Hacking the brain of someone with an implanted medical device is no longer a far-fetched idea relegated to hair-raising Hollywood movies. Scientists in Belgium have found that a wireless brain implant, known as a neurostimulator, can be hacked using off-the-shelf materials. Through remote exploitation, hackers can make voltage changes that “could result in sensory denial, disability, and death.”

Deep Brain Stimulation (DBS) is the procedure that is used to implant neurostimulators. Electrical impulses are then sent into the brain. DBS has been used to ease the symptoms of Parkinson’s disease, chronic pain, tremors and other medical disorders. It has also been used to treat illnesses such as depression and obsessive–compulsive disorder.

Private medical information could also be compromised due to the lack of encryption and authentication of these implantable devices. Future neurostimulators are expected to leverage information extracted from brain waves like P-300, for the purpose of customizing therapy. So, if a hacker is able to capture and evaluate the signal, it would be possible for the victim’s private thoughts to be exposed.

Medical devices in general, including insulin pumps and defibrillators, can be hacked. Once these devices are connected to the internet, things can take a sinister turn. Hijacking a brain implant in this way is known as "brainjacking."

There are any number of reasons why a brainjacking attack might be carried out: blackmail, revenge, warfare, political motivations, etc. It could also be used as a bullying tactic. As Fast Company reports, “The motive need not even be rational; in 2008 a website for epilepsy sufferers was attacked using flashing images designed to trigger seizures, with the attackers’ apparent motivation being amusement.”

Securing medical devices

The researchers in Belgium describe their preferred method for securing medical devices in a paper entitled Securing Wireless Neurostimulators. It was presented at the Eighth ACM Conference on Data and Application Security and Privacy last month and involves reverse engineering of an unnamed implantable medical device and using cheap equipment to receive and transmit messages to and from it.

Cheap antenna used by researchers

The Register reports:

“To mitigate this speculative risk, the boffins propose a novel security architecture involving session key initialization, key transport and secure data communication. Using the brain as a true random number generator, a critical element for secure key generation.

‘We propose to use a physiological signal from the patient’s brain called local field potential (LFP), which refers to the electric potential in the extracellular space around neurons,’ the paper explains.

And to transmit the key to the external device, they suggest using an electrical signal carrying the key bits from the neurostimulator, a signal that can be picked up by a device touching the patient's skin. Other modes of transmission, such as an acoustic signal, they contend could be too easily intercepted by an adversary. Implantable medical device makers, they argue, should ‘migrate from weak closed proprietary solutions to open and thoroughly evaluated security solutions and use them according to the guidelines.’”

If the security on these devices is breached, the hacker would have a direct line into the brain--and the ability to wield considerable control over the victim.
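The architecture quoted above (a session key drawn from a noisy physiological signal, then protected communication) can be sketched as follows. This is an added example, not code from the paper or from any device: the sample generator, the bit-extraction scheme, the packet layout and the command string are all assumptions, and it covers authentication and replay protection only, not confidentiality.

```python
import hashlib, hmac, random, struct

def lfp_samples(n, seed=1):
    """Constructed stand-in for raw LFP ADC readings (not real patient data)."""
    rng = random.Random(seed)
    return [512 + int(rng.gauss(0, 40)) for _ in range(n)]

def session_key(samples, bits_per_sample=2):
    """Keep only the noisy low-order bits of each sample, then condition
    them with SHA-256 so bias in the raw bits does not reach the key."""
    if len(samples) * bits_per_sample < 256:
        raise ValueError("not enough raw bits collected")
    mask = (1 << bits_per_sample) - 1
    raw = bytes(s & mask for s in samples)
    if len(set(raw)) < 2:              # stuck-at sensor: refuse to make a key
        raise ValueError("entropy source looks stuck")
    return hashlib.sha256(b"session-key" + raw).digest()[:16]

def seal(key, counter, command):
    """External programmer side: bind the command to a counter and tag it."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Implant:
    """Implant side: accept only authentic, fresh commands."""
    def __init__(self, key):
        self.key, self.last_counter = key, 0

    def receive(self, packet):
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(packet) < 40 or not hmac.compare_digest(tag, expected):
            return None                # forged or corrupted packet
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return None                # replayed packet
        self.last_counter = counter
        return body[8:]
```

A device without the session key cannot produce a packet the implant accepts, and a captured valid packet is rejected when sent a second time.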

U.S. government issues alerts

The U.S. Department of Homeland Security joined the chorus by issuing an alert regarding the use of hard-coded (unchangeable) passwords in medical devices. It has been argued, however, that manufacturers need to build security measures into the design, thus mitigating at least some of the potentially dire consequences. The use of rechargeable implants is one such improvement because it guards against battery-draining attacks.

The Food and Drug Administration (FDA) has pointed out that all medical devices carry a certain amount of risk. The regulatory agency gives the nod to medical devices when there is a reasonable assurance that the benefits to patients outweigh the risks. While admitting that the increased use of wireless technology increases the risks, the FDA also cites the increase in quality of health care these connected devices can bring.

So, it's a balancing act in which the risks are never completely eliminated.

The FDA's recommendations for mitigating and managing cybersecurity:

  • "Medical device manufacturers and health care facilities should take steps to ensure appropriate safeguards. Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance."

  • "Hospitals and health care facilities should evaluate their network security and protect their hospital systems."

The FDA monitors devices already on the market and encourages the public to report any cybersecurity issues regarding medical devices at this link. The public is also welcome to view the information the FDA has collected so far in its efforts to help secure this important and often life-transforming technology.
