If security flaws in brain stimulation tech are not fixed, researchers warn that hackers will be able to target your memories, erase them or hold them for ransom in the future.

Oh goody! Erasing memories or rewriting them and then implanting false ones are not just the stuff of sci-fi or horror flicks, as a new report warns that hackers will be able to attack the memories of people with implanted brain stimulation devices.

New research by Kaspersky Lab and the University of Oxford Functional Neurosurgery Group identified vulnerabilities currently in implanted devices used for deep brain stimulation. The devices, known as neurostimulators or implantable pulse generators, send electrical impulses to parts of the brain; they can be used to treat disorders such as Parkinson’s disease, Obsessive–Compulsive Disorder, major depression and essential tremor.

The brain implants come with management software which can be installed on tablets or smartphones; the connection is based on standard Bluetooth protocol. As for what hackers could do, the researchers listed the following as existing and potential risk scenarios:

Exposed connected infrastructure: The researchers found one serious vulnerability and several worrying misconfigurations in an online management platform popular with surgical teams, which could allow an attacker to access sensitive data and treatment procedures.

Insecure or unencrypted data transfer between the implant, the programming software and any associated networks: This could enable malicious tampering of a patient’s implant, or even tampering of whole groups of implants (and patients) connected to the same infrastructure. Manipulation could result in changed settings, causing pain, paralysis or the theft of private and confidential personal data.

Design constraints as patient safety takes precedence over device security: For example, a medical implant needs to be controlled by physicians in emergency situations, including when a patient is rushed into a hospital far from their home. This precludes use of any password that isn’t widely known among clinicians. Further, it means that by default such implants need to be fitted with a software ‘backdoor.’

Insecure behavior by medical staff: Devices with patient-critical software were found being left with default passwords, used to browse the internet or with additional apps downloaded onto them.

Hellish hacks of the future

But wait, as there is so much more that attackers will be able to pull off in the future as scientists better understand the brain and the storing of memories. For example, within five years, scientists are expected to be capable of electronically recording brain signals that build memories or even rewriting those memories before stuffing them back into the brain. Commercial memory boosting implants are expected to hit the market in 10 years; in 20 years, it may be possible to allow for vast control over memories.

The creepy things that hackers could do then include locking memories and holding them for flipping ransom, espionage-themed hacks such as spying on or stealing memories, erasing memories, and mass manipulation of memories to rewrite history.

Thankfully, none of these attacks have yet been observed in the wild. Yet the researchers emphasized that current vulnerabilities in the tech need to be reduced or eliminated altogether before being built into the foundation of the future.
If security and healthcare pros, developers and manufacturers start collaborating now to grasp the full range of risks and vulnerabilities, it will pay off in the future.

I am going to be so ticked if the day comes when instead of still writing about ransomware hitting a company, the news will be about the memories of company personnel being locked and held for ransom – or even deleted for not paying the ransom demand. If some people can’t regularly patch, upgrade firmware or even back up their business data, will they be able to back up their brain data, their memories?