Brain-Computer Interfaces: A New Frontier for Hackers 

Guest author Jason Pittman, Sc.D., is a collegiate faculty member at UMGC where he teaches in the School of Cybersecurity and Information Technology. 

The potential of Brain-Computer Interfaces (BCIs) is enormous, from helping people with disabilities to improving work and personal performance, but so, too, are the untold cybersecurity risks.

The idea of using our brains to control a computer may seem far-fetched, even in science fiction. Yet, brain-computer interfaces (BCIs) are already commercially available. We can use a BCI to float a ball in mock Jedi fashion, enable the physically disabled to enter data into a computer, and academically plumb the mysteries of human-computer interaction. Indeed, companies such as OpenBCI and Emotiv offer research-grade equipment. Manufacturers including Mattel and NeuroSky sell toy BCIs.

The good news is these devices benefit millions of people today. The bad news is that BCIs provide three new frontiers for hackers.  

First, a little background about BCI technology. BCI technology is either invasive or noninvasive. Invasive BCIs measure neural activity from within the brain through some form of implant. While such methods are medically intrusive, the fidelity of recording is high since the sensors connect into neural clusters and can measure single-neuron activity. Noninvasive BCIs gauge neural activity using sensors placed on the scalp. Signal recording in noninvasive BCIs is broad because sensors can only measure clustered neural activity. Currently, all commercial BCIs are noninvasive except for some medical implementations, such as cochlear implants. 

The promise of BCIs is impressive, but the technology carries attack opportunities for hackers. It is important to understand the cybersecurity of BCIs if we are to proactively prevent threats to this new frontier of innovation. We need to be ahead of the hackers willing to use it for nefarious outcomes.

Malicious software. Malicious software (viruses, worms, and Trojans) has existed since the dawn of the internet. This software has one purpose: to cause harm and mayhem. Modern malicious software, or malware, leads to more than $20 billion in damages every year. On one hand, the concept of malicious software infecting a wired-up brain is scary. On the other hand, the concept of ransomware, or malicious software that uses encryption to lock the brain, is downright terrifying.

Integrity. Our data and their transmission are the primary drivers of modern computing. With BCI, our thoughts become part of the operating landscape. As such, BCI data are subject to the same at-rest and in-transit problems as regular data. Just as normal data can be intentionally corrupted to damage its integrity, hackers will be able to corrupt or otherwise alter thoughts-as-data.

Interception. An obvious vector for hackers is going to be reading our thoughts since BCI uses our thoughts as input to a computing system. Hackers can already do this with data flowing over a computer network. They can intercept and block or intercept and alter messages. Because a BCI transmits neural activity, we should expect that existing interception techniques apply. When this happens, no thought will be private or safe. 

We should not let the grimness of potential attack vectors dampen the great potential of BCI. We have conquered harder problems. Moreover, we are in a unique position to understand the threats before hackers start exploiting these vulnerabilities. But we need to begin now, and we need to take these frontiers seriously.