As software plays a bigger part in medical devices, tearing it down is becoming increasingly important.
When one thinks of medical devices, mechanical and electrical elements often come to mind, whether as part of a pacemaker or in pure materials products such as stents and catheters. However, the software associated with the medical device is playing an ever-larger role in the development, testing, and certification of medical devices. Reverse engineering (RE) of products is an important tool to have in the product development toolbox, even in the regulated space of medical product development.
This article discusses the use of reverse engineering of software in medical devices, outlining the how and why of its use.
RE is the systematic tear down and analysis of what lies under the hood of a product. It typically provides an understanding of how a device works as well as what intellectual property (IP) went into its creation. RE supports strategy and decision making across the entire IP lifecycle, from concept creation to product retirement. It also enables a company to protect its own IP as well as ensure that it has a rock-solid defense against allegations of patent infringement from competitors. RE is also a proven method to determine if a competitor’s comparable product is implementing patented inventions, benchmark one’s self against the market, and identify technology trends and key innovation impacting market dynamics.
While RE is a valuable tool, special care needs to be taken when using it for the evaluation of software since software or firmware, unlike hardware, is subject to copyright law. This application of copyright law limits the circumstances under which it is legal to engage in a process of software RE—there must be a clear and credible allegation of infringement to proceed. Even then, it is often better to engage the services of a third‐party RE firm, which has the specialized expertise, processes, and equipment to perform a thorough and impartial analysis of the software in question to produce evidence that is admissible in court and ensure an extra level of legal protection by providing only the information required to substantiate or invalidate the claim.
Figure 1. Generic Medical Monitoring Device Block Diagram (click to enlarge)
At UBM TechInsights, our reverse engineering has often centered on the hardware associated with a particular product. However, the importance of the hardware details for medical devices is often less important to the developers of those devices and we’re seeing an increase in systems and software RE. Reasons for this include a higher use of established or commercially off the shelf (COTS) components, relatively low volumes compared with consumer devices, and the low correlation between hardware cost and product price for medical devices. As a result, in many medical devices the “secret sauce” consists of the algorithms and software being run on conservative processor selections. However, for the reasons noted, software RE can provide an understanding of behaviors, operations, or functions in products; make it technically viable to enforce IP licensing of system-level and software-based patents; and expand IP licensing opportunities, particularly as the consumer and medical device worlds begin to overlap.
Because software has become a bigger part of medical products, it is important to understand some of the factors that differentiate it from hardware, and that can make reverse engineering of the products more complex. Those factors include:
Figure 2. Software Reverse Engineering Process (click to enlarge)
Some of the tools available to aid in this effort include firmware extraction, binary code inspection, and static code analysis techniques such as software disassembly and software decompiling. Dynamic analysis methods include custom test application development, I2C / JTAG capture, and code trace & debugging at the application- and operating system–level. To demonstrate the software RE process, consider a couple of examples of its use in addressing possible patent infringement. The process flow chart is depicted in Figure 2. The first step after acquisition of the target device is the extraction of the software from the device, code update, installer, etc. The analyst then assesses the software by identifying the specific code of interest, and then performing a reconstruction of a higher level representation of the software. Finally, the potential infringing elements are identified based on this sequence of operations.
The first example of software RE is the assessment of a model to estimate battery lifetime, a capability important to implantable medical devices as well as to the emerging portable medical monitoring devices, where battery life and capacity are critically important. In recent years, there have been rapid advances in system and on-chip power management techniques. There are many patents covering all aspects of power and frequency control, power distribution, static power reduction, and even power management of “smart” systems. In this instance, the target hardware was a mobile handset. Using the battery lifetime API as the starting point, the sophisticated lifetime estimation algorithm was first identified. Then, the portion of the code that received information from the voltage and discharge sensors and the timer were disassembled and analyzed. The code was then exercised on an ARM emulator with values fed from the sensors and the results tested against the mathematical model, verifying infringement (or not) of underlying IP.
Figure 3. Smart Phone App Analysis Flow Chart (click to enlarge)
The second example is an analysis of a smartphone application, an area of interest in medical due to the rapid increase in health and fitness as well as medical applications. With the rapid proliferation in these software products, the probability of encroaching upon someone else’s IP has increased as well. In this case, we were asked to perform a reverse engineering study on a magnetic compass app to understand role of sensor data with respect to image orientation, and, if applicable, perform a claims mapping to the app. Figure 3 outlines the general high-level approach to this analysis. To understand how the application applies the sensor data to calculate orientation of the displayed image, a full software RE was performed. The application was downloaded, and then the app and OS framework were unpacked. We then disassembled the compass & map apps as well as the orientation and image rendering frameworks for analysis. A detailed code analysis identified the relevant code segments, strings, and data tables. A decompilation of the disassembled code into native C code was done using an ARM decompiler to create a high-level diagram of relevant functional elements. By linking the functional testing of the app to the code analysis, we were able to conclusively determine whether the claim elements of the IP mapped to this app. We were also able to determine how this patent might apply to similar apps.
In summary, medical devices continue to evolve, particularly as more commonly used off-the-shelf hardware is utilized. That tendency alone will drive a further increase in the importance of algorithms and software as key product differentiators. However, the rapid proliferation of smartphones and their attendant apps will further complicate this situation. Software reverse engineering is a proven method to protect not only your company’s intellectual property, but also to identify possible licensing opportunities through identification of potential infringement. It should be part of any company’s strategic toolbox.
William Betten is the medical technology director for UBM TechInsights, where he is responsible for business development activities associated with intellectual property assessment and management, business and technical intelligence, and technology direction for the medical devices product area. Prior to joining UBM TechInsights, Bill served as vice president of engineering and led the product development organization at Nonin Medical, a provider of pulse oximetry and noninvasive medical sensing equipment. He can be reached at firstname.lastname@example.org.