Could you become infected with a Computer Virus?

 

Frequently Asked Questions:

Can you tell me a little bit about your work at the University of Reading?

In our research we are exploring from a multi-disciplinary perspective the potential and risks of implanted devices. The research here has used a device implanted in the hand for gaining access to a building and to allow a mobile phone to be used only by the implanted person. The implant also stores profile data about the person which can be read and modified by the building’s systems. After being implanted in my hand for over a year, a vulnerability in the technology has been deliberately exploited to allow an engineered computer virus to propagate via the implant.

What are the main points you are making with this research?

1)   Implantable technology is potentially susceptible to risks that we need to account for.

Poorly considered security in implanted medical devices is becoming well documented in the academic literature (although no devices are currently known to be at immediate risk) and healthy people implanting potentially vulnerable technology is also becoming more common. As more applications appear and the technology develops, we need to make sure we consider the risks. Indeed, the aim in part is to put a milestone in the development of implantable technology, to highlight the potential security risks of the future and to raise awareness that this can no longer simply be dismissed as science fiction.

2)   We can and should talk in terms of implantable technology being a part of the body.

We are particularly interested in the philosophical and psychological questions surrounding what we perceive to be our own body’s boundaries and the legal implications of this. We can talk in terms of human rights to bodily integrity - i.e. self-determination (you can do what you want with your body) and the right to not have your body interfered with. People with medical implants (and even other less invasive devices such as contact lenses) tend to incorporate the technology over time into what they understand to be their body. Certainly with prosthetics we aim for this effect and actually find it readily occurs. If I understand my body to include the technology, should these rights extend to the technology too? In these terms we should talk of, for example, a computer virus "infecting" the person, and constituting a form of abuse. This opens very interesting and complex issues which need to be addressed as we are likely to see more applications of implantable technology.

Are there other resources on this research area?

For academic publications on security issues in implanted medical devices, see here and for news coverage of the discovery of real world issues some two years after our original research highlighted these as likely issues, see here, here and here. More information on the growing community of self-experimenters and technology enthusiasts using implanted RFID devices is available here.

How long have you had the implant in your hand and how long do you want it to stay in?

I had the implant in March 2009, and we did the virus experiments in April 2010, so a little over a year later. I have no plans to remove it.

What type of device is the implant?

The implant is a high-end Radio Frequency IDentification (RFID) device encased in glass forming a small cylinder, measuring about 12mm long by 2mm wide. It can communicate wirelessly with an external reader device, which also supplies power to the implant.

Surely RFID is a simple emitter of information, how did you manage to insert a virus?

Originally RFID tags – like those used in pets – were simple identifiers which could only transmit a unique number. However, the devices have evolved a long way in the last few years and are now becoming much more complex. We should start thinking of them as a type of mini computer as they begin to be able to store data and do simple computations. The type of device I have is the latest in this evolution of RFID technology.

Was the virus loaded into the implanted chip at the time of its embedding?

No. This is one of the poor pieces of reporting that has occurred.

We did two experiments. In the first, we infected with the virus the computer system which enabled secure access to our laboratory using the implant or 'smart' cards, and so it transferred the virus to the implant when I tried to gain access. In the second experiment we purposefully infected the implant itself, and as the building’s system read the tag, the virus was transferred and corrupted the computer system. At that point any other device (typically RFID smart cards rather than implants) trying to access the system was potentially at risk from the virus.

What form of virus was it and can it spread out of control?

For this demonstration the virus was a simple SQL injection. It was limited in the damage it could cause, and was restricted to the system we were experimenting with. Like any computer virus, it is entirely specific to the technology, and so we are not saying here that a virus can spread through any technology device in its vicinity. What we have demonstrated is a simple and limited proof of concept to highlight that we need to consider security aspects as this technology develops. This can be done in simple and effective ways.
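As an added illustration (not code from the research described here), the sketch below shows why data read from a tag has to be treated as untrusted input by the back-end database, and the kind of simple measure that contains it. The table, the tag IDs, the profile format and all function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed schema and rows; the page does not describe the real tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (tag_id TEXT PRIMARY KEY, profile TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?)",
                   [("TAG-A", "alice"), ("TAG-B", "bob")])
    return db

def profiles(db):
    return dict(db.execute("SELECT tag_id, profile FROM profiles"))

def store_profile_unsafe(db, tag_id, profile):
    # Weak: data read from the tag is spliced into the SQL text itself.
    db.execute("UPDATE profiles SET profile = '" + profile +
               "' WHERE tag_id = '" + tag_id + "'")

def store_profile_bound(db, tag_id, profile):
    # Corrected: placeholders keep tag data as a value, never as SQL syntax.
    db.execute("UPDATE profiles SET profile = ? WHERE tag_id = ?",
               (profile, tag_id))

PROFILE_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")  # assumed field format

def store_profile_checked(db, tag_id, profile):
    # Defence in depth: reject unexpected content before it reaches the database.
    if not PROFILE_RE.fullmatch(profile):
        raise ValueError("tag profile rejected")
    store_profile_bound(db, tag_id, profile)

# Constructed tag content: the quote ends the string, "--" comments out the WHERE.
HOSTILE_PROFILE = "x' --"

def demo():
    unsafe, bound, checked = make_db(), make_db(), make_db()
    store_profile_unsafe(unsafe, "TAG-A", HOSTILE_PROFILE)  # every row overwritten
    store_profile_bound(bound, "TAG-A", HOSTILE_PROFILE)    # stored as plain text
    try:
        store_profile_checked(checked, "TAG-A", HOSTILE_PROFILE)
        rejected = False
    except ValueError:
        rejected = True
    return profiles(unsafe), profiles(bound), profiles(checked), rejected

if __name__ == "__main__":
    print(demo())
```

With the concatenated query, one tag's content changes the records of every other tag in the table; with bound parameters the same content is stored as inert text, and the format check stops it before storage.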

Is this experiment dangerous to you in any way?

Not dangerous – but if my health relied on the implanted device (as is the case with implanted medical devices) then finding a way to disrupt it could potentially be dangerous. We should note that to date no such problem with medical devices has been found.

How did you feel when you were infected?

The infection was deliberate, and completely engineered by us as a proof of concept. I did not 'feel' anything as such, but was very aware of what was happening, especially when the implant stopped working as a result. From my experience, although we were in control of the experiment, having a piece of technology inside the body which was not performing as it was supposed to, which in fact could cause damage to external systems, and over which I potentially had limited control - i.e. it's not as if I could take it out and leave it on the desk - was surprisingly personal. I became aware that in essence I presented a threat because part of ‘me’ had been compromised and simply walking around - and being wirelessly 'read' - could cause issues. By actually having an implant, this very interesting and complex phenomenon can be explored, and contributes to the growing academic discussion.

Did you need to have the device implanted to demonstrate this?

Some people overlook the fact that actually having something implanted is extremely different to bench testing a piece of hardware because it adds the person and their experiences into the mix. It is seemingly difficult to get across the psychological impact involved in this type of deployment, and this is why I was so keen to test this on myself. If you imagine having your house burgled and that "pit of the stomach" feeling you get - explaining that to someone who has never had the experience is hard, and they may wonder why you are so upset just over losing some things. This has parallels - feeling technology to be part of you is something you probably need to experience to understand. When you do, the bigger related issues really become apparent. To then take away control, by infecting an implanted device which you can't simply leave on your desk, is a horribly violating experience, especially as you know you can then potentially transmit the virus simply by walking through a building. Even in our controlled study the impact on the person is remarkable. It is evident that we cannot separate the person and the technology at this point when we consider these applications.

Do many people have implanted devices?

Many people think that implanted technology is science fiction, and forget that medical devices form very intimate links with the human body. However, we are now also seeing a trend in people implanting simple technology to try to enhance themselves in simple ways.

Are implanted medical devices at risk of this virus?

No. The virus we have used could not infect a medical device. Computer viruses are usually very specific to the systems they are on and cannot spread across different technologies in this way. However, it may be possible in the future, if we do not design devices carefully, to create an exploit which affects a pacemaker. Currently we do not know of any medical devices which are at immediate risk. However, while still hypothetical, we do know that security on medical devices is generally very poor, and as the technology develops we have to be careful. The idea of a "denial of service" attack, for example, against a pacemaker that causes complete device failure is not out of the question.

How could implanted medical devices potentially be at risk in the future?

Most implanted medical devices communicate wirelessly, for example to change the internal software, set parameters, or read log data. However, most devices have little if any security or access control. So, if you can communicate with it, you are straight in. This opens up the potential for all sorts of issues, especially as these devices are tending to get more complex and capable. However, you need an intimate understanding of the device and potential vulnerabilities - much like any computer system - if you want to attack it. While we do not know of any medical devices which are at immediate risk, we are trying to draw attention to the fact that implantable computers are as potentially vulnerable as any piece of technology, and so we need to factor in issues such as security, and mitigate risks at the design stage. To date this has been a poorly considered secondary issue.

Could this mechanism be used, for example, by terrorists to infect the system of a plane or to have access to a building with a security system like the one that you infected?

No - much like a computer virus in your home computer will not infect your phone, viruses are very specific to the system in which they occur. Also implants will not be able to just communicate with any other system - this is not going to happen.

What reaction are you getting from the world of academics, science, and technologists to the research?

In academia there is a growing community of people who are appreciating that implantable technology is here and will have future impact on society and that discussion sooner rather than later is important. The interdisciplinary context has meant that there has been great interest from all over academia in what we have done and it has generated excellent, interesting and importantly positive debate. See also the interview with futurist Prof. Michio Kaku, and the opinion of Dr. Ng, a senior manager at Symantec, the producer of Norton Antivirus. However, there are people, especially from the technology world, who simply looked at the study from a blinkered computer science perspective and have criticized it as being of little benefit without considering the implications beyond their domain of expertise.

Why do some computer scientists and security experts disagree?

To analyse this specific proof of concept out of context, from a purely computer science approach, is to entirely miss the bigger picture - we need to consider how implantable technologies will be used in the future and what benefits, risks and wider implications this may involve. I do note that the "big name" online critics took the first media story - written by a journalist - and have criticized the research based on that journalist's unsanctioned interpretation. It seems that if you have an online blog, even if you are a notable "expert", to simply rant and rave can have higher priority than accuracy.

How should future development in this area and the public discussion of it proceed?

We should always proceed with caution - but what we have observed is the functionality being developed without due concern for the implications and risks. This is largely because people have continually dismissed advances in implantable technology as being science fiction or of too little progress to be of importance, although in the academic community real discussion is now well underway. It is like 30 years ago proposing a concept like the smart phone whereby we would all essentially carry around a computer. Some dismissed it as science fiction, others said we had digital watches and so we were already carrying computers, and few would acknowledge the potential impact on the way we live, work, socialise and communicate and so discussion was slow. This is a necessary discussion for implantable technology, but a certain amount of vision is required.

Do you think in the future we will all have implanted chips?

We envisage a future where these two areas of implantable technology converge and medical technology becomes redeployed for application in healthy people for enhancement. People undergo very invasive surgery for cosmetic reasons and so it cannot be assumed that people will not do the same to have an implant if it is of real benefit to them. We will continue to look for ways to use medical implant technology to enhance us, and if there is real benefit it may become commonplace.

If so, what do you think about that?

As humans we continually look to better ourselves through technology and I see this as the next logical step.

Are there societal questions involved?

It may ultimately disadvantage people to such a large degree if they do not enhance themselves that there is no real choice. This is a real worry. Think of mobile phones - can you sensibly operate in society without one, if you didn't want it? The pressures to have them are real, and this will likely be the case with implantable technology.

Could there become a point whereby an implanted person no longer considers themselves “human”?

I think we will have to start tampering with the very essence of self before people start to consider themselves not human. People are being fitted with prosthetic limbs and medical devices right now, and I don't think this question would cross their minds - I would hope that whatever enhancements we may be able to have in the future it would not go that far.