What Happens When Brain Implants Get Hacked?

And why do I have this sudden urge to send money to a Nigerian prince?

"DEAR SIR OR MADAM," the voice in your virtual reality field says. The man's eyes twinkle. His face glows with goodwill. He's right there inside your head. How did he get past the spam filter, you wonder? But he continues:


Your brain implant interface is purring. Hormones are pumping, your mood center's swinging. Even better than the last time you had virtual sex with a stranger via Tinder's new brain implant app. How can this feel so good, you wonder? You consult your memory, which for more reliable retrieval is now stored on your implant instead of your all-too-fallible grey cells. Why, all your friends are sending money to Nigeria too! In fact, the President recently gave a speech highlighting the importance of all good citizens to send money to Nigeria! How is this possible? That can't be right. Can it—?

But then a lightbulb goes on in your head. A switch, flipped. "I must save this young prince," you decide. "A life of penury shall not be his." Immediately you log in to your virtual bank account, authenticate using your brain implant, and wire the ten thousand dollars to Nigeria. "But will that be enough?" you wonder, biting your fingernails. His dastardly uncle might still refuse to allow the prince to become—king! And so you empty your bank account in your noble quest to aid the scion of Nigerian royalty, all the while quivering in ecstasy.

A week later your automatic withdrawal for rent bounces. Your bank account is zero. But where did all the money go? You search your memory: Nothing. The money should be there. All you remember is having a nice brain orgasm with someone new. You jump into a mind meld conference with a bank rep. They show you the trail of destruction leading to Nigeria. What's going on?

You just got totally pwned.

Now that the most sensitive parts of our lives are online, security matters. So what happens when you stick a computer inside your head? What happens when Android becomes Google Borg, and iOS becomes iBrainImplant?

The security issues don't go away. They just get exponentially worse.

Just one problem: There is no solution.

DARPA is pushing the capabilities of brain implants far into the future, but naturally security is a concern.

"I think our human civilization is still hundreds of years away from getting to a point where software can be written without critical security bugs, if it's even possible at all," Micah Lee, technologist at The Intercept, wrote me in an email.

Because programmers make mistakes, and some of those bugs inevitably turn out to be security vulnerabilities. Which means zero-day exploits will be with us for the foreseeable future.

Brain implant researcher Roozbeh Jafari agrees. A professor of electrical engineering at the University of Texas at Dallas, his research focuses on developing a brain-machine interface.

"There's a whole bunch of questions of security and privacy that need to be addressed," he said. "Suppose we want to push updates to the system, but if someone can remotely hack into the brain and control our brain or control our muscles, I'm not sure what the consequences would be… it could become a significant concern."

Lee suggests that designing implants with security in mind is possible, but may run contrary to market forces—not to mention medical constraints. "The most effective way to secure implants," he wrote, "would be to limit the attack surface as much as possible. For example, the implant could not include any wireless functionality at all, or can only output data wirelessly but refuse to accept any inputs. If the implant doesn't accept any remote commands at all, there's no way to hack it without opening the brain and physically retrieving the implant."

"Of course," he added, "this might not be practical. What if you need to send a command to the implant, or update its firmware to fix a bug? It doesn't seem healthy to have to go in for brain surgery for these things."

We can definitely safely say that government hackers would hack people's brains for fun and profit

He suggested that a properly-implemented cryptographic protocol be used to authenticate any external commands or updates, and that the source code of any implantable device be open source and free of DRM.

Connecting brain implants to the internet, as some scientists have been speculating for years, makes securing a brain implant even more challenging.

Lee doesn't mince words. "Giving brain implants access to the internet is a terrible idea," he said.

"The issue," said Jafari, "is an average user needs to be aware of how they are giving up their privacy. In most cases we are giving up our privacy to improve the quality of services we receive. You might be using Google Maps, so Google knows exactly where you are at any given time." But he acknowledges that giving Google access to our innermost thoughts might pose a more serious set of privacy questions.

Lee is cynical about the future of privacy protections for brain implants. "If done right, brain implants could be created to give people superhuman abilities while also respecting their privacy," he wrote. "But given the history of smartphone apps and the data industry, it seems likely that privacy would be a consumer-demanded afterthought that isn't profitable for the people who design the products."

Far more Orwellian concerns lurk in the shadows, however. If brain implants were connected to the internet, "We can definitely safely say that TAO [the NSA's offensive hacking unit] and other government hackers would hack people's brains for fun and profit," Lee wrote. "This is similar to today's pacemakers, which also run computer code, and which have been shown to be hackable to trigger remote heart attacks."

Worse, the brain implant the surgeon puts in your brain might not be the one that left the factory. "If brain implants could give you valuable intelligence by, say, monitoring your targets' thoughts, then I think NSA as well as intelligence agencies from China, Russia, Israel, and everywhere else would love to include these in their interdiction programs," said Lee.

But Jafari emphasized we are still decades away from developing a true brain-machine interface. "The brain is a very fantastic and interesting organ that we have in our bodies, but there is so much we don't know about the brain," he said.

The current state of brain implants, he said, reminds him of the internet back in the 1990s: "We knew how it would work… but it wasn't until the early 2000s that Amazon realized we could sell things on the internet." Jafari emphasized that researchers are still trying to figure out how to use implants effectively. "The question is, where can we use this? One of the main obstacles in my opinion," he said.

Jacked In is a series about brains and technology. Follow along here.