Academic researchers have discovered that brain implants, known as neurostimulators, can be hacked and could prevent patients from “speaking or moving, cause irreversible damage to his brain, or even worse, be life-threatening”.
According to a paper published by the Catholic Univery of Leuven, titled Securing Wireless Neurostimulators, and presented at the Eighth ACM Conference on Data and Application Security and Privacy last month, such implants can accessed using off-the-shelf equipment.
Such implants, are used in a medical procedure known as Deep Brain Stimulation (DBS). DBS is used on people with Parkinson’s disease to ease their symptoms, such as shaking. The neurostimulators can also be used to treat mental health issues such as OCD and depression.
Researchers found that the newest generations of neurostimulators often include wireless capabilities that enable remote monitoring and reprogramming through an external device programmer.
“While the wireless interface enables more flexible and personalised treatments for patients, it also opens the door for adversaries to conduct software radio-based attacks,” said researchers.
They added that if strong security mechanisms are not in place, adversaries could send malicious commands to the neurostimulator to deliver undesired electrical signals to the patient’s brain.
“For example, adversaries could change the settings of the neurostimulator to increase the voltage of the signals that are continuously delivered to the patient’s brain. This could prevent the patient from speaking or moving, cause irreversible damage to his brain, or even worse, be life-threatening,” said the paper’s authors.
Hackers could also leverage the wireless nature of the communication to intercept the data transmitted over the air. The transmitted data is personal data, and some of it is sensitive medical data.
“On the other hand, a more sophisticated form of privacy attack would be to use signals extracted from the brain to make inferences about patients. While this is currently not possible, future generations of neurostimulators will use information extracted from patients brain signals for the development of more precise and effective therapies,” said researchers.
To mitigate such attacks, researchers said that the devices needed a security architecture through which the device programmer and the neurostimulator can agree on a session key that allows to bootstrap a secure communication channel.
“Our solution grants access to the neurostimulator to any device programmer that can touch the patient’s skin for a few seconds. This allows to create a secure data exchange between devices while ensuring that medical personnel can have immediate access to the neurostimulator in emergencies,” they said.
“Our solution accounts for the unique constraints and functional requirements of IMDs, requires only minor hardware changes in the devices and provides backward and forward security.”
Lamar Bailey, director of security research and development at Tripwire, told SC Media UK that medical device security is a problem.
“Many of the hospitals have detailed plans and processes to build outpatient and ER rooms with specific devices, all the way down to location in the rooms but there are no plans to update the firmware or software on these devices,” he said.
“It is not uncommon to have multiple versions of the same device at different firmware revisions. Many new models of medical equipment have built-in functionality so that they can be monitored remotely and this has opened up the devices to remote attacks. It is imperative that equipment manufactures keep up with security issues and trends and then feed to their customers in the form of updates and information on why it is important to update.”
Winston Bond, EMEA technical director at Arxan Technologies, told SC Media UK that the paper shows that the protocols used to control these devices is “quite simple and has practically no security”.
“It’s at about the same level as Telnet, a computer networking protocol from the 1960s that no modern IT organisation would allow anywhere near their systems,” he said.
“This system described in this paper is from an era when embedded devices were controlled through dedicated, custom-built machines. Nowadays, devices can be controlled through apps on standard tablet computers. That helps with some problems – it is a lot easier to install or update an app than it is to make sure that every hospital has an up-to-date, working gizmo for every manufacturer’s devices. But it means that hackers won’t have to depend on “black box” attacks any more. The app software will be there to tell them how to communicate with the device.”