What on earth is brainjacking, and should you be worried about it? It depends…
“Let’s just burn your mind out”. It’s December 2020 and Laurie Pycroft is pumped. The noir, hyperviolent and futuristic videogame Cyberpunk 2077 has just been released and Pycroft is livestreaming his first play. A nefarious character with a brain implant has come into view and Pycroft has several ‘quickhacks’ that might bring him down, including ‘synapse burnout’, ‘short circuit’ and ‘memory wipe’.
Pycroft opts for synapse burnout and promptly overloads the bad actor’s brain with voltage, dropping him to the ground in a stroke-like paralysis.
Pycroft’s interest in Cyberpunk 2077 is not purely recreational. He researches the security of implanted brain devices as a doctoral student at the University of Oxford’s Nuffield Department of Surgical Sciences. In a landmark 2016 article, Pycroft coined the term “brainjacking” for what might happen should an ill-intentioned agent gain access to someone else’s brain implant, an outcome that Cyberpunk 2077 riffs on with chilling virtuosity.
So what, precisely, is brainjacking – and could any of the quickhacks in Cyberpunk really happen?
An aspiring brainjacker would likely target someone fitted with a neurostimulator, a device that delivers small bursts of electricity to the brain as part of a treatment called deep brain stimulation (DBS). If you ever need one, you’ll get a battery, or “implantable pulse generator”, put under your skin below the collarbone. A lead runs from the battery up the side of the skull and connects to an electrode, judiciously plunged by a neurosurgeon deep in your brain. Turn it on and, depending on where the electrodes are placed, you get control of a range of disorders including Parkinson’s disease and epilepsy.
But deep brain stimulation, as the Cyberpunk vignette hints at, comes with a dark side. A ‘neurosecurity’ breach could permit a hacker to gain remote control of the device, with potentially devastating consequences. It hasn’t happened yet, although there is one close parallel – in 2007 former US vice president Dick Cheney had the wireless function of his heart defibrillator disabled to thwart a notional assassination attempt. So is something like a Cyberpunk quickhack really plausible?
“For sure,” says Nir Lipsman, a neurosurgeon at the Sunnybrook Health Sciences Centre in Toronto, Canada, who co-authored a recent review of DBS that deals with the brainjacking scenario. Lipsman mostly uses DBS to treat Parkinson’s disease, which causes tremor, stiff limbs and slow movements, but he is also trialling the technology in depression, obsessive-compulsive disorder and post-traumatic stress.
“Any time you intervene in the brain you are going to have a balance between the clinical effect of trying to treat and adverse effects, which can be related to over- or under-stimulation,” he says. “What you worry about is overstimulation.”
More than 100,000 people worldwide have a neurostimulator in place, often for movement disorders like Parkinson’s disease.
“If you overstimulate somebody who has an implant for Parkinson’s you may get muscular contractions or you may get numbness or tingling; you may get speech deficits,” says Lipsman. “If you understimulate then it’s basically like under-treating their disease and they may get a recurrence or a rebound of their symptoms.”
Theoretically, he says, a hacker could target the device of a politician with Parkinson’s to crank their motor symptoms up or down. Just the thing to stop them voting on crucial legislation. But how likely is it?
Right now, not very. To alter the firing of the device you have to put a hand-held remote controller right over the box under the skin, so any hacker would have to be more or less in your face. But remote monitoring and reprogramming of devices are on the horizon.
DBS system manufacturer SceneRay, for example, has developed technology for web-based programming. Similar tech, which allows doctors to tweak patients’ DBS settings via telehealth, reportedly rolled out in China last year, multiplying the opportunities for hackers to breach neurosecurity.
Another recent development raises the stakes further. Medtronic just released its Percept DBS, which is being trialled in Parkinson’s disease. The Percept is “bidirectional”, which means it doesn’t just stimulate the brain but can also “read” brain activity with its BrainSense™ tech. The idea is that good or bad symptom control will generate a unique set of brainwaves; the device detects this “neural signature” and modifies the zaps accordingly. That information could also be used by brainjackers to see if their hacks were working.
But if you really want to mess with someone’s brain you’ll want an Access All Areas pass. The rising number of indications for DBS means the devices are being put in brain regions with ever more diverse functionality. Research is underway to enhance memory for people with Alzheimer’s disease.
“Studies are being done using [DBS] to stimulate the fornix, which is an important memory structure,” says Lipsman. “The fornix is a major outflow from the hippocampus.” A hack to this region could deliver something akin to the Cyberpunk “memory wipe”.
The fornix also happens to be right next to the hypothalamus, which pumps out hormones that regulate cortisol and adrenalin levels. “If you overstimulate you’re going to have a rapid increase in heart rate and blood pressure, so that can be very risky,” says Lipsman.
It’s an open question whether anyone would actually do this, but the recent experience of videogame journalist Liana Ruppert suggests someone might.
Ruppert was playing Cyberpunk 2077 ahead of its release last year when she entered the “braindance” mode, which hacks into the implant of an onscreen character to experience their point of view. The transition is preceded by a series of flashing lights. Ruppert, who has photosensitive epilepsy, promptly had a grand mal seizure – a repetitive jerking of arms and legs with loss of consciousness that can be fatal. Ruppert survived, wrote about her experience, and was subsequently spammed with hundreds of flashing videos which she claims were deliberate attempts to trigger her epilepsy. Proof of malice would seem to be established.
Device manufacturers are increasingly alert to the threat of remote hacking. In 2017, the US Food and Drug Administration (FDA) ordered the recall of nearly half a million pacemakers manufactured by healthtech firm Abbott, over cybersecurity fears. Medtronic has released a series of software updates for its implantable defibrillators to close security flaws that, according to a 2019 FDA advisory, could permit an “unauthorized individual … to access and potentially manipulate an implantable device.” In 2020 the European Union updated its medical device regulations to tighten cybersecurity.
One innovation, however, raises the brainjacking bar considerably. In his forthcoming book Neural Prosthetics: Neuroscientific and Philosophical Aspects of Changing the Brain (Oxford University Press), Walter Glannon devotes a chapter to the hippocampal prosthetic. Researchers are developing brain implants that aim to restore memory in people with hippocampal injury from trauma, epilepsy or neurodegenerative disease.
“Hackers could create imaginary memories of experiences the individual never had,” says Glannon, a professor of philosophy at the University of Calgary, in Canada. “These could affect agency insofar as memories are the sorts of things we use to project ourselves into the future to develop action plans.”
An implanted memory of a violent assault, says Glannon, could trigger generalised anxiety that altered behaviour, perhaps making the person scared to leave the house.
Of course, if you don’t have any hardware in your head there’s no need to worry. But brain tech is slowly being democratised. Elon Musk’s Neuralink project is building a brain implant to let people control a computer with their thoughts. The Neuralink device was successfully implanted in a pig named Gertrude in 2020 and, in February, Musk announced that a monkey with the device could “play video games with his mind”.
At this stage Neuralink only senses brain activity and doesn’t stimulate, but, says Lipsman, that capability is largely a question of engineering.
The Ruppert case is a terrifying example of a brain hack, albeit without the implant, and puts an eerie “life imitates art” spin on Cyberpunk 2077. Laurie Pycroft considered the attack at length in his livestream commentary.
What did he conclude?
“It is proof that we’re living in a cyberpunk dystopia already.”
Originally published by Cosmos as Biohacking: future tense
Paul Biegler is a philosopher, physician and Adjunct Research Fellow in Bioethics at Monash University. He received the 2012 Australasian Association of Philosophy Media Prize and his book The Ethical Treatment of Depression (MIT Press 2011) won the Australian Museum Eureka Prize for Research in Ethics.