According to a Congressional report, about 1,645 veterans lost limbs during the War on Terror years, causing bodily harm and lasting effects but also a heavy psychological burden. Not all veterans require prosthetics or even want them, but for the ones who do, innovations in this field cannot come soon enough. However, with more technology and complexity also comes an added risk of vulnerabilities, even more so for biomechanical prosthetics that are connected to the internet. For example, the prosthetic arm made by Motorica is part of an ever-growing industry called IoT or Internet of Things.

The arm is equipped with dedicated sensors that are connected to the skin, which read muscle contractions and analyze them to create movement of the robotic fingers. It is unwieldy and unnatural in the beginning, according to researchers, yet after some practice, it becomes like a natural extension.

Similar to other IoT devices, the arm sends data to the cloud to monitor movements, function and any anomalies. Similar to other IoT devices, there are countermeasures needed regarding vulnerabilities, which malicious actors can exploit.

In a paper published by Kaspersky Labs researcher Vladimir Dashchenko, vulnerabilities were discovered in the software of the biomechanical prosthetic arm.

Every Motorica manufactured arm has an onboard SIM card, which is intended to communicate statistical data to the cloud. Now, the arm can only send data to the cloud and not the other way around, giving it a layer of security. However, Motorica intends to implement a unidirectional connection at a later date.

Researchers demonstrate how cyber hackers can hijack artificial limbs

The researcher first tested the basic control software but could not find any vulnerabilities, as it is well structured. The test arm had only basic functions, however, the manufacturer intends to add extra functions such as smart phone interconnect, contactless payments and other features. The problem is that these added features also add more risks. The danger is particularly prevalent with the so-called man in the middle attacks, where an attacker can hijack the data by intercepting the signal.

After analyzing the protocol that sends data to the cloud, vulnerabilities were found. According to Dashchenko, these vulnerabilities can be exploited so incorrect account operations and insufficient input validation can be used by a remote attacker to:

…gain access to information about all the accounts in the cloud including the logins and passwords (in plain text) for all the prosthetic arms and administrators, add or delete regular and privileged users (with administrator rights), launch attacks against administrators via the cloud and then attack Motorica’s internal infrastructure, NoSQL injection, cause denial of service for cloud administrator.”

The test did not include a deep dive to find vulnerabilities in the muscle sensors, contactless payment systems or smart phone control software. Yet, it remains an interesting prospect for further research, especially when a direct brain chip connection is established with the arm. It provides an immense target-rich environment for hackers to either directly impact arm functions or even locate the user, which can be hazardous for soldiers who are still on active duty.

To mitigate and prevent such breaches, Dashchenko stated: “Please follow the best coding practices, implement SDL, do security source code review, create a security champion in your development team, do external vulnerability researches and penetration testing. All these useful and much-needed steps will increase the cyber security level of your devices and technologies.”