According to a Congressional report, about 1,645 veterans lost limbs during the War on Terror years, an injury that brings lasting physical effects as well as a heavy psychological burden. Not all veterans require prosthetics or even want them, but for those who do, innovations in this field cannot come soon enough. However, more technology and complexity also bring an added risk of vulnerabilities, even more so for biomechanical prosthetics that are connected to the internet. For example, the prosthetic arm made by Motorica is part of an ever-growing industry called IoT, or the Internet of Things.

The arm is equipped with dedicated sensors that are connected to the skin, which read muscle contractions and analyze them to create movement of the robotic fingers. It is unwieldy and unnatural in the beginning, according to researchers, yet after some practice, it becomes like a natural extension.

Like other IoT devices, the arm sends data to the cloud to monitor movements, function and any anomalies. And like other IoT devices, it needs countermeasures against vulnerabilities that malicious actors can exploit.

In a paper published by Kaspersky Labs researcher Vladimir Dashchenko, vulnerabilities were discovered in the software of the biomechanical prosthetic arm.

Every Motorica-manufactured arm has an onboard SIM card, which is intended to communicate statistical data to the cloud. Currently, the arm can only send data to the cloud and not the other way around, giving it a layer of security. However, Motorica intends to implement a unidirectional connection at a later date.

Researchers demonstrate how cyber hackers can hijack artificial limbs

The researcher first tested the basic control software but could not find any vulnerabilities, as it is well structured. The test arm had only basic functions; however, the manufacturer intends to add extra functions such as smartphone interconnect, contactless payments and other features. The problem is that these added features also add more risks. The danger is particularly acute with so-called man-in-the-middle attacks, where an attacker can hijack the data by intercepting the signal.

Analysis of the protocol that sends data to the cloud, however, did turn up vulnerabilities. According to Dashchenko, incorrect account operations and insufficient input validation can be exploited by a remote attacker to: