal and parameters , corresponds to .
The formula captures the discrimination tree presented in Section 2. encode the last three BSc discriminators. is true if the average ventricular rate is at least 10 BPM faster than the average atrial rate. does not depend on any ICD parameter and is therefore pre-computed to improve efficiency. and are given by:
where and are pre-computed constants, respectively indicating the Rhythm Match score and the variance of the last 10 ventricular intervals. is the pre-computed duration of the -th atrial interval, where is the number of atrial intervals that occurred within heart cycles. , and are the symbolic encodings of the corresponding ICD parameters.
Effectiveness and stealthiness encoding.
We show how to encode effectiveness maximization as a MaxSMT problem. For each signal , we define the following soft constraint:
where is the therapy reachability value (telling whether or not therapy is administered at any point) for signal and default parameters. can be pre-computed for efficiency. represents the therapy reachability value for the attack parameters, and thus, is true if the attack disrupts the default therapy. Note that maximizing the effectiveness defined in (1) is equivalent to maximizing the number of constraints satisfied. Hence the MaxSMT formulation.
Parameter distance is encoded as an uninterpreted integer constant to minimize, . Recall that we measure the distance between two parameters as the number of programmable values separating them, and that in BSc ICDs, any parameter has a finite number of numeric programmable values. It follows that has a finite domain, i.e., (footnote 2: where is the number of programmable values for the -th parameter and is the index of its default value).
We encode in an implicit way, that is, we do not add constraints for (3) but we restrict the parameter domains conditioned on the distance value as follows:
where is the SMT encoding of the -th parameter, , and . In other words, is the -th closest left neighbor of ’s default value, is its -th closest right neighbor. Therefore, restricts the domain of to values with distance at most , from which the correctness of (24) follows.
To clarify this encoding, below is shown part of the concrete instantiation of (24) relative to parameter :
Synthesis of Pareto-optimal attacks.
The OMT solver returns the set of Pareto-optimal objective values, i.e., the set of all pairs such that and for some Pareto-optimal parameter w.r.t. training set . For each , the solver computes a witness yielding that Pareto-optimal objective value. The set of synthesized parameters is the set of all such . This implies that we synthesize a subset of , since the witness might not be unique, but we do not exclude any point in the space of Pareto-optimal objectives.
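To make the encoding of this section concrete, the following added example (not code from the paper) gives a plain-Python interpretation of the duration-mode transitions (6)-(15), the therapy predicate, the per-signal soft constraint of the effectiveness encoding, and the parameter-domain restriction (24); an OMT encoding would be the symbolic unrolling of exactly these steps. It assumes that the VF and VT zones evolve independently, that "the episode persists" means the current interval is still faster than the zone threshold, and that VT-zone therapy is withheld when the pre-computed D5-D7 verdict says SVT; the programmable value lists are constructed, and only the nominal values and the 110/90 BPM minima come from the text.

```python
"""Concrete interpretation of the BSc duration/therapy encoding (clauses 6-15 and the
therapy predicate) and of the implicit parameter-distance restriction (24).
Added example, not the paper's code; simplifying assumptions are marked below."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    vf_bpm: int     # VF detection threshold (BPM)
    vt_bpm: int     # VT detection threshold (BPM)
    vf_dur_ms: int  # VF duration (ms)
    vt_dur_ms: int  # VT duration (ms)


NOMINAL = Params(vf_bpm=200, vt_bpm=160, vf_dur_ms=1000, vt_dur_ms=2500)  # from the text


def ms(bpm):
    """Interval threshold: an interval is 'faster' than a rate if shorter than this."""
    return 60000 / bpm


def fast(intervals, i, bpm):
    """D1: at least 8 of the last 10 ventricular intervals faster than bpm (the ite-sum)."""
    return i >= 9 and sum(1 for v in intervals[i - 9:i + 1] if v < ms(bpm)) >= 8


def step(state, v, hit, persists, dur_ms):
    """One zone's transition, state = (in_duration, clock_ms), for cycle interval v.
    Returns (next_state, duration_expired); the same code serves the VF and VT zones."""
    in_dur, clk = state
    expired = in_dur and clk + v > dur_ms          # clock would exceed the duration at cycle end
    ended = in_dur and (not persists or expired)   # the duration mode ends in this cycle
    if not in_dur or ended:                        # (6)/(8)/(10): (re)start only on a fresh 8/10 hit
        return (hit, 0), expired                   # (14): clock is zero outside the mode / just ended
    return (True, clk + v), False                  # (12): stay in the mode, advance the digital clock


def run(intervals, p, svt_verdict=None):
    """Unroll the path over one EGM (ventricular intervals in ms) and return the cycles
    at which therapy is delivered. svt_verdict[i] plays the role of the pre-computed
    D5-D7 verdict; assumption: VT-zone therapy is withheld when the tree says SVT."""
    vf, vt, therapy = (False, 0), (False, 0), []
    for i, v in enumerate(intervals):
        # assumption: 'the episode persists' = this interval is still faster than the zone rate
        vf, vf_exp = step(vf, v, fast(intervals, i, p.vf_bpm), v < ms(p.vf_bpm), p.vf_dur_ms)
        vt, vt_exp = step(vt, v, fast(intervals, i, p.vt_bpm), v < ms(p.vt_bpm), p.vt_dur_ms)
        svt = bool(svt_verdict and svt_verdict[i])
        if vf_exp or (vt_exp and not svt):
            therapy.append(i)
    return therapy


def therapy_disrupted(intervals, current, svt_verdict=None):
    """The per-signal soft constraint of the MaxSMT encoding: therapy reachability under
    `current` differs from reachability under the nominal parameters."""
    return bool(run(intervals, NOMINAL, svt_verdict)) != bool(run(intervals, current, svt_verdict))


# Programmable value lists are CONSTRUCTED for this example (the real ones are in the
# device reference guide); only the nominal values and the 110/90 BPM minima are from the text.
PROGRAMMABLE = {
    "vf_bpm": list(range(110, 260, 10)),
    "vt_bpm": list(range(90, 220, 10)),
    "vf_dur_ms": [1000, 1500, 2000, 2500, 3000, 5000],
    "vt_dur_ms": [1000, 1500, 2000, 2500, 3000, 5000, 10000],
}


def step_distance(name, value):
    """Number of programmable values separating `value` from the parameter's default."""
    vals = PROGRAMMABLE[name]
    return abs(vals.index(value) - vals.index(getattr(NOMINAL, name)))


def admissible(name, d):
    """Implicit encoding of (24): values of `name` whose step distance from default is <= d."""
    vals = PROGRAMMABLE[name]
    k = vals.index(getattr(NOMINAL, name))
    return vals[max(0, k - d):k + d + 1]


# Constructed EGMs: 30 intervals of 340 ms (~176 BPM, VT zone only) and 20 of 250 ms (240 BPM).
VT_EGM, VF_EGM = [340] * 30, [250] * 20

if __name__ == "__main__":
    print(run(VT_EGM, NOMINAL), run(VF_EGM, NOMINAL))               # [17, 25] [14, 19]
    print(therapy_disrupted(VT_EGM, Params(200, 190, 1000, 2500)))  # True
```

Running the nominal path on the 340 ms signal reproduces the structure of the example path above: VT duration starts after the tenth interval, the clock advances until its end-of-cycle value would exceed the VT duration, therapy is delivered and the clock resets.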
6. Results and discussion
We apply our method to the synthesis of condition-specific attacks. We employ synthetic EGMs for 19 different conditions, generated through the method of Section 2.2, and synthesize Pareto-optimal parameters using a training set of 100 signals for each condition. We validate the attacks with test sets of 50 signals per condition (disjoint from the training sets). In our experiments, we found that the performance with unseen test signals stays relatively constant for any training set size larger than 40; see Figure 8 in the Appendix. Thus, 100 training signals provide a sufficiently complete representation of the signal space. All EGMs have a duration of 30 seconds, but their lengths – given by the number of heart cycles – vary depending on the ventricular interval duration.
These 19 arrhythmias can be broadly classified into two categories: VT and SVT. The former consists of arrhythmias where the majority of signals require ICD therapy (based on the nominal parameters), and thus it covers both VT and VF. The latter includes conditions where most of the signals do not require therapy. In particular, we have 8 VT and 11 SVT conditions, with all VT signals requiring therapy at some point and all SVT signals not requiring any therapy.
We also synthesize condition-agnostic attacks, suitable when the attacker has little knowledge of the victim. Specifically, we consider two attacks for generic VT and SVT conditions, using training sets of 200 EGMs derived by randomly choosing among the 8 VT-like conditions and the 11 SVT conditions, respectively. We validate the two attacks with disjoint test sets of 100 signals.
The method for generating synthetic EGMs was implemented in MATLAB. For parameter synthesis, we used the z3 SMT solver (Bjørner et al., 2015).
Table 2. Statistics of the synthesized Pareto-optimal attacks for the 19 conditions (the header row was lost in extraction; column names are inferred from the discussion in this section).

| Condition | Type | Effectiveness, mean [min, max] | Parameter distance, mean [min, max] | Pareto-optimal points | Validation score | Runtime (s) | Path length (heart cycles), mean [min, max] |
|---|---|---|---|---|---|---|---|
| 1 | SVT | 0.338 [0.02, 0.87] | 15.5 [13, 18] | 6 | -0.0217 | 776 | 57.59 [53, 62] |
| 2 | SVT | 0.397 [0.04, 0.92] | 15.5 [13, 18] | 6 | -0.0433 | 459 | 58.19 [55, 63] |
| 3 | VT | 0.497 [0.01, 1.00] | 6.583 [1, 13] | 12 | -0.0033 | 4776 | 90.48 [81, 100] |
| 4 | VT | 0.561 [0.01, 1.00] | 9.583 [4, 16] | 12 | 0.0025 | 8208 | 84.64 [74, 95] |
| 5 | SVT | 0.505 [0.01, 1.00] | 9.154 [1, 17] | 13 | -0.0523 | 1894 | 64.3 [58, 70] |
| 6 | SVT | 0.298 [0.03, 0.55] | 10 [4, 18] | 9 | 0.02 | 455 | 61.03 [54, 73] |
| 7 | VT | 0.504 [0.01, 1.00] | 9.357 [2, 16] | 14 | -0.0593 | 5270 | 84.36 [75, 96] |
| 8 | SVT | 0.170 [0.01, 0.48] | 9.5 [7, 12] | 6 | -0.05 | 460 | 48.64 [42, 57] |
| 9 | SVT | 0 [0, 0] | 0 [0, 0] | 1 | 0 | 279 | 47.72 [44, 51] |
| 10 | VT | 0.565 [0.01, 1.00] | 7.091 [2, 13] | 11 | -0.0518 | 4739 | 89.34 [80, 102] |
| 11 | SVT | 0.033 [0.01, 0.06] | 11 [10, 12] | 3 | -0.0267 | 343 | 45.87 [43, 52] |
| 12 | SVT | 0.326 [0.01, 0.75] | 11.385 [3, 18] | 13 | -0.0077 | 876 | 59.39 [54, 66] |
| 13 | SVT | 0.084 [0.01, 0.20] | 16 [14, 18] | 5 | -0.036 | 363 | 50.38 [46, 56] |
| 14 | SVT | 0.067 [0.01, 0.16] | 15.333 [12, 18] | 6 | -0.01 | 539 | 52.01 [48, 59] |
| 15 | SVT | 0.498 [0.01, 0.92] | 13.5 [11, 16] | 6 | 0.0083 | 374 | 51.23 [36, 60] |
| 16 | VT | 0.468 [0.02, 0.99] | 6 [1, 11] | 11 | -0.0064 | 4419 | 89.06 [80, 100] |
| 17 | VT | 0.490 [0.05, 1.00] | 10.6 [6, 16] | 10 | -0.004 | 2699 | 84.82 [75, 95] |
| 18 | VT | 0.517 [0.04, 1.00] | 10.7 [6, 16] | 10 | -0.009 | 2489 | 84.45 [75, 95] |
| 19 | VT | 0.506 [0.04, 1.00] | 10.6 [6, 16] | 10 | -0.02 | 2812 | 84.87 [75, 96] |
Table 2 provides statistics on the synthesized Pareto-optimal attacks. Figure 6 shows the Pareto-optimal fronts for a selection of representative conditions (see Figure 7 in the appendix for the full set). The synthesized parameters for all conditions are in Tables 4-21 of the appendix.
Remarkably, the synthesized attacks attain validation scores that are either positive or very close to zero, indicating that the attacks generalize well with unseen data and, thus, would have comparable effectiveness when applied to the unknown EGM of the victim.
As visible in Table 2, our method can derive effective attacks for all VT conditions, since the corresponding Pareto fronts always contain a parametrization able to affect the therapy of all training signals (effectiveness 1), with the exception of condition 16 where the maximum effectiveness is 0.99. However, not all attacks on VT conditions are comparably stealthy (see Figure 6). For instance, for condition 10 a parameter distance of 7 ensures that the attack is effective with half of the training signals, while for condition 17, the same effectiveness level is obtained only at a distance of 11 from the nominal parameters (worse stealthiness).
In contrast, attacks on SVT conditions are not all equally successful. For condition 5 we can find parameters with 100% effectiveness as well as stealthier attacks that e.g. are able to affect almost 40% of the signals with a distance of only 5. For conditions 2 and 15 we obtain parameters with nearly 100% effectiveness but with poor stealthiness (the minimal distance of a Pareto-optimal attack is 13 and 11, respectively). Some EGMs turned out to be difficult to attack. Specifically, for condition 11 the strongest attack affects only 6% of the signals and, for condition 9, no Pareto-optimal attacks exist but the trivial one that leaves the nominal parameters unchanged.
The reason why VT conditions are easier to attack is that it takes only a minor increase to the VT and VF detection thresholds (parameters and ) to make the ICD mis-classify a tachyarrhythmia episode. On the other hand, and must be reprogrammed to very low values for the ICD to classify a slow heart rate as VT or VF to induce unnecessary therapy. This is not always possible because in SVT conditions, the heart rate is often below the lowest programmable values for (110 BPM) and (90 BPM), which explains why, for instance, no attack parameters exist that can affect condition 9. We remark that these results are provably correct because OMT is guaranteed to find Pareto-optimal attack parameters, when they exist.
Besides increasing and , the attacks on VT conditions synthesized by our method tend to increase the VF and VT durations ( and ), thus reducing the probability that the ICD classifies an episode as sustained, which is a necessary condition for delivering therapy. For instance, the most effective attack for condition 10 has BPM, BPM, s, and s, against nominal values of 200, 160, 1, and 2.5, respectively. For some VT conditions, the attacks also tamper with the VT zone-related parameters: they decrease the Rhythm Match score and the detection threshold for atrial fibrillation , while increasing the stability score (parameter ), making discriminators D6 and D7 more likely to be satisfied and thus tricking the ICD into classifying the episode as SVT. Indeed, for condition 10 the most effective reprogramming has (nominal 0.94), BPM (nominal 170), and (nominal 20).
Figure 7 compares nominal and reprogrammed parameters over an execution of the BSc algorithm at the start of a VF episode, using an EGM from condition 10. With nominal parameters, VF duration starts after the last 8/10 ventricular intervals faster than VF (see marker 1 in Fig. 7) and ends after an interval is found below the VF threshold (see marker 2). A new VF duration can start right away, ending this time with a therapy (marker T).
In this example, the reprogramming sets BPM (250 ms), BPM (325 ms), and s (corresponding to parameter #6 in Table 12 of the appendix). With the higher VF threshold, the attack leads to marking the VF episode as VT, triggering VT duration (marker 3). VT duration ends with one interval found below the reprogrammed VT threshold (marker 4). A new VT duration can start right away, but therapy is prevented due to the long .
Attacks on SVT conditions follow the opposite strategy. They tend to keep , , and at the minimum programmable values, thus increasing the probability that slow heart rhythms are classified as a sustained tachyarrhythmia episode. An example is condition 5, for which the most effective attack has BPM, BPM, s and s. Such an attack is 100% successful regardless of the other VT zone-related parameters, while for other SVT conditions we also need to increase the Rhythm Match threshold. In contrast, the parameters of discriminator D7, and , appear to have little effect.
Pareto fronts for the condition-agnostic attacks on VT and SVT, hereafter referred to as the VT attack and the SVT attack, are shown in Figure 8. The corresponding parameters are available in Tables 22 and 23 of the appendix. These attacks attain very good validation scores, comparable to the condition-specific scores, suggesting that our method also generalizes well to heterogeneous arrhythmias. The Pareto front for the VT attack has a similar profile to those for the condition-specific attacks: the effectiveness is poor for parameter distances below 5, increases sharply between distances 5 and 10, and grows slowly after that until it reaches 100% success at distance 16. The attack strategy is the same as that discussed for the condition-specific case: as the parameter distance grows, our method finds parameters with gradually higher values for , , , and , and lower values for and .
On the other hand, the parameters for the SVT attack reach a maximum effectiveness of 49% at distance 18, consistent with the fact that condition-specific attacks are reasonably successful only for a subset of SVT conditions. The attack strategy confirms our previous discussion, with the synthesized parameters having minimal values of , , and .
Performance and adequacy
Performance results for the synthesis of condition-specific attacks, reported in Table 2, show that VT conditions are more computationally demanding than SVT ones, with runtimes ranging from 2489 to 8208 seconds versus a range of 279 to 1894 seconds for SVT. The reason is that VT conditions are characterized by shorter ventricular intervals, leading to more heart beats for the same EGM duration and thus, to longer signals. The path length and the number of training signals are indeed the main factors affecting the complexity of OMT-based synthesis.
We demonstrate the adequacy of our approach by showing that the parameters synthesized through OMT comfortably outperform those found by a random search (RS). For this purpose, we ran RS for each condition with the same runtime as OMT, and compared the area under the curve (AUC) of the Pareto fronts obtained with OMT and RS, with both training and test EGMs. Higher AUC values imply better performance. We remark that the parameters found by OMT are guaranteed to be Pareto-optimal with respect to the training EGMs, and so RS (or any other optimization method) cannot have better performance on the training data. Indeed, RS yields AUC values strictly less than OMT for all conditions except 18 and 19, for which RS and OMT produced the same Pareto fronts (see Table 24 in the Appendix for the full set of AUC values). With test data, OMT outperforms RS on 11 conditions, while the opposite happens only for three conditions. For the remaining conditions, OMT and RS have equal AUC values. These results confirm that OMT exhibits superior performance also with regard to unseen signals.
7. Related work
The work of Halperin and colleagues (Halperin et al., 2008) was the first to show that ICDs can be accessed and reprogrammed by unauthorized users using off-the-shelf hardware. Unlike our work, however, they did not provide automated methods to derive stealthy attacks, nor did they consider the problem of tailoring the attacks based on the heart condition. Rather, they simply showed that they can disable all therapies, an attack which is easily detectable. Other examples are spoofing attacks on ICDs (Kune et al., 2013), attacks on insulin pumps and glucose monitors (Li et al., 2011), and on electrocardiogram-based biometrics (Eberz et al., 2017).
The work of Jiang et al. (Jiang et al., 2016) offers a model-based approach to analyze the accuracy of ICD algorithms by conducting in-silico trials on synthetic cardiac signals. Our work relies on (Jiang et al., 2016) for the generation of synthetic EGMs and the reverse-engineering of the Boston Scientific algorithm, but tackles the fundamentally different problem of designing stealthy attacks on ICDs, introducing a novel formalization of attack synthesis as multi-objective optimization, and an SMT-based encoding for its solution. In (Kwiatkowska et al., 2015), an SMT-based method is presented for the synthesis of cardiac pacemaker parameters that ensure safe heart rhythm and maximize robustness to parameter deviations. There are substantial differences between (Kwiatkowska et al., 2015) and our work, both in the problem under study (improving the pacemaker function versus compromising the ICD function), and in the kind of devices considered: pacemakers help correct slow heart rhythms through low-voltage electrical pulses, and thus follow completely different algorithms from ICDs.
Related research includes model-based methods for attack detection and identification in cyber-physical systems (Pasqualetti et al., 2013; Tiwari et al., 2014; Hei et al., 2015) and methods for secure state estimation, i.e., for reconstructing the plant state from attack-prone sensor data (Pajic et al., 2014; Fawzi et al., 2014), some of which employ, as we do, SMT-based techniques for this purpose (Shoukry et al., 2017).
SAT-based software verification techniques are applied in (Inverso et al., 2018) for the synthesis of spoofing attacks on control systems.
The lives of millions of patients rely on the correct functioning of implantable cardiac devices. As demonstrated by recent security-related recalls, vulnerabilities in these devices exist, which can be exploited to put the patient’s safety in jeopardy through the malicious reprogramming of the device.
Motivated by the need to improve the security, safety and robustness of such devices, we presented the first framework for systematically synthesizing reprogramming attacks on ICDs designed to maximize therapy disruption while minimizing detection. Such attacks can therefore be tailored to the victim’s physiology through condition-specific synthetic cardiac signals.
Our approach builds on automated reasoning methods (OMT) that allowed us to synthesize malicious parameters that precisely attain Pareto-optimal performance w.r.t. stealthiness and effectiveness criteria. We demonstrated that such attacks are particularly effective in preventing therapy in the presence of VT and VF, and that they readily generalize to unseen signals. This makes our approach suitable for real-world attacks.
For future work, we plan to evaluate synthesized attacks on a real ICD device, building on the hardware testbed for cardiac pacemakers of (Jiang et al., 2014). We will also investigate spoofing attacks on EGM sensors and techniques for making ICD discrimination algorithms more resilient to such attacks.
- Barrett et al. (2009) Clark W Barrett, Roberto Sebastiani, Sanjit A Seshia, and Cesare Tinelli. 2009. Satisfiability Modulo Theories. Handbook of satisfiability 185 (2009), 825–885.
- Berger et al. (2006) Ronald D Berger et al. 2006. The Rhythm ID Going Head to Head Trial (RIGHT). Journal of cardiovascular electrophysiology 17, 7 (2006), 749–753.
- Biere et al. (1999) Armin Biere et al. 1999. Symbolic model checking without BDDs. In Tools and Algorithms for the Construction and Analysis of Systems. 193–207.
- Bjørner et al. (2015) Nikolaj Bjørner, Anh-Dung Phan, and Lars Fleckenstein. 2015. νZ - An Optimizing SMT Solver. In TACAS, Vol. 15. 194–199.
- Boston Scientific Corporation (2017) Boston Scientific Corporation. 2017. Implantable Cardioverter Defibrillator, reference guide (part number: 359407-003). (2017).
- Eberz et al. (2017) Simon Eberz et al. 2017. Broken hearted: How to attack ECG biometrics. In Network and Distributed System Security Symposium (NDSS) 2017. Internet Society.
- Electrogram (2018) Electrogram. 2018. Ann Arbor Electrogram Libraries. (2018). http://electrogram.com/
- Fawzi et al. (2014) Hamza Fawzi, Paulo Tabuada, and Suhas Diggavi. 2014. Secure estimation and control for cyber-physical systems under adversarial attacks. IEEE Trans. Automat. Control 59, 6 (2014), 1454–1467.
- Food and Drug Administration (2017) Food and Drug Administration. 2017. Implantable Cardiac Pacemakers by Abbott: Safety Communication. (2017). https://www.fda.gov/safety/medwatch/safetyinformation/safetyalertsforhumanmedicalproducts/ucm573854.htm
- Halperin et al. (2008) Daniel Halperin et al. 2008. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In IEEE Security and Privacy Symposium. 129–142.
- Hei et al. (2015) Xiali Hei, Xiaojiang Du, Shan Lin, Insup Lee, and Oleg Sokolsky. 2015. Patient infusion pattern based access control schemes for wireless insulin pump system. IEEE Transactions on Parallel and Distributed Systems 26, 11 (2015), 3108–3121.
- Inverso et al. (2018) Omar Inverso, Alberto Bemporad, and Mirco Tribastone. 2018. SAT-based synthesis of spoofing attacks in cyber-physical control systems. In Proceedings of the 9th ACM/IEEE International Conference on Cyber-Physical Systems. 1–9.
- Jiang et al. (2014) Zhihao Jiang et al. 2014. Heart-on-a-Chip: a closed-loop testing platform for implantable pacemakers. (2014).
- Jiang et al. (2016) Zhihao Jiang et al. 2016. In-silico pre-clinical trials for implantable cardioverter defibrillators. In EMBC. IEEE, 169–172.
- Jiang et al. (2012) Zhihao Jiang, Miroslav Pajic, and Rahul Mangharam. 2012. Cyber–physical modeling of implantable cardiac medical devices. Proc. IEEE 100, 1 (2012), 122–137.
- Kune et al. (2013) Denis Foo Kune et al. 2013. Ghost talk: Mitigating EMI signal injection attacks against analog sensors. In IEEE Security and Privacy Symposium. 145–159.
- Kwiatkowska et al. (2015) Marta Kwiatkowska et al. 2015. Synthesising robust and optimal parameters for cardiac pacemakers using symbolic and evolutionary computation techniques. In Hybrid Systems and Biology (LNCS/LNBI), Vol. 9271. Springer, 119–140.
- Li et al. (2011) Chunxiao Li, Anand Raghunathan, and Niraj K Jha. 2011. Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In IEEE Healthcom. 150–156.
- Moss et al. (2012) Arthur J Moss et al. 2012. Reduction in inappropriate therapy and mortality through ICD programming. New England Journal of Medicine 367, 24 (2012), 2275–2283.
- Pajic et al. (2014) Miroslav Pajic et al. 2014. Robustness of attack-resilient state estimators. In ACM/IEEE 5th International Conference on Cyber-Physical Systems. 163–174.
- Pasqualetti et al. (2013) Fabio Pasqualetti, Florian Dörfler, and Francesco Bullo. 2013. Attack detection and identification in cyber-physical systems. IEEE Trans. Automat. Control 58, 11 (2013), 2715–2729.
- Peterson (2013) Andrea Peterson. 2013. Yes, terrorists could have hacked Dick Cheney’s heart. Washington Post (2013).
- Rasmussen et al. (2009) Kasper Bonne Rasmussen et al. 2009. Proximity-based access control for implantable medical devices. In CCS. ACM, 410–419.
- Rios and Butts (2018) Billy Rios and Jonathan Butts. 2018. Understanding and Exploiting Implanted Medical Devices. Black Hat USA conference. (2018).
- Shoukry et al. (2017) Yasser Shoukry et al. 2017. Secure State Estimation for Cyber-Physical Systems Under Sensor Attacks: A Satisfiability Modulo Theory Approach. IEEE Trans. Automat. Control 62, 10 (2017), 4917–4932.
- Singer (2001) Igor Singer. 2001. Interventional electrophysiology.
- Tiwari et al. (2014) Ashish Tiwari et al. 2014. Safety envelope for security. In Proceedings of the 3rd international conference on High confidence networked systems. ACM, 85–94.
- Xu et al. (2011) Fengyuan Xu et al. 2011. IMDGuard: Securing implantable medical devices with the external wearable guardian. In IEEE Infocom. 1862–1870.
- Zanker et al. (2016) Norbert Zanker et al. 2016. Tachycardia detection in ICDs by Boston Scientific. Herzschrittmachertherapie+ Elektrophysiologie 27, 3 (2016), 186–192.
Appendix A Supplementary material