SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Story image

Three unsafe technologies that could 'hack our bodies'

Thu, 12th Oct 2023
FYI, this story is more than a year old

Can our bodies be hacked? The answer may be yes, in that anyone can implant a chip under the skin and these devices do not usually use secure technologies. 

However, despite more than a decade of talk about biohacking, implantable technologies are still quite primitive, so a possible cyberattack against them should not result in major consequences. This is different in the case of implantable medical devices, the breach of which can seriously damage a patient's health. 

Aaccording to Entelgy Innotec Security, the futuristic era of men turned into cyborgs capable of killing each other by infecting each other with malware seems not to have arrived yet.

Pablo Martnez, a hacker in the Red Team department at Entelgy Innotec Security, says that while more than a decade has passed since we started reading and hearing information about chips that are injected under the skin to pay without money, sensors that are implanted in the body to 'hear' colours or to feel the vibrations of earthquakes in the earth, and even small technological devices that are somehow attached to the body (internally or externally) and are useful from a medical point of view. Many others before us asked the same question: could they hack into our bodies or minds?

"At a time when security in the digital realm - and also in the physical realm - has become the greatest responsibility for users and organisations, we analyse the degree of implementation of the well-known biohacking (a technique that consists of 'hacking' our body at will, inserting various technologies into it or using them externally with the intention of improving it) and to what extent we should fear that cybercriminals will breach our bodies," Martnez says. 

"Since biohacking could be considered hacking in itself, what we analyse in the present article is whether someone with malicious intent could use this willingness to self-hack to 'cyberattack' our bodies," he says.

"We should not panic, biohacking does not seem as advanced as we think. There are studies, experimental situations, but what we know so far is quite primitive and does not leave many possibilities for a cybercriminal to hack our body with a malicious purpose. At the moment we don't carry our smartphone inside our head and they can't put a virus inside us."

More unsafe implantable technologies

"Our cell phone is possibly even more vulnerable today than an experimental chip injected under the skin, since this chip, although susceptible to hacking, has a very limited function, while the cell phone is exposed to countless threats," Martnez says.

"Most implantable technologies, with the exception of medical ones, consist of a small device that is inserted into a capsule that your body does not reject at first and injected into the skin. Are they insecure? Very. Could they be hacked? Yes. Could we understand that, by wearing a chip under the skin of our hand, it could be hacked? Yes. 

"However, Fall prefers to differentiate. "What can be hacked is the technology, not the body itself. A vulnerable device can be hacked both outside and inside the body. What we need to pay attention to is the security of the technology we are trying to implant," he says.

In the spectrum of implantable technology, which is the most insecure and, therefore, hackable? Entelgy Innotec Security analyses the most popular ones:

RFID (Radio Frequency Identification) technology is possibly the most widespread technology. It allows several devices to identify and contact each other by emitting and reading radio waves. These are low-frequency technologies. 

"This makes it possible for an attacker to 'read' the information on a chip that works with RFID, being able to make a clone in another chip that he has or in an RFID emulator," says Martnez. 

Other examples include chips used to identify pets or to open doors. The latter can be worn inside the hand or externally. 

"I haven't seen them open the door of a house, but I have seen them in corporate access controls and gates. A secure chip needs a reader that is also secure, and that can be very expensive. Many entities with large deployments are not interested in investing in this, so they set up cheap and very insecure access controls."

NFC (Short Range Communication) wireless communications are generally more secure than the previous case, but are also generally insecure. It is a branch of RFID technology, but the components operate and communicate at a greater distance than in the case of NFC. Some people are already using this technology, for example, to exchange their 'contact card', to buy food from vending machines or to clock in at work. Credit cards issued by banks in Spain, however, also work with high-frequency NFC and are considered secure devices.

Implantable medical devices: there are other implantable devices, usually mandatory for certain people, for medical purposes and whose safety is necessary. Among them, pacemakers have always been in the spotlight.

"Especially the old ones, of which there is a record of vulnerabilities. Years ago they used the dark security method. That is, the pacemaker worked on a frequency that no one knew about and was therefore not easy to hack," says Martnez. 

"Over time, this security was no longer effective. As soon as these devices were sold on online sites, we learned how they worked. In addition, once deployed, these devices must be configured wirelessly." 

In recent years, vulnerabilities have also been detected in implantable cardiac defibrillators (which correct and monitor abnormal rhythms). These security flaws allowed the small devices to be taken over.

Although the aim of cybercriminals is rarely to affect a patient's health directly, this can be a consequence of some of their actions, especially cyber-attacks on hospitals. According to the recent report 'Good practices for the security of healthcare services', by the European Union Agency for Cybersecurity (ENISA), "implantable medical devices in patients, such as holters, insulin pumps, pacemakers, gastric and brain stimulators; and even wearables such as glucose meters, among others, are electronically connected to hospitals' digital systems.

Any cyberattack against a hospital's digital systems will lead to an attack on the security of all medical devices connected to its network, both physically and digitally. Also to devices implanted in patients. 

"Today much of the medical software is out of support and many of the systems in use are outdated and deeply implanted. There is a great risk in exposing the machinery and tools of a hospital to all the threats of the digital environment," says Alejandro Villar, Global Director of OT Cybersecurity at Entelgy Innotec Security.

Martnez adds that anything related to wireless communications, radio frequency, wifi or bluetooth "looks bad." 

"The security risks increase exponentially when you communicate wirelessly, a spectrum where anyone can tap into that communication. In addition, implanting an RFID or NFC chip in your skin, when there is a counterpart to perform the same function externally, is unnecessary," he says.

"Despite these examples, although technology enthusiasts love to dream of a world where cyborgs share the stage with humans, and where technology is assumed within the body and mind as a fully integrated entity, it seems that the future everyone hopes for has not yet arrived. Perhaps by the time it does, both users and organisations will be better prepared to face the dangers ahead and cling to cybersecurity like a life preserver."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X