Why We Should Be a Little Paranoid About Hackers Messing With Robot Surgeons

Just because something is unlikely, it doesn’t mean we shouldn’t be ready for it.

by Lorenzo Franceschi-Bicchierai
Jul 15 2016, 10:30am

Image: Motherboard

A few weeks ago, my colleague Victoria Turk sat down in a surgical chair, slid her fingers into something that looked like pliers, wore a pair of 3D glasses, and tried to control a robotic surgeon remotely.

The test went smoothly—until a researcher performed a basic hacking attack on the link connecting the haptic interface device that simulated the sense of touch, and the actual robotic arms performing the fake surgery.

This was just a harmless, controlled demonstration, but it gave us a glimpse of the future. Using robots to carry out surgeries or high-risk operations in places where it's not safe for human doctors or technicians will give medical professionals the ability to save lives and not risk their own. But it will also add a new type of risk: what if a hacker takes control of the robot instead of the operator?

The biggest vulnerability, as Turk discovered, is the link between the human and the robot. Researchers who are studying the cybersecurity risks of using robot surgeons believe that in a real-world scenarios, the machines will likely use the same networks we use to check Facebook or play Pokémon Go.

What if a hacker takes control of the robot instead of the operator?

That means anyone on the internet, from skilled government hackers to cybercriminals and hacktivists just trying to break things for fun, could potentially intercept and interfere with that data.

That's known as a man-in-the-middle attack, where a hacker puts themselves in the middle, messing with the communications of two other parties. While this might sound like a crazy scenario in the case of a robotic surgery—who would ever want to do that?—the reality is that we shouldn't take those chances when there's human lives involved.

"The security and the resilience of the IT we depend upon should be commensurate with the level of risk," Joshua Corman, the founder of I Am the Cavalry, a global grassroots organization pushing for better security in systems and devices that can impact safety and human life, such as medical devices, told Motherboard. "Something that's inside your body or able to cut your body should be held to a higher standard."

Researchers have repeatedly proven that it's possible to take over the controls of a flying drone. Yes, those were civilian drones. But even military drones have been hacked. In 2008, a jihadi militant in Iraq intercepted the video feeds of American drones with $26 devices, and for years, the Pentagon didn't bother to make those feeds secure.

The technicalities of these attacks are not exactly the same, but in essence, they all rely on exploiting insecure communication links. One easy solution is to use encryption, which would ensure that the data exchanged between the robot surgeon and its human controller not only can't be intercepted, but also can't be altered.

Recently, hackers have also hit hospitals, which are perfect targets due to the use of outdated software and hardware. The attacks, which weren't highly targeted, were still able to alter the normal operations of several large facilities forcing the hospitals to move patients to other facilities and disrupting their normal operations—all with run-of-the-mill malware known as ransomware that was simply trying to extort money out of the hospitals.

"Something that's inside your body or able to cut your body should be held to a higher standard."

The moral here is that where there's opportunity, there will be a motive.

And while a targeted man-in-the-middle attack against a particular robot surgeon is less likely than an accidental virus infection, or a distributed denial of service where hackers flood networks with bogus traffic—it's still possible.

As Corman put it, when it comes to thinking about the security of devices upon which our lives could depend, "it doesn't matter what most people would do, it matters what one might do."

By taking basic cybersecurity precautions, we won't have to assume no one will target these devices. When it comes to human lives, we just can't afford to take those risks.