CHARLIE SORREL
June 29, 2016
As medical devices like insulin pumps, defibrillators, and brain stimulators are given connectivity, the next wave of hacking is about to get a lot scarier.
In season one, episode six of underrated robot-cop show Almost Human, criminals extort money from users of artificial hearts, by threatening to shoot down those hearts remotely. Far-fetched sci-fi plot? Yes. But it’s also a scenario considered real enough that a group of scientists and neurosurgeons have authored a paper, published in World Neurosurgery, exploring its dangers. The name for such unauthorized control of implants? Brainjacking.
There are so far two known cases of hacking implants, both restricted to research endeavors. In 2011, researcher and diabetic Jay Radcliffe managed to crack the security on an insulin pump using a cheap computer chip and radio transmitter device. In addition, he "outlined a potentially lethal method of attack," says the paper. Later, a researcher named Barnaby Jack built on Radcliffe’s work by taking unauthorized control of an insulin pump and implantable defibrillator at a distance.
Medical implants are common, and
modern wireless technology makes devices like pacemakers and insulin pumps
easier to administer. Adjustments can be done without surgery, for example, but
as ever, the extra convenience is a tradeoff against security.
These are the means. And as the
paper discusses, motives aren’t hard to come by.
Attacks could be made for a
variety of reasons including blackmail, malice against an individual, or
manipulation of a politically notable individual. The motive need not even be rational;
in 2008 a website for epilepsy sufferers was attacked using flashing images
designed to trigger seizures, with the attackers’ apparent motivation being
amusement
But the really scary stuff is when
hackers manage to access brain implants, which may let them control the
behavior of an individual. Deep Brain Stimulation (DBS) is a procedure that
implants a neurostimulator (aka. "brain pacemaker") into the brain.
It then sends electrical impulses into the patient’s brain. DBS is used to control
the symptoms of things like Parkinson’s disease, chronic pain, and tremors, but
is also be used for disorders like depression and obsessive–compulsive
disorder. If the security on these devices can be breached, then the attacker
has a direct line into the brain.
Once an attacker has successfully
breached security on a device, they have several options for brain-jacking
their victim. Stimulation parameters including voltage/current, frequency,
pulse width, and electrode contact can be altered in order to change the effect
of stimulation. These potential attacks are unlikely to be directly lethal, but
may cause serious harm and distress.
There are two kinds of attack. The
more general "blind" attack, which can switch off a device, or continually
connect to it in order to run the battery down (a serious problem when you have
to undergo surgery to replace), and the scarier and more targeted attack.
The targeted attack is harder,
because it needs knowledge of the victim’s medical condition, along with
continual access to the device, but if we’ve learned anything since the
internet became popular, it’s that the ingenuity of hackers is boundless.
"Targeted attacks," say the researchers, "include impairment of
motor function, alteration of impulse control, modification of emotions or
affect, induction of pain, and modulation of the reward system."
Here are some real examples of what can be achieved if you have access to somebody’s DBS electrodes. You can induce mania, hypersexuality, and even pathological gambling. You can modify emotions. Patients undergoing DBS therapy have sometimes experienced pathological crying and inappropriate laughter, "likely due to off-target stimulation," says the paper. Strong sensations of fear and panic have also been observed.
The answer to this is better security. The FDA has issued warnings about the possibilities of hacking drug pumps, and the U.S. Department of Homeland Security has even issued an alert about using hard-coded (unchangeable) passwords in medical devices, but security needs to come from the manufacturers, and the design of the implants themselves can be improved, mitigating the consequences of certain attacks. Using rechargeable implants is one such improvement, and guards against battery-draining attacks.
Security is always a tradeoff with convenience, and too much security—an extra cloaker or shield device to protect the implant, for example—risks being so burdensome that the patient stops using it, or even stops treatment altogether. Other recent upgrades to devices, for example allowing remote control via a smartphone, seem like disasters waiting to happen.
But there’s hope. Smartphone design is becoming more secure. For example, Apple works to shut down unauthorized access to its devices, even to law enforcement agencies. That’s important, because our phones contain so much personal data, but you can’t die if the FBI hacks your phone (unless they find evidence there that puts you on Death Row, that is). Medical devices, then, need to be at least as secure as our iPhones, but technology companies, even the medical ones, don’t tend to make those kinds of features a priority. As customers, we should start requiring those features.
http://www.fastcoexist.com/3061323/brainjacking-or-how-hackers-can-remote-control-your-medical-implants
No comments:
Post a Comment