What if a hacker could one day enter your mind at will, stealing information, tweaking or eradicating memories, or causing debilitating damage?
It might seem like a concept born from Altered Carbon’s stack technologies, but according to cybersecurity firm Kaspersky Lab and the University of Oxford Functional Neurosurgery Group, cyberattacks might not always be limited to the physical when it comes to our health.
The problem of medical device security hit the spotlight when the US Food and Drug Administration (FDA) issued a voluntary recall of 465,000 St. Jude pacemakers in order to patch them against remote attacks last year — despite the risk of the firmware update preventing the pacemakers from working altogether.
Hacking medical equipment which can mean the difference between life and death is not science fiction. Thankfully, there are not any known examples of such compromise at present, but this does not mean these attacks will not potentially happen one day.
The teams from Kaspersky and Oxford said on Monday that our current brain stimulation implants and chips already contain existing and ‘potential’ vulnerabilities which could be used in attacks against the organ.
“These vulnerabilities could be exploited in the future to steal personal information, alter or erase memories or cause physical harm,” the researchers say.
The teams collaborated on a project which examines the security of Implantable Pulse Generators (IPGs), also known as neurostimulators, which are used to send electrical impulses to specific areas in the brain.
Medical professionals use these implants to treat a range of problems and diseases, including Parkinson’s, Obsessive-Compulsive Disorder, major depression, and tremors. Brain chips are a relatively new concept and these kinds of implants could be used in a wider range of treatments in the future.
The researchers say that within five years, medical professionals are also expected to have the capability to record the brain signals which build our memory, potentially leading to memory-boosting implants, memory storage, and more.
The latest generation of implants we currently use come with management software which can be accessed by both patients and clinicians and the systems interconnect through the Bluetooth communication protocol.
The team’s investigation uncovered a range of existing attack scenarios which could be used to assault these medical devices.
A serious vulnerability — together with misconfigurations — was discovered in an online management platform which, while popular with surgical teams, also permitted attackers to access sensitive data and treatment procedures.
In the cases of some implants, data transferred via management software was found to be insecure and unencrypted, which could lead to an attacker being able to tamper with massive groups of implants at the same time.
“Manipulation could result in changed settings, causing pain, paralysis or the theft of private and confidential personal data,” the researchers said.
Our brain chip and implant designs are also of concern — especially given potential future security ramifications. By design, these devices may need to be fitted with a software backdoor for clinicians to change settings in an emergency, and this backdoor could become an avenue for attack.
The human element is also a problem. The devices used by medical professionals which contain the software critical to patient implants and care were found to be left open and exposed with default passwords in a number of cases, and they were also used to download additional apps — any of which could become an attack vector, if vulnerable.
If we can’t tackle such security problems now, future brain implants could become a hacker’s playground.
“Current vulnerabilities matter, because the technology that exists today is the foundation for what will exist in the future,” said Dmitry Galov, junior security researcher of the Global Research and Analysis Team at Kaspersky Lab. “Although no attacks targeting neurostimulators have been observed in the wild, points of weakness exist that will not be hard to exploit.”
Who knows? Perhaps, sooner than we think, our memories could be locked by brain-based ransomware, or state-sponsored groups might target figures of political interest in order to wipe their memories clean.
“Memory implants are a real and exciting prospect, offering significant healthcare benefits,” said Laurie Pycroft, doctoral researcher in the University of Oxford Functional Neurosurgery Group. “The prospect of being able to alter and enhance our memories with electrodes may sound like fiction, but it is based on solid science, the foundations of which already exist today.”
“Memory prostheses are only a question of time,” Pycroft added. “Collaborating to understand and address emerging risks and vulnerabilities, and doing so while this technology is still relatively new, will pay off in the future.”
In August, the US Department of Homeland Security’s ICS-CERT warned of severe vulnerabilities in Philips cardiovascular imaging devices.
A major vulnerability, deemed trivial to exploit, can be used by attackers to escalate their privileges and execute arbitrary code.
Previous and related coverage