Security Watch: Elon Musk’s NeuraLink Links Brains to iPhones via Bluetooth | Threatpost

Technologist Elon Musk has unveiled a plan for embedding Bluetooth-enabled implants into the human brain, to enable disabled persons to regain motor and cognitive function. IT experts, however, noted that along with FDA approval, the idea faces hurdles in the form of significant scrutiny on the cybersecurity front.

Neuralink devices are tiny chips that would be interconnected with the brain’s organic neural network via 1,000 wispy wires measuring one-tenth the width of a human hair. They would be implanted by a DARPA-developed “sewing robot,” which, while the patient is under local anesthesia, would drill a 2-millimeter hole (the old-fashioned way or via laser) into the skull. The chip itself would plug the hole after implantation.

“The interface to the chip is wireless, so you have no wires poking out of your head. That’s very important,” Musk, the CEO of Tesla and SpaceX, explained at a launch event for the company on Tuesday. He added that he expects the procedure to be about as invasive as LASIK is for vision correction — and as pervasively available to the masses.

While brain-computer interfaces have been a reality since 2006 (when Matthew Nagle used one to play Pong, essentially with his mind), Musk’s vision differs in a few critical ways. For one, the implants would connect to a smartphone app. For another, AI would be a big part of the secret sauce.

The idea is that stroke victims, cancer patients, paralyzed persons and others would be able to reap the benefits of a direct neuronal connection linking a patient’s brain to, say, an iPhone — enabling the patient to control it without having to tap, speak, type or swipe.

AI meanwhile would fulfill a bridging role in human thought patterns for those who need a boost. With no middle man between thought and device (such as the requirement to form words and actual speech), it’s possible in theory to overcome some of the deep cognitive issues arising from physical trauma or disease. For instance, stroke victims who can visualize what they want to say, but can’t verbalize it, could rely on the AI to fill the gaps by translating the thoughts into words on the phone.

The goal is “to ultimately…achieve a symbiosis with artificial intelligence,” said Musk, who has often been an outspoken critic of artificial intelligence. “We can effectively have the option of merging with AI.”

Basically, human consciousness becomes a thing that’s simply housed within a body and yet divorced from it. “We are a brain in a vat, and that vat is our skull,” Musk added.

Medical trials for Neuralink could start before the end of 2020, but security experts told Threatpost that there’s plenty to consider when it comes to the security of Musk’s high-flying futurist idea.

David Starobinski, researcher at Boston University, told Threatpost that the decision to use Bluetooth could present an opportunity for a raft of attack scenarios, thanks to known threat vectors.

“For example, potential network-level attacks that could target Neuralink include classical ones in wireless, i.e. spoofing, sniffing, tracking and jamming of the data,” he said. “Spoofing can be taken care of with proper authentication – although Bluetooth has been affected with bugs for years. Sniffing can be prevented through proper encryption and use of Bluetooth data channels (rather than plaintext advertising channels). Still, side-channel and/or traffic analysis (i.e., looking at the specific patterns of packet transmissions) may allow adversaries to extract information.”

Preventing tracking attacks requires proper MAC address randomization and a lack of identifying tokens, as Threatpost recently reported. Jamming attacks, meanwhile, are very difficult to prevent, he said, adding, “at least they should be detectable – and proper redundancy and fall-back mechanisms should be in place to recover from them.”
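
The two conditions named above, address randomization and the absence of identifying tokens, can be checked against a capture of a device's own Bluetooth Low Energy advertisements. The following is an added example, not code from the article or from Neuralink; the capture is constructed, the helpers address_kind, ad_structures and audit are hypothetical names, and only manufacturer-specific data (AD type 0xFF) is treated as a candidate token.

```python
from collections import defaultdict

# Constructed sample capture: (seconds, advertiser address, TxAdd bit, AD payload hex).
# TxAdd=1 marks a random address, 0 a public one. Company ID 0xFFFF is the test value.
CAPTURE = [
    (0,   "5A:11:22:33:44:55", 1, "02010607ffffffa1b2c3d4"),
    (900, "6B:9F:01:02:03:04", 1, "02010607ffffffa1b2c3d4"),  # new address, same payload
    (0,   "C4:AA:BB:CC:DD:EE", 1, "02010603030f18"),
    (900, "C4:AA:BB:CC:DD:EE", 1, "02010603030f18"),          # static random address
    (0,   "00:00:5E:00:53:01", 0, "020106"),                  # public address
    (0,   "7D:10:20:30:40:50", 1, "02010607ffffff0badf00d"),
    (900, "4E:99:88:77:66:55", 1, "02010607ffffff5eedc0de"),  # address and payload rotate
]

def address_kind(addr, txadd):
    """Classify a BLE device address from TxAdd and its two most significant bits."""
    if txadd == 0:
        return "public"
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static-random", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def ad_structures(payload_hex):
    """Yield (type, data) for each length-type-value AD structure in the payload."""
    raw, i = bytes.fromhex(payload_hex), 0
    while i < len(raw) and raw[i] != 0:
        length = raw[i]
        if i + 1 + length > len(raw):
            break  # truncated structure: stop rather than read past the end
        yield raw[i + 1], raw[i + 2:i + 1 + length]
        i += 1 + length

def audit(capture):
    """Report address types that do not rotate and tokens that outlive rotation."""
    fixed, token_addrs = set(), defaultdict(set)
    for _, addr, txadd, payload in capture:
        kind = address_kind(addr, txadd)
        if kind in ("public", "static-random"):
            fixed.add((addr, kind))
        for ad_type, data in ad_structures(payload):
            if ad_type == 0xFF:  # manufacturer-specific data, the only token checked here
                token_addrs[data.hex()].add(addr)
    linked = {t: sorted(a) for t, a in token_addrs.items() if len(a) > 1}
    return {"fixed_address": sorted(fixed), "linked_by_token": linked}

if __name__ == "__main__":
    print(audit(CAPTURE))
```

A device passes this audit only when it appears in neither list: a private address that rotates is of little use if the advertised payload stays constant across rotations.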

Data security and privacy are of course also top-of-mind.

I saw the announcement yesterday that the neurolink will be hooked via Bluetooth to your phone.

— Dave Kennedy (ReL1K) (@HackingDave) July 18, 2019

“When developing such a device one should consider many risks, that lie not only in a medical paradigm, but also in cybersecurity,” Dmitry Galov, security researcher for Kaspersky, told Threatpost. “It is hard to analyze and rate the safety of a device without having a physical copy of it, but past experiences of researchers that have created similar equipment show that one should pay attention to the way that data is being kept and transferred, especially since Bluetooth is going to be used. For instance, make sure that proper encryption is used and that security updates for the device’s system are downloaded regularly.”

Joseph Carson, chief security scientist at Thycotic, said that the privacy stakes are obviously higher with a device that can read someone’s thoughts.

“Brain-computer interfaces is something that has been going on for years, such as helping victims who experienced serious accidents regain speech or even walk again,” he told Threatpost. “What is new with Elon Musk’s plan with NeuraLink is making it automated, available for everyone and including added common interfaces that have been more prone to being hacked. The big question is what data will be collected and will it be able to modify human behavior. This is a major concern for both security and privacy. Biohacking is not new, however, it is getting much more serious now.”

These are but a few of the issues, of course: challenges in updating or patching vulnerabilities, controlling the AI algorithm, rogue NeuraLink apps, the potential for remote code execution over a compromised wireless connection and more also leap to mind.

One way to curb some of the dangers would be to apply the principle of device segregation, Galov said, even though Musk mentioned NeuraLink being available “in the App Store.”

“The fact that a very important piece of medical equipment is going to be controlled from a smartphone – the device that we actively use for daily needs, such as phone calls or internet surfing – might seem a bit controversial,” he told Threatpost. “Nowadays many medical organizations use stand-alone programmers and smartphones if they need to synchronize them with medical devices, and do not perform any other activity there.”
