Brainjacking, the movie in the making: Cybersecurity for BCIs

Brain Computer Interfaces (BCIs) have attracted a great deal of attention from researchers. From being little more than a product that could record an electroencephalogram (EEG), BCIs are now used for many purposes, including the treatment of motor impairments, neurorehabilitation and severe nerve-related conditions. A BCI extends the human brain's ability to interact with its environment. Recent advances in machine learning techniques and algorithms have increased interest in EEG-based BCI applications: an EEG-based BCI can continuously monitor fluctuations in a person's cognitive state during monotonous tasks, which is valuable both for people in need of medical care and for researchers in many fields. As these technologies help people, the security and privacy concerns that come with them should be addressed at the earliest opportunity.

We are entering the era of neurotechnology and brain-computer interfaces, a technology that connects people's brains directly to mobile phones and computers. But is this technology really safe from cyber attacks? What measures should manufacturers, users and governments take to deal with this new security scenario? Some consulting companies predict that consumers will adopt this type of consumer BCI, with sales expected to double between 2025 and 2030. Over time, touch-screen technology is expected to give way to non-contact interfaces such as BCI, virtual reality, augmented reality and mixed reality.


With rapid digital advances come numerous challenges to ensuring the CIA triad (confidentiality, integrity and availability) of the information these devices handle, and they must be addressed before such technologies can be used safely. Large companies such as Tesla, Nissan and even Facebook are moving towards brain communication as a way to control various devices. Nissan has already designed what it describes as the world's first system for real-time detection and analysis of brain activity relating to driving. It picks up activity that precedes intentional movement (e.g. steering), known as movement-related cortical potential (MRCP), and activity that reveals a mismatch between what the driver expects and what they are experiencing (e.g. the car moving too fast for comfort), known as error-related potentials (ErrP). This brainwave activity is measured with a skullcap worn by the driver, then analysed and interpreted for immediate use by the onboard autonomous systems. Biometric factors such as fingerprints, iris patterns and facial features add a further layer of security, but recent studies have shown that most of these methods can be spoofed. Cybersecurity for BCIs is therefore paramount: the information transferred to and from the devices must be secured and safeguarded.

In short, we are talking about access to very sensitive personal information, such as genuine feelings and motivations, and even possible diseases. In some cases this is information the user does not even know about themselves, and it can be processed to train algorithms that detect the likelihood of certain sensations or the development of disease. In the wrong hands, such personal data can be monetised by third parties without the user's knowledge. The Apple Watch with ECG is already drawing this kind of attention: some insurance companies are willing to adjust premiums based on access to its readings. Data brokers, or data sellers, collect personally identifiable information about individuals, often without their knowledge or consent, build detailed consumer profiles from it, and sell them to third parties; data stolen in breaches feeds the same market.

Consumer profiles can already contain customer history (credit cards, tastes, needs and more). This information helps determine what can be sold to the customer, the risks of providing a particular product to them, and much else. Some of the potential impacts of the technology are summarised below:

Scenario | Impact
Headband's firmware | Theft of data for extortion or sale to third parties. Here this means EEG data or device-associated data.
Communication between the EEG headband and the close control device (the BLE-paired device) | Manipulation of the actions the application carries out to fulfil its purpose.
Close control device | The feedback could be altered with specific visual stimuli to obtain brain reactions and evoked responses (which the user cannot suppress) to those stimuli, thereby revealing the user's emotions and motivations towards those stimuli.
Attack on the remote control device (the servers) | Data arriving at the servers would be altered, affecting, for example, the entire monitoring carried out by medical doctors.
Source : Reference

These attacks open up a completely different horizon for exploiting vulnerabilities in such technology, so certain security practices need to be in place. These include: encrypting the firmware and verifying its authenticity through a hash or signature before it is applied; encrypting the EEG data transmitted over BLE so that it cannot be read or silently altered in transit; and two-factor authentication (fingerprint, PIN, NFC) for pairing, so that only an authorised control device can connect to the EEG headband over the BLE protocol.
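The firmware and BLE measures above, as an added worked example that is not part of the original article and is not the code of any product mentioned in it. It runs on the Python standard library, so two stand-ins are assumed: HMAC-SHA256 plays the role of the vendor's firmware signature (a real device would verify an asymmetric signature such as Ed25519, so that the verification key it holds cannot forge images), and an HMAC-SHA256 keystream in counter mode plus an HMAC tag plays the role of an AEAD cipher such as AES-GCM. The manifest and frame layouts, key names, the version rollback check and the replay counter are all assumptions added for illustration; the sample firmware bytes and EEG samples are constructed.

```python
"""Constructed example (not the article's or any vendor's code). Stand-ins so it
runs on the standard library alone: HMAC-SHA256 in place of a vendor signature,
and an HMAC-SHA256 counter-mode keystream plus HMAC tag in place of an AEAD
cipher such as AES-GCM. The structure (verify before flashing, encrypt-then-MAC,
a nonce that never repeats, constant-time tag check, replay rejection) is the point.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional

# 1. Firmware authenticity: manifest = version || SHA-256(image) || tag, checked before flashing

def build_manifest(fw_key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: authenticate the image digest together with its version number."""
    body = struct.pack(">I", version) + hashlib.sha256(image).digest()
    return body + hmac.new(fw_key, body, hashlib.sha256).digest()

def verify_firmware(fw_key: bytes, installed_version: int, manifest: bytes, image: bytes) -> bool:
    """Device side: reject forged manifests, altered images and version rollbacks."""
    if len(manifest) != 4 + 32 + 32:
        return False
    body, tag = manifest[:36], manifest[36:]
    if not hmac.compare_digest(tag, hmac.new(fw_key, body, hashlib.sha256).digest()):
        return False                                   # manifest forged or altered
    (version,) = struct.unpack(">I", body[:4])
    if version <= installed_version:                   # downgrade to an older build (assumed anti-rollback rule)
        return False
    return hmac.compare_digest(body[4:], hashlib.sha256(image).digest())  # image must match manifest

# 2. EEG frames over BLE: frame = counter || ciphertext || tag (encrypt-then-MAC)

def _keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    """PRF in counter mode: one 32-byte block per HMAC(key, frame counter || block index)."""
    blocks = (hmac.new(enc_key, struct.pack(">II", counter, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal_frame(enc_key: bytes, mac_key: bytes, counter: int, samples: List[int]) -> bytes:
    """Headband side. Samples are int16; the monotonically increasing frame counter is the nonce."""
    header = struct.pack(">I", counter)
    plaintext = struct.pack(">%dh" % len(samples), *samples)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, counter, len(plaintext))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + tag

class FrameReceiver:
    """Control-device side: check the tag first, then the counter, and only then decrypt."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.last_counter = enc_key, mac_key, -1

    def open_frame(self, frame: bytes) -> Optional[List[int]]:
        if len(frame) < 4 + 16 or (len(frame) - 20) % 2:
            return None                                # malformed frame
        header, ciphertext, tag = frame[:4], frame[4:-16], frame[-16:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):     # bit-flipped samples or a forged frame
            return None
        (counter,) = struct.unpack(">I", header)
        if counter <= self.last_counter:               # replayed or reordered frame
            return None
        self.last_counter = counter
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(self.enc_key, counter, len(ciphertext))))
        return list(struct.unpack(">%dh" % (len(plaintext) // 2), plaintext))

def demo() -> dict:
    """A genuine update and frame, then the attacks from the table: tampered image,
    rollback, a bit flip in transit and a replay. Keys are random (provisioned at pairing)."""
    fw_key, enc_key, mac_key = os.urandom(32), os.urandom(32), os.urandom(32)
    image = b"\x7fELF" + b"constructed placeholder firmware bytes, v2"
    manifest = build_manifest(fw_key, 2, image)
    rx = FrameReceiver(enc_key, mac_key)
    frame = seal_frame(enc_key, mac_key, 1, [12, -7, 300, 0])      # constructed EEG samples
    samples = rx.open_frame(frame)
    flipped = bytearray(frame)
    flipped[6] ^= 0x01                                 # flip one bit of a ciphertext byte
    return {
        "genuine_update": verify_firmware(fw_key, 1, manifest, image),
        "tampered_update": verify_firmware(fw_key, 1, manifest, image[:-1] + b"!"),
        "rollback_update": verify_firmware(fw_key, 2, manifest, image),
        "samples": samples,
        "bit_flip_rejected": rx.open_frame(bytes(flipped)) is None,
        "replay_rejected": rx.open_frame(frame) is None,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print("%-18s %s" % (check, result))
```

Two design points carry over to a real headband: the tag is checked before anything else is done with the frame, so a manipulated sample never reaches the application, and the counter is both the nonce and the replay guard, so it must survive reboots or be renegotiated at each pairing. Swapping the stand-ins for a real signature scheme and AEAD changes the primitives, not this structure.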

The concept of security by design is very important: all of these measures should be considered during the product design phase, and involving neuroscientists complements the engineer's view. The Internet of Things (IoT) security guidelines published by the Open Web Application Security Project (OWASP) are an effective starting point. Applying these measures where they conflict with functionality and usability calls for delicate trade-offs. Cybersecurity must be continually reinvented to remain effective, taking in the biological, human and social dimensions that move with the technology, so that emerging threats and new problems can be perceived and predicted.

Article by Kaushik Sundararajan

I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of certain ideas from a different perspective.

Published by The Art of Cyber-Space

