Brainjacking: the future of software security for neural implants

In a new scientific review paper published in World Neurosurgery, a group of Oxford neurosurgeons and scientists round up a set of dire, terrifying warnings about the way that neural implants are vulnerable to networked attacks.

Most of the article turns on deep brain stimulation devices, which can be used to stimulate or suppress activity in different parts of the brain and are already used to treat some forms of mental illness, chronic pain and other disorders. The researchers round up a whole dystopia's worth of potential attacks on these implants, including tampering with the victim's reward system "to exert substantial control over a patient's behaviour"; pain attacks that induce "severe pain in these patients"; and attacks on impulse control that could induce "Mania, hypersexuality, and pathological gambling."

The researchers discuss some of the ways in which the (dismal) state of medical implant security could be improved. I recently co-authored a set of comments to the FDA asking them to require manufacturers to promise not to use the DMCA to intimidate and silence security researchers who come forward with warnings about dangerous defects in their products.

The paper has a delightful bibliography, which cites books like Neuromancer, anime like Ghost in the Shell, as well as papers in Nature, Brain, The Journal of Neurosurgery, and Brain Stimulation.

Perhaps the most concerning attack strategy feasible using currently implanted neural devices involves the use of operant conditioning to exert substantial control over a patient's behaviour. As noted above, the NAcc is the target of stimulation in several emerging DBS indications, including depression, OCD, and anorexia. Currently the number of patients undergoing NAcc-DBS is small although this number may rise if one or more indications proves to be clinically viable.

The enhancement/attenuation of positive reinforcement effected by NAcc stimulation has been well demonstrated in humans and other animals [72,73] and, indeed, is a core component of the rationale for its value as a target in such a broad range of conditions [74–76]. Sufficient control over the IPG could enable use of operant conditioning to modify the behaviour of the victim, potentially reinforcing harmful behaviours. This strategy would require an even greater level of sophistication on the part of the attacker than required by most of the attacks discussed above. One would need continuous control over the IPG for an extended period of time, along with a means of surveillance over the victim. It would be feasible for the attacker to use a wireless relay device placed near the victim to remove the need to be in close physical proximity, but placing this device without detection would bring its own challenges.

Brainjacking: implant security issues in invasive neuromodulation
[Laurie Pycroft, Sandra G. Boccard, Sarah L.F. Owen, John F. Stein, James J. Fitzgerald, Alexander L. Green, Tipu Z. Aziz/World Neurosurgery] [Scihub mirror (no paywall)]

(Thanks, Laurie!)