Paper 2022/511

OOBKey: Key Exchange with Implantable Medical Devices Using Out-Of-Band Channels

Mo Zhang, Eduard Marin, David Oswald, Vassilis Kostakos, Mark Ryan, Benjamin Tag, and Kleomenis Katevas


Implantable Medical Devices (IMDs) are widely deployed today and often use wireless communication. Establishing a secure communication channel to these devices is vital but also challenging in practice. To address this issue, numerous researchers have proposed IMD key exchange protocols, in particular ones that leverage an Out-Of-Band (OOB) channel such as audio, vibration and physiological signals. These solutions have advantages over traditional key exchange, e.g., their plug-and-play nature. However, such protocols are often constructed in an ad-hoc manner and lack stringent evaluation of their security, usability and deployability properties. In this paper, we systematize this area and derive a solid theoretical footing to compare different OOB-based approaches. We review related work in that light and show the shortcomings of previous approaches. We then make the core observation that security imperfections in OOB channels can be mitigated by incorporating password-authenticated key agreement. Accordingly, we propose a new construction for OOB key exchange and formalize the security level. We then derive three protocols from it that only require an inertial sensor in the IMD, which is already available in advanced devices. We analyze those protocols with the proposed formalism to highlight shortcomings and advantages depending on specific practical scenarios.

Note: This paper is currently under review by ACM Transactions on Computing for Healthcare.

Available format(s): -- withdrawn --
Category: Cryptographic protocols
Publication info: Preprint. MINOR revision.
Keywords: medical device security, implantable medical device, out-of-band channel, key exchange, inertial sensor
Contact author(s): mozhang1 @ student unimelb edu au
History:
2022-08-27: withdrawn
2022-05-02: received
Creative Commons Attribution