As biohacking evolves, how vulnerable are we to cyber threats?

Can our bodies be hacked? The answer may be yes, in that anyone can implant a chip under the skin and these devices do not usually use secure technologies, according to Entelgy.

However, despite more than a decade of talk about biohacking, implantable technologies are still quite primitive, so a possible cyberattack against them should not result in major consequences. This is different in the case of implantable medical devices, the breach of which can seriously damage a patient’s health. However, the futuristic era of men turned into cyborgs capable of killing each other by infecting each other with malware seems not to have arrived yet.

Prioritizing implant technology security

According to Pablo Martínez, a hacker in the Red Team department at Entelgy Innotec Security, and better known as Fall in cybersecurity forums, “we should not panic, biohacking does not seem as advanced as we think. There are studies, experimental situations, but what we know so far is quite primitive and does not leave many possibilities for a cybercriminal to hack our body with a malicious purpose. At the moment we don’t carry our smartphone inside our head and they can’t put a virus inside us.

Our cell phone is possibly even more vulnerable today than an experimental chip injected under the skin, since this chip, although susceptible to hacking, has a very limited function, while the cell phone is exposed to countless threats.

Most implantable technologies, with the exception of medical ones, consist of a small device that is inserted into a capsule that your body does not reject at first and injected into the skin. Are they insecure? Very. Could they be hacked? Yes. Could we understand that, by wearing a chip under the skin of our hand, it could be hacked? Yes.

However, Fall prefers to differentiate. “What can be hacked is the technology, not the body itself. A vulnerable device can be hacked both outside and inside the body. What we need to pay attention to is the security of the technology we are trying to implant,” he points out.

Identifying the most vulnerable implantable technology

RFID (Radio Frequency Identification) technology is possibly the most widespread technology. It allows several devices to identify and contact each other by emitting and reading radio waves. These are low-frequency technologies. “This makes it possible for an attacker to ‘read’ the information on a chip that works with RFID, being able to make a clone in another chip that he has or in an RFID emulator,” explains Fall. Other examples include chips used to identify pets or to open doors.

The latter can be worn inside the hand or externally. “I haven’t seen them open the door of a house, but I have seen them in corporate access controls and gates. A secure chip needs a reader that is also secure, and that can be very expensive. Many entities with large deployments are not interested in investing in this, so they set up cheap and very insecure access controls.”

NFC (Short Range Communication) wireless communications are generally more secure than the previous case, but are also generally insecure. It is a branch of RFID technology, but the components operate and communicate at a greater distance than in the case of NFC. Some people are already using this technology, for example, to exchange their ‘contact card’, to buy food from vending machines or to clock in at work. Credit cards issued by banks in Spain, however, also work with high-frequency NFC and are considered secure devices.

Implantable medical devices: there are other implantable devices, usually mandatory for certain people, for medical purposes and whose safety is necessary. Among them, pacemakers have always been in the spotlight. “Especially the old ones, of which there is a record of vulnerabilities. Years ago they used the dark security method. That is, the pacemaker worked on a frequency that no one knew about and was therefore not easy to hack.

Implantable medical devices vulnerable to cyberattacks

Over time, this security was no longer effective. As soon as these devices were sold on online sites, we learned how they worked. In addition, once deployed, these devices must be configured wirelessly.” In recent years, vulnerabilities have also been detected in implantable cardiac defibrillators (which correct and monitor abnormal rhythms). These security flaws allowed the small devices to be taken over.

Although the aim of cybercriminals is rarely to affect a patient’s health directly, this can be a consequence of some of their actions, especially cyberattacks on hospitals. According to the recent report by the European Union Agency for Cybersecurity (ENISA), “implantable medical devices in patients, such as holters, insulin pumps, pacemakers, gastric and brain stimulators; and even wearables such as glucose meters, among others, are electronically connected to hospitals’ digital systems”.

Any cyberattack against a hospital’s digital systems will lead to an attack on the security of all medical devices connected to its network, both physically and digitally. Also to devices implanted in patients. “Today much of the medical software is out of support and many of the systems in use are outdated and deeply implanted. There is a great risk in exposing the machinery and tools of a hospital to all the threats of the digital environment,” specifies Alejandro Villar, Global Director of OT Cybersecurity at Entelgy Innotec Security.

Fall adds that anything related to wireless communications, radio frequency, wifi or bluetooth “looks bad.” “The security risks increase exponentially when you communicate wirelessly, a spectrum where anyone can tap into that communication. In addition, implanting an RFID or NFC chip in your skin, when there is a counterpart to perform the same function externally, is unnecessary,” he says.

Despite these examples, although technology enthusiasts love to dream of a world where cyborgs share the stage with humans, and where technology is assumed within the body and mind as a fully integrated entity, it seems that the future everyone hopes for has not yet arrived. Perhaps by the time it does, both users and organizations will be better prepared to face the dangers ahead and cling to cybersecurity like a life preserver.