
Internet of Thinks: Securing the Brain Computer Interface (BCI)

From our phones to our cars to our homes, we are realising the benefits of linking more and more aspects of our lives to the internet in a safe and secure manner. But what would happen if we could connect our brain to the internet?

In our latest whitepaper, we explore this and more through the emerging phenomenon of Brain Computer Interfaces (BCIs) - technologies that provide mechanisms for monitoring and decoding activity in the brain and for sending signals to the brain through stimuli.

Although they sound like science fiction, some major technology companies are already researching, developing and commercialising BCIs.

Facebook has researched the use of BCIs to decode speech directly from the brain, while Neuralink by Elon Musk is researching how the technology could support people with spinal cord injury, restore motor and sensory functions and help treat neurological disorders.

In our paper, we outline the historical development and current status of BCIs and explore their progress to date. We also examine the potential social impact, delving into the regulatory, policy and ethical challenges that are associated with such technologies. Finally, we examine the cybersecurity and privacy challenges of BCIs by threat modelling their end-to-end lifecycles and highlighting likely areas of attack or compromise.

You can download the whitepaper here.

To give you a taster, Matt Lewis, Group Commercial Research Director at NCC Group, provides some background on BCIs, their potential use cases, and how some of those cybersecurity challenges and risks could be mitigated.

What are BCIs?

There are three main types of BCI - Non-Invasive BCIs, Partially Invasive BCIs and Invasive BCIs - which can be categorised according to their physical invasiveness upon the human body and overall proximity to the affected user’s brain:

  • Non-Invasive BCIs - Non-invasive BCIs usually take the form of sensors attached to the head, or of a helmet or exoskeleton with an array of sensors (EEG) connected to a person’s head. Such BCIs typically just read data from the brain, with limited to no direction of input or stimuli to the brain. Non-invasive BCIs are easy to wear and don’t require surgery, but they cannot effectively use higher-frequency signals because they reside outside of the brain and the skull presents some resistance, rendering reading of EEG activity less effective.
  • Partially Invasive BCIs - Partially invasive BCIs are implanted inside the skull but rest just outside of the brain rather than within the brain’s grey matter. Because partially invasive BCIs sit closer to the brain using Electrocorticography (ECoG) techniques, they produce better resolution signals than non-invasive BCIs, and their position on the brain has a lower risk of forming scar-tissue in the brain than fully invasive BCIs. Operationally, they are less risky than implanting directly into the brain.
  • Invasive BCIs - Invasive BCIs require surgery to implant electrodes underneath the scalp for communicating brain signals directly into and out of the brain. Invasive BCIs present the most accurate brain readings. However, disadvantages include intrusive surgery which carries greater risk than with less invasive BCIs. Invasive surgery could result in scar tissue forming on the brain which could lead to health-related issues such as seizures.

How could they be used?

The number of potential applications and impacts on society and industry through BCIs is extensive. A couple of examples include:

  • Medical applications, such as alleviating physical disabilities by stimulating parts of the brain concerned with motor neuron functions to restore movement in affected limbs.
  • Media, gaming and entertainment applications, such as content that is streamed directly into the brain through BCIs or enabling users to control aspects of a video game through their thoughts.

Many of these imagined applications will only be realised through advances in neuroscience and artificial intelligence or machine learning, but the significance of their potential impact on how we will live and work is obvious.

We explore more potential use cases of BCIs in our whitepaper.

What are the security and safety risks?

Putting aside the exciting aspects and opportunities of BCIs, the reality is that they involve integrating technology with our brains – technology can be insecure and vulnerable to attack, so the threat model of BCIs needs to be carefully understood, particularly within specific use-case contexts (e.g. thinking one’s password to unlock a device).

BCIs bring with them security risks to confidentiality, integrity, availability and safety, where they may offer mechanisms to adversely affect the operation of a person’s brain activity which could result in mental manipulation, long-term brain damage or loss of life. They also have the potential to impact individual privacy in ways that could dramatically alter our society and freedoms.

Some of the specific safety risks of BCIs include complications during the surgical procedure to implant them, scarring on the brain and burns through excessive heat generated from BCIs.

From a security perspective, the volume of potential threats is vast, ranging from design, supply chain and surgical impact through to removal and decommissioning.

However, once the BCI is implanted and operational in the user’s brain, some of the main security threats include:

  • Brain Control – this is where adversaries would seek to make someone think and/or do something beyond their free will, or use/steal their brain power for computational tasks (e.g. a botnet composed of multiple compromised BCIs). The level of control could be broken down into three main types:
    • Movement control – make someone perform a physical action (e.g. move their limbs) beyond their free will.
    • Emotion control – make someone experience or feel a specific emotion that is not their actual current emotional state (e.g. invoke fear or paranoia in a victim)
    • Neurological Function Blocking – blocking specific functions of the brain (e.g. a Denial of Service) or temporarily denying BCI operation such as in a Ransomware scenario (Brainsomware), where a compromised BCI, BCI NCD or application is held to ransom
  • Mind Reading – this is where attackers may seek to gain unauthorised access to someone’s thoughts or secrets (e.g. passwords), or be able to intercept or infer such information from wireless broadcasts, subliminal cues and/or adversarial AI techniques

How can these risks be mitigated?

It is vital that security considerations span the entire lifecycle of a BCI, from secure design, through secure and safe surgery and implant (where BCIs are invasive) and secure operation, to secure decommission.

Ultimately, we’d encourage that principles of security by design are implemented to mitigate potential risks, but other considerations include:

  • Supply Chain Threats - The production of hardware devices involves multiple suppliers at various stages of the production and support lifecycle, so it’s important that all BCI manufacturers follow strict process and governance around supply chains.
  • BCI Interface Security – BCIs will need to communicate data out from the brain (and possibly back into the brain by way of stimuli); so it’s important that these communications are conducted in a safe and secure way. This could involve new ways to authenticate access to BCIs and considerations around preventing jammed communications.
  • Software Escrow - Users of BCIs will likely become extremely reliant and dependent upon them, be it for health-related issues and/or overall improved cognitive function or experience. This could be problematic in cases where a BCI manufacturer and system maintainer stops operating, so it’s important that manufacturers consider the long term availability and accessibility of BCIs and take steps to provide assurance through software escrow agreements to ensure continued availability in an event such as a manufacturer or maintainer going out of business or ceasing support.

The convergence of mind, body and technology is fascinating and exciting, with potentially huge impact on humankind’s evolution and enlightenment, but it’s crucial that we approach BCIs with the same diligence as we would with any other emerging technology.

By doing so, we can continue to realise the benefits of our increasingly connected world in a safe and secure way.



Press contacts

NCC Group Press Office

Press contact: all media enquiries relating to NCC Group plc, +44 7824 412 405
