Hacking into the brain?

As brain-to-computer interfaces become more commonplace, scientists are beginning to worry that the risks of 'brain hacking' should be taken seriously. While great strides have been made in implantable electronic devices, little attention has been paid to the security of their digital connections. An article in this month's Neurosurgical Focus discusses the potential security weaknesses of these devices.
Many current devices, such as deep brain stimulators and prosthetic devices, are designed to be surgically implanted and then controlled and reprogrammed from outside the body over a wireless link with very little, if any, built-in authentication. They function much like TV remote controls: anyone with the correct remote control can change the settings on a TV, and it is assumed that no one except the owner would want to. As these devices become more widespread, however, this leaves open the possibility that malicious attackers could alter the function of the brain by taking control of the device.
There have already been security vulnerabilities in implanted medical devices. In previous research, the authors of this paper experimentally demonstrated that a hacker could wirelessly compromise the security and privacy of an implantable cardiac defibrillator. A person using homemade and low-cost equipment could wirelessly change a patient's therapies or disable the device. In another example, "vandals using computers in an attempt to cause physical harm to patients... placed flashing animations on epilepsy support websites, causing some patients with photosensitive epilepsy to experience seizures."
The authors draw the analogy to security on the Internet. "When the Internet was originally designed and built as a research project, security was not a critical concern. Yet, as we all know, security concerns on the Internet are now a daily issue. Furthermore, because the Internet was not originally designed with security in mind, it is incredibly challenging—if not impossible—to retrofit the existing Internet infrastructure to meet all of today's security goals."
"We are at a similar stage in the evolution of neural engineering as we were at the Internet's inception: neurosecurity is not an issue today, but it could be an important concern in the future. The consequence of a neurosecurity breach can be far worse than a breach in the Internet's security; instead of protecting the software on someone's computer, we are protecting a human's ability to think and enjoy good health. Rather than wait for these concerns to manifest - at which point it may be too late to retrofit security into mature designs - we must begin to consider neurosecurity now."
The authors define "neurosecurity" as "the protection of the confidentiality, integrity, and availability of neural devices from malicious parties with the goal of preserving the safety of a person's neural mechanisms, neural computation, and free will." They describe neurosecurity as "a version of computer science security principles and methods applied to neural engineering." They point out that three of the standard goals in computer security are confidentiality, integrity, and availability: an attacker should not be able to exploit the properties of a device to learn private information (confidentiality); an attacker should not be able to change device settings or initiate unauthorized operations (integrity); and an attacker should not be able to disable a device altogether and render it ineffective (availability).
Neurosecurity is not a critical concern for current neural engineering devices, which have limited deployment outside of research environments or are self-contained systems; however, unless appropriate safeguards are considered early in the design of the neural devices that will be deployed within 5-20 years, security and privacy concerns could become critical. "We view it as the community's responsibility to assess and develop technical approaches for mitigating these threats - before any serious risks manifest."
It is easy to imagine that it might also be desirable to set up home monitors for patients with neural devices. In the future we can also expect multiple implants within a patient's body to be wirelessly interconnected; for example, neural signals from the motor cortex could be wirelessly transmitted to a robotic prosthetic leg. Another trend is the increase of complexity: as the components used in neural systems become more complex, more integrated, and influence a larger set of neurons, it will become harder to identify and defend against all potential security vulnerabilities.
Neurosurgical Focus
July 2009 Volume 27, Number 1