How Secure Is Your Smart Implant?

The real purpose behind this scientist's research into the security of implanted medical devices is to examine the psychological impact and legal implications, as well as the technological possibilities.

Mark Gasson, the scientist who embedded a radio frequency identification (RFID) chip into his left hand, then deliberately introduced a virus to the chip, has more than malware to deal with right now. A member of the faculty in the School of Systems Engineering at the University of Reading in the United Kingdom, Gasson has been interviewed on BBC News; quoted in Business Week, CNET, and Wired; tagged under "madscience" on Gizmodo; and derided by a senior technology consultant at a security firm as performing "shonky research."

But what Gasson is trying to do, he said, is bring attention to the idea that as computer circuitry increasingly becomes part of the gadgetry embedded in humans for medical reasons, computer security, along with other issues, also need to be considered.

Gasson gained notoriety recently when his university released a statement about his research that included the claim that Gasson had "become the first person in the world to be infected by a computer virus." The scientist had contaminated a computer chip that had been inserted into his hand as part of research into human enhancement and the potential risks of implantable devices.

"Our research shows that implantable technology has developed to the point where implants are capable of communicating, storing and manipulating data," he said. "They are essentially mini computers. This means that, like mainstream computers, they can be infected by viruses and the technology will need to keep pace with this so that implants, including medical devices, can be safely used in the future."

Recently, Campus Technology caught up with Gasson on his way home from Australia after delivering a keynote titled, "From Pervasive to Invasive: Our Future with Technology," at the IEEE International Symposium on Technology and Society. The following interview was conducted by e-mail.

Dian Schaffhauser: Was the virus loaded into that chip at the time of its embedding?

Mark Gasson: No. This is one of the poor pieces of reporting we suffered from. We did two experiments: one that had a virus corrupted computer system--for secure building access that the implant could be used for--which transferred the virus to the implant when I tried to gain access; and the other whereby we purposefully infected the implant. As the building read the tag, the virus was transferred and corrupted the building's system. At that point any other device (typically, RFID Smart cards rather than implants) trying to access the system was potentially at risk.

Schaffhauser: What form of virus was it?

Gasson: For this demonstration the virus was a simple SQL injection. It was limited in the damage it could cause, and was restricted to the system we were experimenting with.

Schaffhauser: In looking at the connection between that chip in your hand and a device that could be implanted for medical reasons, are you saying that the software coded into a medical device could be corrupted before it's implanted?

Gasson: Most implanted medical devices communicate wirelessly for, for example, changing the internal software, setting parameters, or reading log data. However, most devices have little if any security or access control. So, if you can communicate with it, you are straight in. This opens up the potential for all sorts of issues, especially as these devices are tending to get more complex and capable.

However, you need an intimate understanding of the device and potential vulnerabilities--much like any computer system--if you want to attack it. While we do not know of any medical devices which are at immediate risk, we are trying to draw attention to the fact that implantable computers are as potentially vulnerable as any piece of technology, and so we need to factor in issues such as security, and mitigate risks at the design stage. To date this has been a poorly considered secondary issue.

Schaffhauser: Is it possible for code inside medical devices to be corrupted after they've been surgically implanted?

Gasson: Again, this depends, and to date we have not found an example of it; but the idea of a "denial of service" attack against a pacemaker is not out of the question. However, corrupting code in medical devices will be out of the question if we incorporate a proper design methodology.

Schaffhauser: What form would the corruption take--what could happen? Would it be purely on the data collection and monitoring side (in other words outside the body), or could it somehow affect the biological functions of a device?

Gasson: It could be either or both. While this is still hypothetical, causing complete device failure is not out of the question.

Schaffhauser: What's your actual hypothesis? What is it you're hoping to learn from this research?

Gasson: We are particularly interested in the psychological impact on the person, and legal implications as well as the technological possibilities. In Europe we talk in terms of human rights to bodily integrity--i.e. self determination (you can do what you want with your body) and the right to not have your body interfered with. People with medical implants (and even other less invasive devices like contact lenses) tend to incorporate the tech over time into what they understand to be their body. Certainly with prosthetics we aim for this effect and actually find it readily occurs.

If I understand my body to include the technology, should these rights extend to the tech too? In these terms we should talk of, for example, a computer virus "infecting" the person, and constituting a form of abuse. This opens very interesting and complex issues which need to be addressed as we are only likely to see more applications of implantable technology.

Schaffhauser: Did you get the kind of outcome that you expected from the research in this first go-around?

Gasson: Yes--in fact more so. It's really hard to get across to people the psychological impact involved in this type of deployment, and this is why I was so keen to test this on myself. If you imagine having your house burgled and that "pit of the stomach" feeling you get and the violating feeling--explaining that to someone who has never had the experience is hard, and they may wonder why you are so upset just over losing some things. This has parallels--feeling tech to be part of you is something you probably need to experience to understand. But when you do, the bigger related issues really become apparent. To then take away control, by infecting an implanted device which you can't simply leave on your desk, is a horribly violating experience, especially as you know you can then potentially transmit the virus simply by walking through a building. Even in our controlled study the impact on the persona is remarkable. It is evident that we cannot separate the person and the tech at this point when we consider these applications.

Schaffhauser: What kind of reaction are you getting from the world of academics, science, and technology--or even from the people who were present to hear you speak this week?

Gasson: There have been very mixed reactions. In academia there is a growing community of people who are appreciating that implantable tech is here and will have future impact on society and that discussion sooner rather than later is important. The interdisciplinary context has meant that there has been great interest all over academia from what we have done and it has generated excellent and interesting and importantly positive debate.

However, there are a lot of people, especially from the technology world who simply look at the study from a computer science perspective and have criticized it as of being little benefit. The "you could have shown that on the bench--implantation is sensationalist" arguments have come thick and fast.

But to view this purely from a blinkered tech perspective is to entirely miss the bigger picture. I fully admit that the virus is simple and limited in scope. However, initial reporting by the media was misleading and has led to a notable backlash, which is a real shame. The worst aspect is the implication that we have created a virus that will jump into a pacemaker and cause problems or death, which is absolutely not what we are claiming.

I do note that many of the "big name" critics online simply took the first media story--written by a journalist, not us--and have criticized the work based on that journalist's interpretation without actually coming back to us and asking what the reality of it is. It seems that if you have an online blog, even if you are a notable "expert," to simply rant and rave has higher priority than accuracy!

Featured