Personal Security Devices For
Protecting Legacy
Mobile Medical Devices

Millions of people use mobile medical devices - more every day. But our understanding of device security and privacy for such devices is incomplete. Many forms of attacks on existing devices have been demonstrated, and surely more remain to be discovered. Such attacks can compromise the privacy and safety of patients. Ideally, such devices should be designed to high safety standards, but unfortunately many medical devices making use of wireless networks and other computing and communications capabilties are already in use. Frequently, such devices have poor security built in, and often little or no ability to perform upgrades to their software. Something must be done to protect such devices.

Further, experience has shown that almost all deployed software will have some security problems. Often it has proven difficult to get good patches to remedy such problems, resulting in yet more deployed devices that have known vulnerabilities. In some cases, the nature of a medical device makes alteration of its internal software risky, even if it theoretically has the capability of installing updates. Consider a pacemaker embedded in a patient's chest, for example. Halting the device to install a new update may be inadvisable.

In response to these difficulties, we are investigating another approach to provide a higher degree of security for legacy devices that cannot be easily upgraded to fix their security problems and for devices that, for whatever reasons, cannot be readily patched. This approach involves the use of a separate stand-alone device that tries to remedy the security flaws of other devices. We call this device a Personal Security Device, or PSD. The PSD is intended to be a light, portable, battery-powered device that patients can easily carry with them. It will be aware of the array of mobile medical devices the patient uses and will have built-in understanding of the characteristics and problems of those devices. The PSD will have the ability to observe wireless interactions involving the medical devices and will be able to signal possible attacks and often take remedial actions to limit or counteract such attacks.

We are currently developing prototype versions of the PSD. An initial prototype was built on a laptop computer, while a second prototype used an Android smart phone. We are in the process of building a PSD prototype that is closer to the original vision of the project. Here is a picture of the prototype, which is based around an Arduino microcontroller. We are also working on investigations of security flaws in commonly used medical devices and defense approaches that the PSD could use to remedy those flaws.

Examples of legacy wireless medical devices we have worked with include:

As part of this project, we did a survey of wireless medical devices on the market, concentrating on security-related aspects of the devices. This survey was done in 2012.

We implemented the PSD using an Arduino controller as a base device. Here is a description of the basic Arduino PSD device. Here is a report on running AES on the PSD Arduino.

The project is jointly led by

Dr. Peter Reiher, an adjunct professor at UCLA


Dr. Majid Sarrafzadeh, a professor in the Computer Science Department at UCLA and head of the UCLA Wireless Health Institute.

This project is funded by the National Science Foundation grant CNS-1116371.

Publications related to this grant include:   Securing Legacy Mobile Medical Devices, Vahab Pournaghshband, Majid Sarrafzadeh, and Peter Reiher, Mobihealth 2012. [Slides]

Adrasteia: A Smartphone App for Securing Legacy Mobile Medical Devices, Vahab Pournaghshband, David Meyer, Michael Holyland, Majid Sarrafzadeh, and Peter Reiher, to appear in the IEEE Workshop on Usable Mobile Security, December 2014.


For further information contact
Last modified: December  3, 2014