![[Home]](http://www.bayleshanks.com/cartoonbayle.png)
We see by looking at other technologies that even something as seemingly low-level as a router can sometimes be broken into and controlled by an attacker, with no access to the device other than through the network.
Certainly a device that is in direct communication with your brain would present an attractive target for attackers; so if it can be done, it will be.
Therefore I recommend that we assume that almost complex, reconfigurable implanted device connected to the brain and receiving signals from the outside will eventually be taken over by attackers. What would be necessary for you to be comfortable putting something in your head that an enemy will most likely control someday?
Some ideas:
The device must physically rely on something outside your head that you or, in the event that you are incapacitated, people near you, are able to easily, physically remove.
For example, phones are nice because if they go crazy, you can take out the battery; some laptop computers, by contrast, have their batteries welded in, making it potentially very difficult to shut down the computer if it goes completely haywire. The key is that a turn-off-able system should not merely have the ability to execute a 'shut down action' (which could be blocked by an attacker with sufficient low-level control over the device's firmware), but rather the system should not be physically able to remain on without some macroscopic physical configuration being in place.
This is difficult because the ideal solution would be the ability to remove the energetic portion of the device from your head, but on the other hand we don't want to leave the skull open because it increases the risk of infection.
A power source is one possible choice here; if the device relies on power from outside your head, perhaps wirelessly transmitted in a way that requires the transmitter to be nearby, then you can simply remove the power source if the device is behaving erroneously. If this were the solution, then care would need to be taken that an attacker could not simply aim a strong beam of power at you from, say, elsewhere in the building you are in.
This functionality is so important that there should be multiple 'turn off' pathways. Perhaps a certain pattern of vibration on the skull (tap a certain rhythm on your head) could be detected via a secondary system and trigger a shutdown, even if the software does not want to shutdown, and even if the power is still being applied.
You should always keep the device turned off when you are operating heavy machinery, walking on a hard floor, or doing anything else in which sudden and unexpected incapacity could cause a disaster.
There should also be a way to issue a command to the device from your own mind to turn off and to stay off for a certain amount of time, lest you give a kidnapper the ability to brainwash you. This is tricky because if the device starts misrecognizing this turn off command, there should be a way to reconfigure it from the outside, but you don't want an attacker to be able to effectively disable it from the outside.
This isn't a complete solution to this problem because the kidnapper could conceivably find some combination of drugs that would remove your ability to issue the turn-off command in a recognizable fashion.
You don't want an attacker to be able to 'fry your brain' as in cyberspace science fiction.
Neurons die if they are overexcited.
One failure mode of brains is seizures. Seizures can be caused by synchronized input. The device needs to have a filter circuit, built inalterably in hardware, that prevents overly synchronized input in the frequency bands that can cause seizures.
You don't an attacker to have the power to turn you into an addict.
You probably also don't want a connection to pain centers, although since you can turn off the device externally, this is less important.
What if the system becomes compromised and is able to disable the user from turning it off, and no one else who can help is around, or no one notices?
Each time the system is enabled, the system should automatically turn itself off after a set amount of time, and should not allow itself to be turned back on for a set amount of time (so that the attacker can't, e.g., force the user to position their hand holding down the 'turn back on' button at the time of the turnoff). This functionality should probably be embedded in the external 'dumb' (and hence probably hard to reprogram) power source.
On the one hand, a system which has firmware that can be upgraded is necessarily so complex so as to be a security hazard. On the other hand, since it is so risky, expensive, and destructive to do the brain surgery to implant the device, you don't want to be ripping it out and replacing it every two years.
Upgradability may even assist with security; it is likely that over time, as we understand the brain better, more and more subtle attacks will be developed (e.g. can an attacker rewrite memories? can an attacker effectively control sensory perceptions, allowing them to control the person's actions by showing them things that aren't there?). Perhaps some of these can be easily filtered by software ('dont allow pulses above this frequency to be applied to that area').
The device should not have any ferromagnetic metal content because this prevents the user from being able to have an MRI (and also makes them vulnerable to a physical attack by a strong magnet).
If the user takes a strong blow to the head or is in a car crash, the device should not cause more brain damage due to the device physically moving than would otherwise occur.
If the device is damaged, via impact or malfunction, it should not be possible for it to zap the user's brain in a dangerous fashion -- it should be "passively safe". The safeguards against powerful pulses, fast pulses, and synchronized pulses should not be able to be overcome by a short circuit or similar.
The device's components should not allow a distant attacker to fry the user's brain by using the device as a conduit to transfer a large amount of energy into their head.
If the attacker is nearby, they could just use a gun, so we only care about distant attackers.
The temptation will be high for various entities to try to insert back doors into the firmware or even the hardware of such devices. Therefore, it's important that the source code and schematics be publically available, and that manufacturing be openly and externally audited.
