Modern Implantable Medical Devices (IMDs) are vulnerable to security attacks because of their wireless connectivity to the outside world. One of the main security challenges is establishing trust between the IMD and an external reader/programmer in order to facilitate secure communication. Numerous device-pairing schemes have been proposed to address this specific challenge. However, they alone cannot protect against a battery-depletion attack in which the adversary is able to keep the IMD occupied with continuous authentication requests until the battery empties. As a result, energy harvesting has been employed as an ancillary mechanism for implementing Zero-Power Defense (ZPD) functionality in order to protect against such a low-cost attack. In this paper, we propose SecureEcho, a device-pairing scheme based on MHz-range ultrasound that establishes trust between the IMD and an external reader. In addition, SecureEcho achieves ZPD without requiring any energy harvesting, which significantly reduces the design complexity. We also provide a proof-of-concept implementation and a first ever security evaluation of the ultrasound channel, which proves that it is infeasible for the attacker to eavesdrop or insert messages even from a range of a few millimeters.