The Prosthetic DEKA Arm Is Hackable and a Legal Mess
Imagine your arm being controlled by a hacker. Well if it's robotic, one security expert says that's a possibility.
An early version of the DEKA arm holds a light bulb, to demonstrate dexterity (2009). Image: Flickr
Back in May when DARPA triumphantly announced that its DEKA arm was secure enough to be approved by the FDA for circulation to military amputees, the agency didn’t mention that the arm is probably hackable. Security expert Marc Weber Tobias is now sounding the alarm on the hacking dangers the robotic arm faces and the legal can of worms that could open up.
Dubbed Luke, in reference to Luke Skywalker’s robotic arm in Star Wars, the DEKA arm is one of the first prosthetic limbs powered entirely by the user’s brain waves. The DEKA arm connects electromyogram electrodes to surviving muscle, and once attached, follows commands relayed from the brain by surviving biological tissue.
“The question is why would anybody want to hack a robotic arm?" asked Weber Tobias from Italy, where he’s lecturing on the future of physical security. "And that’s where it gets interesting.”
“Here’s the scenario that I’m seeing as a criminal investigator: could someone overtake the arm and make the robotic arm do something they didn’t want to do?,” Weber Tobias continued. “Frankly, I don’t think that’s so far out of line.” According to Weber Tobias the ability to hack the arm a guarantee. Not only that, but it will be an attractive target for hackers looking to prove themselves on new technology.
It’s no secret that the internet of things opens up a new frontier for hackers. Everything from robotic limbs to pacemakers could be the targets for assassins or criminal syndicates looking to extort someone by holding their limb hostage. These real dangers have also also given birth to a collective paranoia from security industry types that say everything that can be hacked will be used by terrorists. Paranoia aside, hackers are a real threat to robot body parts already: even the wifi capability in Dick Cheney’s pacemaker was disabled in 2013 for fear of assassination.
Though the DEKA arm is controlled through electrical signals from muscle contractions, there’s still a tiny computer embedded into the arm receiving signals from the living muscles that can be intercepted. In fact, the DEKA arm can be constructed to use wireless sensors installed on just about anywhere on the users’ body, including within the soles of their shoes.
“The arm needs to be able to be accessed remotely in case something goes wrong,” Weber Tobias said. “The irony is that having the remote access capability now endangers the security of the arm.”
Hacking medical equipment isn’t an unprecedented notion. At the McAfee FOCUS 11 conference three years ago, the late New Zealand hacker Barnaby Jack first demonstrated how he hacked into insulin pumps. Jack garnered complete control of how much insulin the pumps were outputting without any previous knowledge of the product, raising the amounts to lethal levels.
“The only way to talk to the machines implanted in bodies is through a wireless network, equivalent to a Bluetooth setup,” Weber Tobias said. “Even the most encrypted technology can be hacked by anyone who really wants to get inside the computer.”
For Weber Tobias the most troubling aspect of the DEKA arm is the lack of culpability for the wearer in an event of a serious crime. “If the arm is hacked, anyone with access to it can make the arm do whatever they like and, from a legal perspective, it’s a bad scenario," he said. "If you can’t figure out who to blame, we can’t decide who’s culpable." In other words, "it’s not my fault, my arm did it" could be a new—and plausible—legal defence in future courtrooms.
“Let’s use a scenario like Oscar Pistorius," Weber Tobias said. "If he had a robotic arm that had the potential to be hacked, his case would be handled very differently from his legal team. It would not only be more difficult to prove he had complete control over his arm, it would be infinitely more difficult to prove his intentions were to kill.”
Weber Tobias believes the FDA’s approval is another issue associated with physical security. In a Forbes piece he insists the FDA doesn’t have the capabilities or the expertise to properly examine the potential cybersecurity risks associated with medical implants or devices.
For now, DARPA has not released the arm to the civilian public. Instead, the agency is outfitting veterans coming home from war with the robotic prosthetic. Yet the all too familiar path from military grade technology to consumer product is a fast one and the public will very likely get the DEKA arm sooner or later.
Thousands of networked DEKA arms is a complicated prospect for Weber Tobias and he foresees a slew of new legal questions surrounding the roboticized limbs. Ultimately, he says the danger is not overstated.
If hackers can get into the Pentagon and the White House they can surely “hack a tiny computer in an arm" he said, "simple as that.”