Internet of Thinks: Securing the Brain-Computer Interface (BCI)

From our phones to our cars to our homes, we are realizing the benefits of connecting more and more aspects of our lives to the internet in safe and secure ways. But what if we could connect our brains to the internet?

In our latest white paper, we explore this and more through the emerging phenomenon of brain-computer interfaces (BCIs) – technologies that provide mechanisms for monitoring and decoding activity in the brain and for sending signals to the brain through stimuli.

Although it sounds like science fiction, some big tech companies are already researching, developing, and commercializing BCIs.

Facebook has studied the use of BCIs to decode speech directly from the brain, while Elon Musk’s Neuralink is studying how the technology could help people with spinal cord injuries, restore motor and sensory functions and help treat neurological disorders.

In our article, we describe the historical development and current status of BCIs and explore their progress to date. We also provide an example of the potential social impact, looking at the regulatory, political and ethical challenges associated with these technologies. Finally, we examine the cybersecurity and privacy challenges of BCIs by modeling the threats of their end-to-end lifecycles and highlighting likely areas of attack or compromise.

You can download the white paper here.

To give you a taste, Matt Lewis, NCC Group Business Research Director, provides insight into BCIs, their potential use cases, and how some of these cybersecurity challenges and risks could be mitigated.

What are BCIs?

There are three main types of BCIs – non-invasive BCIs, partially invasive BCIs, and invasive BCIs – which can be classified based on their physical invasiveness on the human body and overall proximity to the brain of the affected user:

  • Non-invasive BCIs – Non-invasive BCIs typically use sensors attached to the head, or a head-worn helmet or exoskeleton carrying an array of sensors (EEG) connected to a person’s head. These BCIs typically only read data from the brain, with little or no input or stimuli directed to the brain. Non-invasive BCIs are easy to wear and don’t require surgery, but they can’t use high-frequency signals effectively because they reside outside the brain and the skull has some resistance, making the reading of EEG activity less effective.
  • Partially invasive BCIs – Partially invasive BCIs are implanted inside the skull but sit just outside the brain rather than in the gray matter of the brain. Because partially invasive BCIs, which use electrocorticography (ECoG) techniques, are closer to the brain, they produce better-resolution signals than non-invasive BCIs, and their position on the brain poses a lower risk of scar tissue forming in the brain than fully invasive BCIs. Operationally, they are less risky than implanting directly into the brain.
  • Invasive BCIs – Invasive BCIs require surgery to implant electrodes under the scalp to communicate brain signals directly in and out of the brain. Invasive BCIs exhibit the most accurate brain readings. However, disadvantages include intrusive surgery which carries a higher risk than with less invasive BCIs. Invasive surgery could cause scar tissue to form on the brain, which could lead to health problems such as seizures.

How could they be used?

The number of potential applications of BCIs, and their societal and industrial impacts, is enormous. Here are some examples:

  • Medical applications, such as alleviating physical disabilities by stimulating parts of the brain involved in motor neuron functions to restore movement to affected limbs.

  • Multimedia, gaming, and entertainment applications, such as streaming content directly to the brain via BCIs or allowing users to control aspects of a video game through their thoughts.

Many of these imagined applications will only be realized through advances in neuroscience and artificial intelligence or machine learning, but the magnitude of their potential impact on the way we live and work is obvious.

We explore other potential use cases for BCIs in our white paper.

What are the security and safety risks?

Aside from the exciting aspects and opportunities of BCIs, the reality is that they involve the integration of technology into our brains – technology can be insecure and vulnerable to attack, so the threat model of BCIs must be carefully understood, especially in specific use case contexts (e.g. thinking about one’s password to unlock a device).

BCIs carry security risks for confidentiality, integrity, availability and security, where they can offer mechanisms that can negatively affect the functioning of a person’s brain activity, which could lead to manipulation, mental illness, long-term brain damage or death. They also have the potential to impact the privacy of individuals in ways that could dramatically alter our society and our freedoms.

Some of the specific safety risks of BCIs include complications during the surgical procedure to implant them, scarring on the brain, and burns from excessive heat generated by BCIs.

From a security perspective, the volume of potential threats is vast, ranging from design, supply chain and surgical impact to removal and dismantling.

However, once the BCI is implanted and operational in the user’s brain, some of the major security threats include:

  • Brain control – this is where adversaries would seek to make someone think and/or do something beyond their free will, or use/steal their brain power for computational tasks (e.g., a botnet composed of several compromised BCIs). The level of control can be broken down into three main types:

    • Motion control – forcing someone to perform a physical action (e.g. moving their limbs) beyond their free will.
    • Emotion control – making someone experience or feel a specific emotion that is not their actual current emotional state (e.g. invoking fear or paranoia in a victim).
    • Blocking of neurological function – blocking of specific functions of the brain (e.g. denial of service) or temporary denial of BCI operation, such as in a ransomware (Brainsomware) scenario, where a compromised BCI, BCI NCD or application is held for ransom.

  • Mind reading – this is where attackers may seek to gain unauthorized access to someone’s thoughts or secrets (e.g. passwords), or be able to intercept or deduce this information from wireless broadcasts, subliminal cues and/or adversarial AI techniques

How can these risks be mitigated?

It is essential that safety considerations cover the entire life cycle of a BCI, from safe design, through safe and secure surgery and implantation (where BCIs are invasive) and safe operation, to safe dismantling.

Ultimately, we encourage implementing security-by-design principles to mitigate potential risks, but other considerations include:

  • Supply Chain Threats – The production of hardware devices involves multiple vendors at different stages of the production and support lifecycle, so it is important that all BCI manufacturers follow a strict process and governance around supply chains.
  • Security of BCI interfaces – BCIs will have to communicate data from the brain (and possibly send it back to the brain through stimuli); it is therefore important that these communications take place in a safe and secure manner. This could involve new ways to authenticate access to BCIs and considerations for preventing blocked communications.
  • Software Escrow – BCI users will likely become extremely dependent on them, whether for health issues and/or overall improved cognitive function or experience. This could be problematic in cases where a BCI manufacturer or system maintainer goes out of business, so it is important that manufacturers consider the long-term availability and accessibility of BCIs and take steps to provide insurance through software escrow agreements to ensure continued availability in the event of a manufacturer or maintainer going bankrupt or ceasing support.

The convergence of mind, body and technology is fascinating and exciting, with potentially enormous impact on the evolution and enlightenment of humanity, but it is crucial that we approach BCIs with the same diligence as we would with any other emerging technology.

By doing so, we can continue to enjoy the benefits of our increasingly connected world in a safe and secure way.