News + Trends
When will humans become cyborgs?
by Kevin Hofer
Hacking cyborgs: security gaps in cybernetic implants
25.6.2018
Translation: machine translated
Pacemakers, insulin pumps and even implanted NFC chips are not safe from attacks by third parties. This exposes their wearers to constant danger. Where are the biggest weak points?
At 6.38 a.m. on the dot, Linus is at Siselen-Finsterhennen station. He stands here five times a week to travel to work - without interruption for 35 years. Even when he was ill, he always went to work. No, that's not quite true. Last year, Linus, 58, had to have a pacemaker transplant. That's why he stayed away from work for a change.
With the obligatory three-minute delay, Linus arrives in Biel at 7.14 am. Like every morning, there is a big crowd at the station. Suddenly he feels a shock, collapses and never gets up again. As the post-mortem will later show, the pacemaker is the cause of death. It had been hacked and triggered an electric shock that stopped Linus' heart.
This fictitious and admittedly extreme example shows how dangerous unsecured cybernetic implants can be. They are effectively life-threatening. It is astonishing how little has been done about this so far. There are regular reports of pacemaker safety gaps.
The fact that pacemakers can be hacked became known to a wider audience in 2012. Hacker Jack Barnaby showed how he could easily manipulate a pacemaker from a distance of around 15 metres to deliver an 830-volt shock. A scenario like Linus' is very much conceivable.
The manufacturers of pacemakers do not yet seem to be as advanced in terms of safety as they are in terms of medical development. Fortunately, however, no case like Linus' has yet been publicised. However, as cyborgisation progresses, safety should become more of a focus for manufacturers.
Cyborgs: vulnerable subjects
Cyborgs are on the rise. Whether out of medical necessity or the pursuit of perfection, we humans want to improve our bodies. And as quickly as possible. So why wait for evolution when technology can do it faster? Or as James Scott from the Institute for Critical Infrastructure Technology puts it:
«The human condition is plagued by a labyrinth of shortcomings, frailties and limitations that hinder man from reaching his fullest potential. Therefore, it only makes sense that we find ourselves at the next phase in human evolution where restricted man merges with the infinite possibilities of hyper-evolving technologies.»
Scott believes that by 2025, cyborg technology will be more advanced than in Ghost in the Shell. In his essay "Hacking Cyborgs : By 2025, Non-Augmented Humans Will Be Obsolete. but There's Bad News..." he describes security concerns regarding cyborg technologies. In the following I refer to Scott's paper.
Security-exempt technologies
Cyborg technologies are commonplace today. They may not always get under your skin, as you might imagine from science fiction films. But with smartphones and wearables, we already have the relevant technologies today. It's only a matter of time before they get under your skin.
When will humans become cyborgs? I deal with this topic in the text below.
Biohackers, transhumanists or even cyborgs who transplant technologies into themselves are a reality today. They are convinced that the connection between man and machine is the next evolutionary step. Some of these technologies, such as the pacemaker mentioned at the beginning, are medically necessary. Others, such as NFC chips, are not. Security concerns do not usually play a role in either case. The belief in progress and the pursuit of convenience are stronger.
Implanted devices consist of sensors, processors, transmitters/receivers and memory. Not all technologies have all of these components. Magnets, for example, are a popular implant and do not have a processor. Implants are often developed on a limited budget and need to be small for transplantation. In order for end users to be able to afford the devices, they are usually so slimmed down that they cannot offer any encryption at all.
Cryptographic algorithms were not developed for devices as small as implants. The lifespan of a pacemaker could be reduced from almost ten years to just a few months by incorporating encryption. In addition, the devices would have to be built larger, which would make implantation more difficult.
Simplicity before security
In addition to these hardware limitations, the human factor also plays a role. It starts with the fact that technology has to be convenient above all else. Nobody wants to deal with tedious processes. Security can be a tedious process. Who wants to log into their pacemaker if it's not working properly and needs to be done quickly?
Convenience also includes ease of transfer. Implanted devices have to communicate with the outside world somehow. This usually works with Bluetooth, NFC or Wi-Fi. This makes access easy, but the connections are rarely secure.
Modern pacemakers often have Bluetooth; they are IoT devices that can be accessed locally or remotely. The Bluetooth standard is ideal for implanted technologies because it is technically simple and consumes little power when connected. However, both Bluetooth and pacemakers were developed without security in mind. Bluetooth is not a secure transmission protocol. It was developed in the 1990s for office use. The idea behind it: Devices should be connected quickly and easily without cables. However, pacemakers are not the only medical implants with security vulnerabilities.
Insulin pumps can be manipulated to deliver a lethal dose. Thanks to wireless transmission from a distance, without those affected noticing. Safety concerns should be even greater with neuroprostheses. These could be implants that communicate directly from brain to brain. The medium of speech would then be superfluous. A dream of the future, that much is clear, but increased caution is still required here.
Neuronal implants as described are not yet available for the mass market. Their development is still in its infancy. This makes it all the more important that safety concerns play a role in their development. After all, we don't like it when someone uninvited eavesdrops on our conversations. This would probably be much more extreme in an intimate brain-to-brain discussion.
But it's not just medically necessary implants that are vulnerable.
NFC vulnerability
An NFC chip is a simple implant that is not medically necessary. As well as being used in the private sector, they are also used in the professional sector. Employees can use them to make payments or log in to IT devices, for example. However, the latter in particular is a major security risk. If someone obtains the data on the chips, they can instrumentalise it for their own purposes. What's more, companies can use it to track the behaviour of their employees.
As NFC chips are relatively easy to implant, they have been very popular with biohackers in recent years. This is likely to remain the case for a while yet. NFC is a type of RFID. In contrast to other RFID devices, NFC operates at a fixed 13.56 MHz. With NFC, the transmission distance is shorter and is between four and ten centimetres.
RFID devices are passive and have no power supply; they are only activated when a reader is nearby. NFC can send data, but not receive it. At present, the chips cannot yet store very large amounts of data. However, as there is great interest in the technology, this will change in the future.
NFC chips can be found in all kinds of devices today. These range from mobile phones to debit cards with an integrated chip. Data is sometimes exchanged by encrypting a specially designed processor. However, many chips that are implanted have no such encryption. Although data can only be transmitted over a short distance, there are also known cases of successful transmissions over a distance of around three quarters of a metre.
NFC implants are not secure. Unlike the chips in mobile phones, they cannot simply be switched off. Potential attackers could exploit the implants by transferring malware to readers.
Cyborgisation cannot be stopped, but we decide in what form we want it
As the examples above show, cyborg technologies have adopted standards that are not secure. The biggest risks lurk in transmission. This is due to convenience on the one hand and the limited possibilities due to the size of the implants on the other. Theoretically, all cybernetic implants are vulnerable. In the case of medical implants, the wearer's life and limb may be at risk. Data protection, on the other hand, plays a greater role for implants that are not medically necessary.
According to Scott, the civil rights and privacy of implant manufacturers need to be reconsidered. In the next ten years, cybernetic implants will revolutionise our world. "Security by design" - i.e. making sure that hardware and software are as free of vulnerabilities as possible from the outset - is an absolute must. Otherwise, potential human evolution through technology would be jeopardised.
Kevin Hofer
Senior Editor
kevin.hofer@digitecgalaxus.chFrom big data to big brother, Cyborgs to Sci-Fi. All aspects of technology and society fascinate me.
Smartphone
Follow topics and stay updated on your areas of interest
Computing
Follow topics and stay updated on your areas of interest
2 comments
later