Belgian scientists have managed to hack a neurostimulator or ‘brain pacemaker’. They showed that it is possible to take control of the neurostimulator with inexpensive hardware. Using this approach, a person with malevolent intent could cause serious brain damage to patients, with fatal consequences. The scientists proposed new methods to improve the security of medical implants.

Neurostimulators are used to treat the symptoms of illnesses such as epilepsy and Parkinson’s disease. Using fine wires, they send controlled electrical pulses to specific parts of the brain. The neurostimulator is implanted in the patient’s body and is thus no longer physically accessible, so wireless communication is used to read out data and to adjust settings. A ‘clinician programmer’ is used for this purpose.

A fake doctor with low-cost hardware

A team of seven researchers at the Catholic University of Leuven (Belgium) were able to take control of a neurostimulator (to avoid copycat attacks, they did not mention the names of the device or the manufacturer). They did this by emulating the clinician programmer, using only a small number of devices: a laptop computer, a USB-6351 data acquisition system (DAQ) from National Instruments, and two home-made antennas. They described their findings in the paper Securing Wireless Neurostimulators.

The seven-member team started by tapping the wireless communication signals between the neurostimulator and the clinician programmer. They discovered that the communication was not encoded, and there was no authentication procedure to prove that the device was actually what it claimed to be. This allowed them to simulate the communication protocol between the two devices and talk to the neurostimulator without using the clinician programmer.

That enabled them to read out data and to reprogram the neurostimulator – which could be exploited to cause serious physical damage to a patient. In their paper they said that “adversaries could change the settings of the neurostimulator to increase the voltage of the signals that are continuously delivered to the patient’s brain. This could prevent the patient from speaking or moving, cause irreversible damage to his brain, or even worse, be life-threatening.”

Tag alert: Subscribe to the tag Elektor Ethics and you will receive an e-mail as soon as a new item about it is published on our website!

Better security

The seven researchers concluded their paper with a number of proposals for improving the security of medical implants. To make third-party attacks more difficult, they suggested a ‘touch to access’ policy for the devices. This means that the clinician programmer would first have to touch the skin of the patient for several seconds before it could communicate with the neurostimulator.

A second proposal is to encrypt the communication. It is difficult to employ encryption in medical implants, because they must be small and therefore have hardware restrictions. A true random number generator is often used for encrypted communication. That is a small device that produces random numbers based on physical processes instead of a software algorithm. These numbers are used to generate cryptographic keys. But there is no room for such a device in a neurostimulator.

The researchers therefore proposed the idea of using physiological signals extracted from the patient’s body as random data. In the words of the paper, “this allows signals that are already being gathered by the device to be used as a low-cost source of randomness.” The neurostimulator can measure brain waves, and the researchers suggested that these signals could be used to generate cryptographic keys. Encryption of the brain-computer interface would improve patient protection against external attacks.

The paper Securing Wireless Neurostimulators was presented in March at the ACM Conference on Data and Application Security and Privacy.

Image: Deep brain stimulation. Source: Dr Craig Hacking, A. Prof. Frank Gaillard. CC BY-SA 4.0 licence.