By Aaron Kesel
Scientists and security experts are warning that people who have had “brain implants” to treat Parkinson’s disease could have their brains hacked, according to cybersecurity firm Kaspersky Lab and the University of Oxford Functional Neurosurgery Group, ZDNet reported.
The problems of medical device vulnerabilities were first brought up by Barnaby Jack, a hacker who mysteriously died right before he was set to give a presentation on how to hack a pacer monitor in 2012. Jack’s death was ruled a drug overdose by medical examiners but, still, the timing is coincidental.
Barnaby said that, using a laptop, he could induce an 830-volt shock in someone up to 50 feet away.
In 2006, the U.S. Food and Drug Administration approved full radio-frequency based implantable devices operating in the 400MHz range, Jack said at the time.
With that wide transmitting range, remote attacks against the software become more feasible, Jack said. Upon studying the transmitters, Jack found the devices would give up their serial number and model number after he wirelessly contacted one with a special command.
With the serial and model numbers, Jack could then reprogram the firmware of a transmitter, which would allow reprogramming of a pacemaker or ICD in a person’s body.
“It’s not hard to see why this is a deadly feature,” Jack said.
As if this wasn’t bad enough, Jack said it’s possible to upload custom firmware to a company’s servers that would then infect multiple pacemakers and ICDs, spreading through their systems like a virus.
“We are potentially looking at a worm with the ability to commit mass murder,” Jack said. “It’s kind of scary.”
Before Barnaby died he was alleged to be working on “Electric Feel,” an application with a graphical user interface that would allow a user to scan for a medical device in range.
The spotlight was further brought onto the issue last year when the U.S. Food and Drug Administration (FDA) recalled 465,000 St. Jude pacemakers over remote attacks of the kind Barnaby Jack was set to demonstrate before he mysteriously died.
Now scientists are finding that deep brain stimulation (DBS) can also be exploited. DBS is a neurosurgical procedure that involves implanting a medical device called a neurostimulator or implantable pulse generator (IPG) in the human body to send electrical impulses through implanted electrodes to specific targets in the brain for the treatment of movement and neuropsychiatric disorders.
Exploiting vulnerable pace monitors to induce a heart attack in someone by pumping them full of high volts is one thing, but being able to access someone’s brain, implant false memories and manipulate a person’s reality is a whole different story.
To better understand the potential future threat landscape facing memory implants, researchers from Kaspersky Lab and the University of Oxford Functional Neurosurgery Group undertook a security audit of neurostimulators.
“These vulnerabilities could be exploited in the future to steal personal information, alter or erase memories or cause physical harm,” the researchers say.
Medical professionals use brain implants to treat a range of problems and diseases, including Parkinson’s, Obsessive-Compulsive Disorder, major depression, and tremors.
The reality of brain chips is a relatively new concept and these kinds of implants could be used in a wider range of treatments in the future. However, in their current state they are insecure and a risk to anyone who has one.
Researchers believe that within five years medical professionals will also have the capability to record the brain signals that build our memory, potentially leading to memory-boosting implants, memory storage, and more.
The researchers found existing and potential risk scenarios, each of which could be exploited by attackers.
According to Kaspersky Lab, these include:
- Exposed connected infrastructure – the researchers found one serious vulnerability and several worrying misconfigurations in an online management platform popular with surgical teams.
- Insecure or unencrypted data transfer between the implant, the programming software, and any associated networks could enable malicious tampering of a patient’s implant or even whole groups of implants (and patients) connected to the same infrastructure. Manipulation could result in changed settings causing pain, paralysis or the theft of private and confidential data.
- Design constraints, as patient safety takes precedence over security. For example, a medical implant needs to be controlled by physicians in emergency situations, including when a patient is rushed to a hospital far from their home. This precludes use of any password that isn’t widely known among clinicians. It also means that by default such implants need to be fitted with a software ‘backdoor’.
- Insecure behavior by medical staff – programmers with patient-critical software were being accessed with default passwords, were used to browse the internet or had additional apps downloaded onto them.
Perhaps one of the most worrying things about brain chips is that the management software can be accessed by both patients and clinicians, and that the systems interconnect through Bluetooth, a recipe for disaster.
The team’s investigation uncovered numerous existing attack scenarios which could be used to execute code on these brain chips.
Also, the team uncovered a serious vulnerability — together with misconfigurations — in an online management platform that permitted would-be attackers to access sensitive data and treatment procedures.
Some of the implants that transferred data via management software were found to be completely insecure and unencrypted, which could lead to a would-be hacker being able to exploit several massive groups of implants all at once. An absolutely horrifying scenario to say the least.
“Manipulation could result in changed settings, causing pain, paralysis or the theft of private and confidential personal data,” the researchers said.
It’s telling that pace monitors can be hacked; soon a hacker might be able to edit the memories or damage the brain of someone who has a brain chip implanted.
Aaron Kesel writes for Activist Post.