[HEALTHCARE] Hacking of wireless neurostimulators

Electrical implants placed in the brain, also called neurostimulators, are used to cure neurological health problems such as Parkinson’s disease and chronic pain. Wireless interfaces are essential to the operation of these medical implants because a USB cable cannot be used to connect to the chip that has been implanted into the human brain.

Nevertheless, a team of Belgian security researchers from KU Leuven discovered that electrical brain implants are vulnerable because of their relatively insecure wireless interfaces. Attackers could intercept sensitive medical data transmitted between the implant and the connected devices. By hacking neurostimulators, an attacker can cause irreversible damage to patients by preventing them from speaking or moving.

A study published by Gartner in 2015 on medical implants showed that most of these devices had no protection, and that whatever protection did exist was obsolete. Likewise, in August 2016, Oxford researchers exposed the possibility of hacking a brain implant. Last year researchers found over 8600 security holes in pacemakers. The analysis revealed security that is still embryonic: unencrypted data, extremely outdated operating systems, lack of authentication, ageing libraries, etc. Rarely has a security study found a level of security as low as that of pacemaker systems. Most of these vulnerabilities are known and come from software that is not up to date.

This is not the first time pacemakers have been singled out. By 2012, the hacker Barnaby Jack had already shown that pacemakers could be hacked to turn them into electric bombs. More recently, the US Food and Drug Administration (FDA) expressed concern about the vulnerabilities of some pacemakers. It launched an investigation with DHS, the US Department of Homeland Security, to assess the robustness of several thousand Abbott-brand connected pacemakers. We can imagine the cost of patching these pacemakers…

While security measures remain traditional (regularly changing passwords, not disclosing the serial numbers of implants on the Internet, and raising awareness among the public concerned), the ideal would be to encrypt data exchanges. However, these small devices lack the battery capacity and memory to implement an efficient security layer. With the increasing development of smart devices, the situation will only get worse.