Cybersecurity
Brainjacking
In one line
Unauthorized remote control of an implanted neurostimulator (e.g., DBS) to alter stimulation parameters and harm a patient.
Definition
Brainjacking is the term coined by Oxford researchers Pugh, Pycroft, Maslen, Aziz, and Savulescu (2017) for the malicious, unauthorized control of implanted neurostimulation devices - most notably deep brain stimulators (DBS) used to treat Parkinson's disease, essential tremor, dystonia, depression, and OCD. Modern DBS systems are programmed wirelessly through a clinician programmer or, increasingly, a patient remote and a smartphone app communicating over Bluetooth or proprietary RF. An attacker who can reach those programming interfaces could alter stimulation amplitude, frequency, pulse width, or contact configuration, or simply switch the device off. Documented research-level attacks against neurostimulator programming protocols (Marin et al., 2016; Halperin et al., 2008 on ICDs as a precedent) show that the underlying class of attack - eavesdropping and command injection on poorly authenticated implant telemetry - is well within reach of motivated adversaries. Because the targeted organ is the brain, the harm potential ranges from subtle behavioral and motor effects to seizures, severe pain, or cognitive change.
Why it matters
In practice, brainjacking risk is mitigated by treating the implant-to-programmer link as untrusted by default: mutual authentication using device-unique keys provisioned at manufacture, encrypted sessions, replay protection, bounded parameter ranges enforced in firmware, and clinician-confirmed parameter changes with audible/visible feedback. Patient remotes and companion apps should hold no fleet-wide secrets and should mediate, not replace, clinician authority over therapy boundaries.
Common pitfalls
- •Relying on the obscurity of a proprietary RF protocol instead of cryptographic authentication.
- •Allowing the patient remote or companion app to set stimulation parameters outside clinician-defined safe ranges.
- •Leaving the inductive or Bluetooth programming interface open whenever the device is in range, rather than requiring an explicit clinician-initiated session.
- •Treating brainjacking as a purely theoretical risk and omitting it from the device threat model.
Sources
- Pugh et al., 'Brainjacking in deep brain stimulation and autonomy' (Ethics and Information Technology, 2018) · Springer
- Pycroft et al., 'Brainjacking: Implant Security Issues in Invasive Neuromodulation' (World Neurosurgery, 2016) · World Neurosurgery
- Marin et al., 'On the (in)security of the latest generation implantable cardiac defibrillators' (ACSAC 2016) · ACM
- ICSMA-19-080-01 Medtronic Conexus Telemetry Protocol · CISA
- FDA Cybersecurity Guidance (Sept 2023) · FDA