Brainjacking – a new cyber-security threat

We live in an interconnected age where wirelessly controlled computing devices make almost every aspect of our lives easier, but they also make us vulnerable to cyber-security attacks. Today, nearly everything can be hacked, from cars to lightbulbs. But perhaps the most concerning threat is the one posed by implanted medical devices. Experts have demonstrated the ease with which security on pacemakers and insulin pumps can be breached, potentially resulting in lethal consequences.

In a recent paper that I and several of my colleagues at Oxford Functional Neurosurgery wrote, we discussed a new frontier of security threat: brain implants. Unauthorised control of brain implants, or “brainjacking”, has been discussed in science fiction for decades but with advances in implant technology it is now starting to become possible.

Deep brain stimulation

The most common type of brain implant is the deep brain stimulation (DBS) system. It consists of implanted electrodes positioned deep inside the brain connected to wires running under the skin, which carry signals from an implanted stimulator. The stimulator consists of a battery, a small processor, and a wireless communication antenna that allows doctors to program it. In essence, it functions much like a cardiac pacemaker, with the main distinction being that it directly interfaces with the brain.

DBS is a fantastic tool for treating a wide range of disorders. It is most widely used to treat Parkinson’s disease, often with dramatic results, but it is also used to treat dystonia (muscle spasms), essential tremor and severe chronic pain. It is also being trialled for conditions such as depression and Tourette’s syndrome.

Targeting different brain regions with different stimulation parameters gives neurosurgeons increasingly precise control over the human brain, allowing them to alleviate distressing symptoms. However, this precise control of the brain, coupled with the wireless control of stimulators, also opens an opportunity for malicious attackers to go beyond the more straightforward harms that could come with controlling insulin pumps or cardiac implants, into a realm of deeply troubling attacks.

Remote control

Examples of possible attacks include altering stimulation settings so that patients with chronic pain are caused even greater pain than they would experience without stimulation. Or a Parkinson’s patient could have their ability to move inhibited. A sophisticated attacker could potentially even induce behavioural changes such as hypersexuality or pathological gambling, or even exert a limited form of control over the patient’s behaviour by stimulating parts of the brain involved with reward learning in order to reinforce certain actions. Although these hacks would be difficult to achieve as they would require a high level of technological competence and the ability to monitor the victim, a sufficiently determined attacker could manage it.

There are proposed solutions for making implants more resistant to cyber-attacks, but makers of these devices are in a difficult position when trying to implement security features. There’s a trade-off between designing a system with perfect security and a system that is actually usable in the real world.

Implants are heavily constrained by physical size and battery capacity, making many designs unfeasible. These devices must be easily accessible to medical staff in an emergency, meaning that some form of “back-door” control is almost a necessity. New and exciting features, such as being able to control implants using a smartphone or over the internet, have to be balanced against the increased risk that such features bring.

Brain implants are becoming more common. As they get approved for treating more diseases, become cheaper, and get more features, increasing numbers of patients will be implanted with them. This is a good thing overall but, just as a more complex and interconnected internet resulted in greater cyber-security risks, more advanced and widespread brain implants will pose tempting targets to criminals. Consider what a terrorist could do with access to a politician’s mind or how coercive blackmail would be if someone could alter how you act and think. These are scenarios that are unlikely to remain purely in the realm of science fiction for much longer.

It’s important to note that there’s no evidence to suggest that any of these implants has been subjected to such a cyber-attack in the real world, nor that patients with them currently implanted should be afraid. Still, this is an issue that device makers, regulators, scientists, engineers and clinicians all need to consider before such attacks become a reality. The future of neurological implants is bright, but even a single high-profile incident could irreparably damage public confidence in the safety of these devices, so the risk of brainjacking should be taken seriously before it’s too late.
