Security on NFC-Enabled Platforms

Transcription

1 Security on NFC-Enabled Platforms Building Trust in the New Mobile Applications Ecosystem Whitepaper

2 Content A New Stage in the Evolution of Personal Mobility 4-7 The Need for Hardware-based NFC Security 8-9 NFC Phone Security Architectures Evolution of the NFC Ecosystem 12 Implementing Secure Elements Success Factor End Customer 16 The Future and Deployment of NFC 19 2

3 The Promise of NFC and the Importance of Trust Nearly a decade after it was first introduced, Near Field Communication (NFC) is entering the consumer technology mass market. Soon to be available on hundreds of millions of smart phones and portable personal information devices such as tablet computers, NFC provides a short-range wireless data connection that enables an array of new consumer services. Many of these services, in particular those described as electronic wallet functions, utilize information that providers and users want to keep private. In fact, a high level of confidence that personal data and financial transactions are protected is critical to wide market success for NFC. Wider uptake of NFC is hinged on three related aspects of system security: trust that personal and financial data used in applications remains confidential flexibility of the security technology available to handset manufacturers and service providers and overall system performance, which translates to consumer satisfaction with the convenience of NFC applications. To best meet these challenges, hardware-based security is vital but it must also support different business models and implementations. 3

4 A New Stage in the Evolution of Personal Mobility with New Experiences for Mobile Device Users Simply put, NFC technology promises new levels of convenience for users of mobile devices. With the widespread adoption of smart phones across the global marketplace, powerful and easy-to-use computing is now ubiquitous. Consumers now expect that a single device can be used to access a suite of converged services that use the mobile network for communications, entertainment and, increasingly, commerce. With NFC, the same mobile device becomes a platform for new applications that will massively enhance the total consumer experience. Established as an international standard (ISO/IEC 18092), NFC uses the principle of magnetic induction coupling to create a MHz communication channel when two devices are within very close range (up to 10 cm/4 in.) of each other. This close proximity underlies the description of NFC as a tap and use technology. In effect, users touch an NFC device to a compatible reader or other NFC- equipped passive or active device to create the link. The link can be to another mobile device, a terminal or reader device (for example, in a retail store), or an NFC tag. The integration of NFC in mobile devices marks a new stage in the evolution of personal mobility. Even considering only few of the potential services and new conveniences made possible by NFC illustrates the potential and impact of the technology and the promise of a more interactive world. For enhanced information exchange, including reading NFC tags embedded in posters and objects, as well as easy connectivity between NFC-enabled devices: Smart posters, shelf-edge labels and consumer products which consumers can tap to learn more about events, special offers, etc. New types of check-in for location-based marketing and consumer reward services. One-touch device pairing for easy connectivity of devices, such as headsets, speakers, cameras, printers and cell phones, without the multi-step configuration typical of other wireless technologies. Peer-to-Peer (P2P) connections between NFC devices that allow controlled sharing of information, an easier and more secure way to identify devices. As an electronic wallet, NFC enables contactless transactions and personal access. It can reduce the number of individual cards people carry in a wallet or purse today and it creates exciting new possibilities: Based on card emulation software, the NFC-enabled device can act just like a consumer charge/debit card issued by a financial institution, but with added functionality, such as electronic receipts, real-time balance/credit status, and over-the-air revocation. Tickets for transport services and events can be purchased electronically and stored in the device memory, eliminating delays in issuance and offering extra-value services, such as train services, destination status, and journey updates. Loyalty cards and coupon replacement to collect and redeem points, miles or virtual currency in an easy and convenient manner, that can be updated depending on time and place of the user and yet be easily presentable. Electronic keys: as a simple substitute for card keys used to gain building, hotel room or office access, offering real-time provisioning of access rights. 4

5 It is the wide range of both information exchange and e-wallet applications that makes NFC a game changing technology. Given this wide array of potential services and applications, the expectation for an exponential increase of NFC is not surprising. Growth from approximately 120 million NFC-enabled handsets in 2012 to nearly 1,200 million by 2017 is forecasted by the market research firm IHS (March 2013). By 2017, 62% of all handsets shipped will be NFC enabled 1. 1 IHS Near Field Communications World 2013, March 2013 NFC Secure Element shipments (million units) NFC handsets (million units) Some handsets are forecast to have more than one secure element. This, non-handset NFC shipments and lead times result in SE shipments being greater than NFC handset shipments Source: IHS Near Field Communications World 2013, March 2013 Figure 1: Development of NFC Secure Element shipments and NFC handsets

6 NFC-based services what is vital for the success of open and secure applications The evolving array of services made possible by NFC can be categorized as open applications and secure applications: Open applications are characterized by information exchange and do not have a requirement for privacy and data protection. Infineon Technologies supports open NFC applications with chips for NFC Tags from the my-d move range of devices. For secure applications, both the end user and service provider seek a level of confidence that access to personal and financial information is protected to a degree equivalent to that of banking cards and secure ID documents. With smart banking cards and ID documents a provider controls the issuance of each secure credential. Users will also expect application availability, using the convenient app store download model, to provide access to a huge range of services. Open Applications Device Pairing Info Sharing Peer to Peer Discover Actions NFC APPLICATION ENVIRONMENT Payment Access Control Ticketing Loyalty Secure Applications Figure 2: Typical applications utilizing NFC 6

7 As a result, many different open and secure applications may reside on any one NFC device. Providers have expectations for security. In this context, the success of any NFC-based service in the market also depends on the ability to easily deliver a seamless and simple application experience on the consumer s chosen platform. Given that trust and confidence for both the consumer and service provider is paramount, the key characteristics of secure applications on NFC devices can be summarized as follows: 1. Convenient: For an application replacing current practice (such as retail payments), it should be at least as fast and simple to make a transaction with the phone as it is today with a smart card. 2. Easy: No new steps for applications replacing current practice, and new types of applications should be intuitive. 3. Ubiquitous: Payment applications should be as widely accepted as card-based payments today. The financial/payments ecosystem, including banks, retailers, point-of-sale terminal suppliers and payment network providers (Visa, MasterCard, etc.). Developers of electronic wallets and value-added services build around NFC functionality. These may be organizations already involved in either the mobile or financial ecosystems, or new participants. For any application involving transactions, service providers will seek a revenue stream. Additionally, in payment, ticketing and access-control applications, both consumers and service providers demand protection against fraud, loss or unauthorized use of credentials. Consumers and service providers also need to be assured that devices and user profiles can be readily controlled, for example allowing protected activation/deactivation if a device is lost or stolen, and when a user changes phones. These kinds of concerns affect how security is implemented in the NFC ecosystem, and how the various providers can manage their liabilities. As noted, while consumer expectations are shaped by the smart phone apps experience, the delivery of many NFCbased services involves more complex business models than those seen in today s mobile apps ecosystem. The ecosystem for NFC applications brings together previously separate sets of business entities: The existing mobile device ecosystem of handset manufacturers, operating system and application providers, Mobile Network Operators (MNO) with additional Trusted Service Manager (TSM) companies to facilitate access to the Secure Element (SE) at the heart of the NFC device. Infineon s view of the security architecture for NFC is shaped by more than two decades of experience providing technology to protect individuals, business and government organizations from the risk of fraud, theft and breaches of personal privacy. The company believes that the security architecture presented in this paper represents industry best practice toward the goal of providing the utmost protection for consumers and participants in the NFC ecosystem. 7

8 The Need for Hardware-based NFC Security Current industry practice is mainly driven by the Mobile Network Operator (MNO), which primarily concerns authenticating a user on a specific mobile network and controlling the services available to that subscriber. This is an issuer-centric model in which the MNO manages its customer relationship. It is by definition a device-independent approach supported by standards that specify the interfaces to the MNO-owned UICC also known as SIM card. the end user and an interest in managing the application to meet its own liability and therefore security requirements. By providing security mechanisms on the platform, all potential providers have a framework to protect against potential attacks. Importantly, this framework should be based on the best practices of the industry and, when applicable, standards that both conform to rigorous security requirements while supporting interoperability as needed. From issuer-centric to user-centric definition of security requirements The NFC ecosystem involves many different contributors in delivering value to end users of mobile platforms. The NFC Forum, a 170+ member organization that drives specification processes for the technology, describes a new model in which the smart phone platform with NFC is a transition from an issuer-centric to a user-centric model with many different services that involve financial transactions and personal information co-existing on NFC-enabled platforms 2. This change makes the security approach to a platform specific requirement. An important implication of this new model is that each service provider has an interest in earning revenue from its relationship with In a report published in early 2011, two member banks of the US Federal Reserve 3 provided a definition of the minimal functional features of the NFC platform. This feature list leads to an important addition to the Bill of Materials for smart phone platforms: Minimum compliance requirements for adoption should include dynamic data authentication, m-wallet contactless functionality and a secure element in the mobile phone. While no standard exists for the Secure Element, the Smart Card Alliance (SCA), which represents many participants in the electronic payments and identification industry, provides this definition: 8

9 The Secure Element (SE) is a secure microprocessor (a smart card chip) that includes a cryptographic processor to facilitate transaction authentication and security, and provide secure memory for storing payment applications (e.g. American Express, Discover, MasterCard, Visa and other payment applications). SEs can also support other types of secure transactions, such as transit payment and ticketing, building access, or secure identification 4. The architecture of NFC-enabled devices starts with an NFC radio channel that is connected on one side to a host controller and that establishes NFC communication via an antenna on the other side. The host controller can be the baseband controller of a phone or an application processor in a computer or tablet. Via the NFC channel, the host is able to interact with tags, readers or other NFC peers when they are in close proximity. A secure NFC platform includes: Baseband or Application Processor A central processing unit that meets demanding performance specfications. The baseband chip is frequently upgraded from one product generation to the next, with new technology introduced at 6-12 month intervals. RF Connectivity Device Provides additional wireless connectivity to a handheld and typically incorporates additional RF modes (i.e. WLAN, Bluetooth). Integration of many different RF modes onto this chip is a result of manufacturer goals for miniaturization and cost reduction of the platform. Contactless Front-End (CLF) Modem/Controller Manages the specific NFC communications protocols and interface to the NFC antenna. In current implementations, this is most likely is a standalone device which, in some cases, may be packaged in a module with a Secure Element. However, in many future designs this function is likely to be part of the RF Connectivity Device. Secure Element A security microcontroller, similar to those used for smart card and e-identity applications. Accepted industry practice for the security controller is that it meets requirements of the industry standard Common Criteria security evaluation. It may be integrated into the platform in several ways. Both the end user and the service provider expect access to their personal and financial information to be protected by a similar level of security as their smart banking cards and secure ID documents for applications such as payment, transport and ticketing or access control. To provide such security, a dedicated Secure Element (SE) is mandatory. Non-NFC-enabled devices can be made NFC-compatible with the use of additional components, for example: A phone jacket or sticker with a NFC contactless chip/se with Bluetooth connection to the phone A removable device for the phone in the form of a micro-antenna integrated with SE with CL interface into a single package (MicroSD) or added to the SIM card (e.g. the SIMpass concept). 2 NFC Forum, Essentials for Successful NFC Mobile Ecosystems, October Federal Reserve Board of Atlanta, Mobile Payments in the United States: Mapping Out the Road Ahead, March 25, Smart Card Alliance, The Mobile Payments and NFC Landscape: A U.S. Perspective, September

10 NFC Phone Security Architectures Mobile Network Operator centric UICC-SE SWP SIM card Handset Manufacturer centric Embedded SE Packaged Secure Chip Application / Baseband Processor RF connectivity device Application / Baseband Processor RF connectivity device SWP Figure 3: NFC-enabled smart phone architectures with SWP-SIM and embedded Secure Element Other service provider centric Removable SE Ex: Boosted NFC MicroSD Card Application / Baseband Processor RF connectivity device µsd Controller SE Flash Memory Front End Boosted NFC MicroSD-Card Figure 4: Solution for microsd-based Secure Element 10

11 Current NFC-enabled devices require a CLF modem together with a Secure Element in different form factors to suit the requirements of handset manufacturers and/or service providers, supporting their respective business models (Figure 3). For the support of other specific business models, NFC functionality, such as card emulation, can be also supplied via a plug-in microsd card (Figure 4). involves certification of processes at many points in the product lifecycle. Microcontrollers offer the best possible in-system performance, especially for cryptographic algorithms, with the smallest possible footprint. Another crucial reason is that of semiconductor process technology: the optimized analog circuit processes used in the CLF do not lend themselves to the implementation of high density logic and NVM requirements of a SE. For several reasons, the Secure Element remains a standalone component and its functionality is not likely to be integrated into another system chip of the mobile device. The foremost reason is security; microcontrollers used for Secure Elements have a unique physical design and dedicated features that fulfill extensive security certification requirements. The most widely used of these is the international standard (ISO/IEC 15408) Common Criteria for International Security Evaluation, which The requirement to support several business models in the NFC ecosystem may lead to an NFC architecture that features more than one Secure Element. These could have several form factors; e.g. SWP-UICC (SWP is the standardized interface connection between an NFC SIM card and the CLF modem) and a second embedded Secure Element (Figure 5). Infineon thereby supports all kinds of business models and follows a flexible approach. Today Future Application / Baseband Processor Application / Baseband Processor RF connectivity device ISO 7816 ISO 7816 RF connectivity device UICC (SIM) MNO LTE Functions NFC Applications UICC (SIM) MNO LTE Functions NFC Applications esecure Element Handset NFC Applications Trusted Security esecure Element Handset NFC Applications Trusted Security Figure 5: Future NFC Architecture and Ecosystem 11

12 Evolution of the NFC Ecosystem With industry consortia and handset operating system providers driving payment applications, and hundreds of millions of NFC-ready handsets hitting the market in the next few years, an infrastructure of readers and NFC tags will proliferate in this decade. NFC use will grow both in secure applications (e.g. payment/financial and transport & ticketing) and in information exchange applications with varying security requirements. Performance and convenience will be key in gaining consumer acceptance while service providers will require security that meets accepted industry criteria. End users must be given good reason to trust the security architecture. These requirements affect the implementation of secure NFC technology in coming generations of mobile devices. As with any ecosystem, different implementations of removable and embedded security will co-exist. The typical scenario combines a SWP-UICC and an embedded Secure Element (ese) as represented in figure 3. Various participants in the NFC ecosystem have clear paths for implementing their applications. These must be balanced between the business model requirements of the Mobile Network Operator (MNO), the Handset Manufacturers (HSM) and other independent service providers. An important aspect of trust and security is the ability to protect consumers and other ecosystem participants from fraud in the event of a lost or stolen handset. There should also be the ability to deactivate services on a specific handset and then activate them on a replacement. Similar functionality is needed to seamlessly transfer services when a consumer acquires a new handset or mobile device. While total replacement of the physical wallet may not happen, NFC may supplant many separate cards typically carried today. Instead of individual financial, access and transportation ticket cards, consumers will be able to rely on the digital wallet features of a smart phone to conduct everyday business. To turn this vision into reality, it is important that consumers trust the technology and that wallet functions are as easy to use as the cards they replace. Handset architectures that optimize security and make commerce transactions equal to or more efficient than older methods will accelerate acceptance of NFC as a convenient tool. That core acceptance then clears the path for innovative new applications that will launch the next revolution in technology-driven consumer services. In addition to typical authentication functionality, NFC SIMs must support NFC applications and services from MNOs and third parties in a variety of handsets, while HSMs integrate an embedded Secure Element to manage their own secure NFC applications. They establish a secure Root of Trust for their mobile device services that must work across various MNO networks. In all cases, the NFC applications must be able to be either pre-loaded or installed Over-The-Air (OTA) by the end user and potentially modified through a Trusted Service Manager (TSM) ex post. 12

13 13

14 Implementing Secure Elements Infineon Technologies, which has been active as an innovation leader in the secure chip card IC (integrated circuit) market for more than two decades, has a long history of active contribution to standards in the smart card IC business segment. For example, the company worked to help define the Single Wire Protocol (SWP) interface for NFC in-system communications that was standardized by ETSI (European Telecommunications Standards Institute). Infineon authored the Contactless Tunneling Protocol (CLT), which provides the necessary fast communication interface to support earlier generation Mifare and FeliCa compatible applications over SWP. Infineon is one of the founding members of the OSPT (Open Standard for Public Transport) Alliance, which published the CIPURSE standard (based on ISO 7816) for secure transport card applications. Additionally, the company has made several important contributions to the standardization activities at the NFC Forum. The principal work of this last group is promotion of the technology and publication of detailed specifications for devices (passive and active) compliant with ISO requirements. Infineon supports the NFC ecosystem with distinct security product offerings that meet the requirements of the different NFC platforms now in the market. All Infineon s NFC products are certified according to Common Criteria EAL5+ high and have also been approved by the payment card industry consortium EMVCo (American Express, JCB, MasterCard, Visa), necessary for secure transactions such as contactless payment, mobile banking and authentication: Secure Elements NFC SIM Embedded SE Solutions with flexible antenna NFC MicroSD SWP product Possibility to package together a NFC Modem and a SWP chip into a MicroSD Dual Interface product + Active modulation in a SIM Form Factor + Active modulation in a SIM Form Factor Figure 6: Infineon serves broad NFC Applications 14

15 SWP Secure Element Since 2007, the Single Wire Protocol (SWP) has been the standard interface connection between the UICC/SIM and the CLF (Contactless Front-End) modem within NFC-enabled mobile devices. Infineon s SLE 97 SOLID FLASH Family is the state-of-the-art product generation for high performance security chip cards supporting the SWP interface. The SLE 97 family is provided in various form factors. Aside from SIM/UICC Secure Elements, it also addresses microsd Secure Elements. The SLE 97 products implement a 32-bit CPU based on the SecurCore SC300 from ARM, enhanced by Infineon s Cache and Security Technology. They offer a wide range of peripherals, including powerful processors for the cryptographic algorithms RSA and 3DES used in payment transactions. Furthermore, they offer AES cryptography, which is used, for instance, in CIPURSE, the open standard for public transport. In addition to ISO/IEC 7816 and SWP, the following communication interfaces are also available to support all implementations of NFC Secure Elements: SPI, I 2 C and GPIOs. DCLB Secure Element The Digital ContactLess Bridge (DCLB) is an open connectivity interface optimized for embedded Secure Element implementations, available on products of the SLE78 family. Incorporating Infineon s award-winning digital security technology Integrity Guard with fully encrypted data path, the SLE78 with DCLB interface are the ideal solution for a standalone Secure Element for embedded solutions. Products using the DCLB interface can be combined with NFC modems from various suppliers. Dual Interface Secure Element The Infineon SOLID FLASH Dual Interface (DI) Security Controllers, such as the SLE 78 Family, are highly secure controllers supporting the simultaneous communication of both contact-based and contactless interfaces in contrast to typical controllers that actually support only one interface at a time (e.g. contactless only for paying, contact-based only for usage at a bank terminal). Combined with an integrated antenna and booster chip (e.g. microsd) or with a flexible antenna (e.g. SIMpass ), the Infineon SOLID FLASH DI Controllers support secure NFC applications. These controllers also incorporate Integrity Guard. With the DI SIM solution, secure NFC payment can be immediately enabled on any handset. Furthermore, the Boosted NFC Secure Element, a derivative of the Dual Interface Secure Controller family, can be used on small form factor devices to overcome the limitations of integrated micro-antennas. This solution can significantly increase contactless communication capability. Embedded Secure Elements can be provided either as hardware only or as complete bundle including EMVCo approved JavaCard/GlobalPlatform operating system. In addition, Infineon offers customization services such as pre-personalization, loading of applications and key management service including secure key injection. Infineon additionally supports so-called open NFC applications with the my-d NFC and my-d move NFC memory chips for NFC Tags. 15

16 Success Factor End Customer As mentioned above, NFC is using existing mobile infrastructures (e.g. handsets and tablets) that simplify the adoption perceptible and makes open NFC applications instantly useable. Simultaneously open applications act as trailblazers for secure applications. The latter have verifiably higher requirements in terms of infrastructure and players involved, and must therefore deal with a higher complexity of the ecosystem. To speed up the adoption of NFC, two factors need to be considered: First of all, the market acceptance of NFC is much easier to achieve via open tap and use applications which have no real market entry barriers, resulting from the NFC eco-system. Secondly, and must be pointed out, the convenience factor of this kind of application is easy for the end customer to understand. The end customer is, in fact, a very important factor when it comes to the success of NFC. Only if the end customer demands a dedicated NFC device ( pull principle ) and understands the advantages of NFC, the technology adoption will really take off. Basically the current conditions are good for such kind of achievement also caused by a change of paradigm: The end customer no longer uses the mobile phone merely for communication but also as transaction tool. It goes without saying that it is of course reasonable to bring NFC handsets and tablets to the market without actually being required by the end customer ( push principle ) to build a broader infrastructure as a first step. But without real adoption by the end customer, it will be just another technology stuck in the niche. One success factor to reach the objective NFC market adoption lies in educating the end customer. End customers will only adopt this technology when they can generate benefits from usage of NFC and when they are also aware of these benefits. Such benefits can include, for example: Improvement of personal mobility Reduction of transaction times (e.g. for transport & ticketing applications) Simplifying transactions (e.g. for receiving information) Ubiquity of receiving information (e.g. even if a network is not available) Increasing of security level of transactions (e.g. for mobile payment) Using one device for several applications (e.g. as wallet functionality) Worldwide exchange of information and usage of services Interoperability between devices Up to now, as conducted surveys show, NFC has not truly reached the end customer. This means there is still a lot of work to do regarding education. The main challenge here is to determine who is supposed to be in the driver seat for this task. From the perspective of who has the closest link to the end customer, particularly companies who offer B2C products and services should be the main educators. These companies are, for instance, banks, service providers, MNOs, retailers and handset manufacturers and should accordingly engage themselves more in this respect. 16

17 17

18 18

19 The Future and Deployment of NFC With the number of NFC-capable handsets in the field increasing from the low tens of millions to two hundred million plus through 2013, consumers and the industry ecosystem will begin to realize the benefits of mass deployment. This will drive the technology to higher levels of standardization in the next few years. From an applications view, the popularity and broad acceptance of NFC will initially be driven by open applications, including peer-to-peer connections, information exchange, and new marketing and consumer services that take advantage of simple, automatic connectivity controlled by the consumer. In a nutshell, convenient and simple to use new capabilities will create a comfort level in NFC for millions of people. Concurrently, the growth of a user base will lead the ecosystem of service providers involved with transaction and security-sensitive applications to resolve business model concerns. By 2016, it is expected that the broader usage of NFC-based payment and transport ticketing will be the principal areas for secure applications. Innovative companies will also build on integrated security features to implement secure services that use the NFC device as a means of personal identity authentication for both physical and logical access control. In such cases, the phone expands from being a container for applications to serving as a secure connectivity tool. The parallel technology integration from will see handset providers move from a diversified set of solutions e.g. separate CLF modem, multiple packaging formats for Secure Element to a more standardized 3rd generation device set. Combo-chips that combine the CLF capability with other RF-modes will become common. Security capability will remain a standalone function because of the need for security certification, and business model separation will see typical systems supporting both an ese and UICC-SE solution in the handset. Predicting the path of high technology device evolution and adoption is always a challenging task. The combination of mobile communications with secure payment and identification promises new and still only partly defined capabilities for consumers and opportunities for suppliers. By successfully providing flexibility and performance for secure NFC transactions, Infineon has established an important position that makes the company a strong partner within this dynamic, emerging ecosystem. Principal Member of Member of 19

20 Ask Infineon. Get connected with the answers. Infineon offers its toll-free 0800/4001 service hotline as one central number, available 24/7 in English, Mandarin and German. Our global connection service goes way beyond standard switchboard services by offering qualified support on the phone. Call us! Germany (German/English) China, mainland (Mandarin/English) India (English) USA (English/German) Other countries... 00* (English/German) Direct access (interconnection fee, German/English) * Please note: Some countries may require you to dial a code other than 00 to access this international number, please visit for your country! Where to Buy Stay connected Infineon Distribution Partners and Sales Offices: Published by Infineon Technologies AG Neubiberg, Germany 2013 Infineon Technologies AG. All Rights Reserved. Visit us: Order Number: B189-H9725-G1-X-7600 Date: 09 / 2013 Attention please! The information given in this document shall in no event be regarded as a guarantee of conditions or characteristics ( Beschaffenheitsgarantie ). With respect to any examples or hints given herein, any typical values stated herein and/or any information regarding the application of the device, Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind, including without limitation warranties of non-infringement of intellectual property rights of any third party. Information For further information on technology, delivery terms and conditions and prices please contact your nearest Infineon Technologies Office ( Warnings Due to technical requirements components may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies Office. Infineon Technologies Components may only be used in life-support devices or systems with the express written approval of Infineon Technologies, if a failure of such components can reasonably be expected to cause the failure of that life-support device or system, or to affect the safety or effectiveness of that device or system. Life support devices or systems are intended to be implanted in the human body, or to support and/or maintain and sustain and/or protect human life. If they fail, it is reasonable to assume that the health of the user or other persons may be endangered.