A new development was revealed yesterday in the ever-troubling, ever-expanding field of medical hacking. Speaking at BruCon, last week's security convention in Belgium, Alejandro Hernandez, a security expert, demonstrated how he could hack an Electroencephalography, or EEG, machine.
Using a civilian version of an EEG reader, called a Mindwave device, Hernandez showed how easily he could perform a man-in-the-middle attack on the machine and remotely read the brainwaves of someone using the machine. Hernandez told the conference: “If you can sniff brain data in the wire, you can do replay attacks if there is no security mechanism between an operator and a drone tampering with EEG data“.
An EEG reader monitors the electrical activity of the brain and is used in diagnosing various neurological conditions including epilepsy. To use the device, several electrodes are attached to the scalp of the patient which then measure the voltage changes from the neurons in the brain.
Hernandez' example was only for show and much of the medical equipment used professionally still remains out of reach for cyber-criminals and uninterpretable for those without the relevant medical experience. Still, Hernandez notes that exploitable holes still exist in home and hospital equipment which could allow for the theft of data and DDoS attacks.
It's hard to see how an EEG machine might be used for the nefarious purposes of cyber-criminals, but it might signify one more nail in the coffin for the security of medical devices. Speaking at last week's IPExpo in London, Werner Thalmeier, director of security solutions at Radware, warned of how wearable insulin devices, for example, were hackable and were there malign intent there, an attacker could easily harm the diabetic user.