June 29, 2016
As medical devices like insulin pumps, defibrillators, and brain stimulators are given connectivity, the next wave of hacking is about to get a lot scarier.
In season one, episode six of underrated robot-cop show Almost Human, criminals extort money from users of artificial hearts by threatening to shut down those hearts remotely. Far-fetched sci-fi plot? Yes. But it’s also a scenario considered real enough that a group of scientists and neurosurgeons have authored a paper, published in World Neurosurgery, exploring its dangers. The name for such unauthorized control of implants? Brainjacking.
There are so far two known cases of hacking implants, both restricted to research endeavors. In 2011, researcher and diabetic Jay Radcliffe managed to crack the security on an insulin pump using a cheap computer chip and radio transmitter device. In addition, he "outlined a potentially lethal method of attack," says the paper. Later, a researcher named Barnaby Jack built on Radcliffe’s work by taking unauthorized control of an insulin pump and implantable defibrillator at a distance.
Medical implants are common, and modern wireless technology makes devices like pacemakers and insulin pumps easier to administer. Adjustments can be done without surgery, for example, but as ever, the extra convenience is a tradeoff against security.
These are the means. And as the paper discusses, motives aren’t hard to come by.
Attacks could be made for a variety of reasons including blackmail, malice against an individual, or manipulation of a politically notable individual. The motive need not even be rational; in 2008 a website for epilepsy sufferers was attacked using flashing images designed to trigger seizures, with the attackers’ apparent motivation being amusement.
But the really scary stuff is when hackers manage to access brain implants, which may let them control the behavior of an individual. Deep Brain Stimulation (DBS) is a procedure that implants a neurostimulator (aka "brain pacemaker") into the brain. It then sends electrical impulses into the patient’s brain. DBS is used to control the symptoms of things like Parkinson’s disease, chronic pain, and tremors, but is also used for disorders like depression and obsessive–compulsive disorder. If the security on these devices can be breached, then the attacker has a direct line into the brain.
Once an attacker has successfully breached security on a device, they have several options for brain-jacking their victim. Stimulation parameters including voltage/current, frequency, pulse width, and electrode contact can be altered in order to change the effect of stimulation. These potential attacks are unlikely to be directly lethal, but may cause serious harm and distress.
There are two kinds of attack: the more general "blind" attack, which can switch off a device, or continually connect to it in order to run the battery down (a serious problem when you have to undergo surgery to replace it), and the scarier and more targeted attack.
The targeted attack is harder, because it needs knowledge of the victim’s medical condition, along with continual access to the device, but if we’ve learned anything since the internet became popular, it’s that the ingenuity of hackers is boundless. "Targeted attacks," say the researchers, "include impairment of motor function, alteration of impulse control, modification of emotions or affect, induction of pain, and modulation of the reward system."
Here are some real examples of what can be achieved if you have access to somebody’s DBS electrodes. You can induce mania, hypersexuality, and even pathological gambling. You can modify emotions. Patients undergoing DBS therapy have sometimes experienced pathological crying and inappropriate laughter, "likely due to off-target stimulation," says the paper. Strong sensations of fear and panic have also been observed.
The answer to this is better security. The FDA has issued warnings about the possibilities of hacking drug pumps, and the U.S. Department of Homeland Security has even issued an alert about using hard-coded (unchangeable) passwords in medical devices, but security needs to come from the manufacturers, and the design of the implants themselves can be improved, mitigating the consequences of certain attacks. Using rechargeable implants is one such improvement, and guards against battery-draining attacks.
Security is always a tradeoff with convenience, and too much security—an extra cloaker or shield device to protect the implant, for example—risks being so burdensome that the patient stops using it, or even stops treatment altogether. Other recent upgrades to devices, for example allowing remote control via a smartphone, seem like disasters waiting to happen.
But there’s hope. Smartphone design is becoming more secure. For example, Apple works to shut down unauthorized access to its devices, even to law enforcement agencies. That’s important, because our phones contain so much personal data, but you can’t die if the FBI hacks your phone (unless they find evidence there that puts you on Death Row, that is). Medical devices, then, need to be at least as secure as our iPhones, but technology companies, even the medical ones, don’t tend to make those kinds of features a priority. As customers, we should start requiring those features.
http://www.fastcoexist.com/3061323/brainjacking-or-how-hackers-can-remote-control-your-medical-implants