Research and Advances
Computing Applications Contributed Articles

Eight Reasons to Prioritize Brain-Computer Interface Cybersecurity

Defining and analyzing the impact of cyberattacks on novel generations of BCIs.
keyhole on top of a human head, illustration
  1. Introduction
  2. Key Insights
  3. The Brain at Risk Due to Novel Generations of BCI
  4. Eight Neural Cyberattacks Affecting Brain Behavior
  5. What Is the Impact of Neural Cyberattacks?
  6. Conclusion
  7. Acknowledgments
  8. References
  9. Authors
  10. Footnotes
keyhole on top of a human head, illustration

Brain-computer interfaces (BCIs) are bidirectional systems that interact with the brain, allowing neuronal stimulation as well as the acquisition of neural data. Being invasive interfaces extensively used in medical therapy, BCIs can be classified according to their invasiveness level. In this sense and as an example, invasive BCIs focused on neural recording have been used to control prosthetic limbs in impaired patients, while BCIs for neuromodulation have been helpful for treating neurodegenerative conditions, such as Parkinson’s disease.9

Back to Top

Key Insights

  • Brain-computer interfaces have gained tremendous popularity in recent years for neural data acquisition and neurostimulation. However, they have cybersecurity issues that must be addressed.
  • Neural cyberattacks take advantage of vulnerabilities existing in new-generation implantable neurostimulation systems to alter spontaneous neural activity, which significantly impacts the brain.
  • Practitioners, manufacturers, researchers, and end users must carefully evaluate the risks of these novel technologies before they are widely implemented in society.

The second main family of BCIs, in terms of invasiveness, is the non-invasive one. BCIs based on non-invasive principles and, mainly, those focused on neural data acquisition such as electroencephalography (EEG), have gained popularity in recent years, extending their usage from traditional medical scenarios to new domains, such as entertainment or video games. However, despite the benefits of non-invasive BCIs, some works in the literature have identified cybersecurity issues from a neural data acquisition perspective. Martinovic et al.19 demonstrated that an attacker could obtain sensitive personal data from BCI users, taking advantage of their cerebral responses (P300 potentials) when presented with known visual stimuli. Bonaci et al.1 also described a scenario where attackers could maliciously add or modify software modules that cause the BCI to take dangerous action against users. Finally, Takabi et al.24 highlighted that most APIs used to develop BCI applications offered complete access over the information acquired by the BCI, presenting confidentiality problems.

Cybersecurity of invasive BCIs is also a challenge that has been identified in the literature and whose application is in its initial stages3,4,8 This situation is complicated by the recent introduction of novel BCI designs based on nanotechnology aiming to surpass the limitations of traditional BCIs. One example of these emergent systems is Neuralink,20 which uses nanotechnology to record and stimulate specific brain regions with single-neuron resolution. Despite the advantages of the new generation of invasive BCIs, the literature has already identified that some of these BCIs present vulnerabilities that attackers could exploit to affect neural activity.17 In particular, the literature has proposed two cyberattacks—Neural Flooding and Neural Scanning17—focused on neural stimulation, as well as another cyberattack focused on neural inhibition.18 These threats have been defined under the umbrella term neural cyberattacks, which comprises well-known attacks in computer science that can disrupt the spontaneous activity of neural networks of the brain, stimulating or inhibiting neurons.

In such a disruptive and novel context, one of the main challenges is formally defining the behavior of different neural cyberattacks affecting the brain. To that end, studies addressing how neural cyberattacks could re-create the effects induced by certain neurodegenerative diseases are absent in current literature. Furthermore, analysis of the impact of such cyberattacks on spontaneous neural activity is unexplored. Lastly, a comparison of the impact caused by distinct neural cyberattacks is required to understand the changes caused throughout the brain.

Despite the advantages of the new generation of invasive BCIs, some of them present vulnerabilities that attackers could exploit to affect neural activity.

With the goal of improving the previous open challenges, this article presents eight neural cyberattacks affecting spontaneous neural activity, inspired by well-known cyberattacks in computer science: Neural Flooding, Neural Jamming, Neural Scanning, Neural Selective Forwarding, Neural Spoofing, Neural Sybil, Neural Sinkhole, and Neural Nonce. After presenting their formal definitions, we describe research in which the cyberattacks have been implemented over a simulated biological neural network representing a portion of a mouse’s visual cortex, whose topology has been obtained from training a convolutional neural network (CNN). This implementation is based on a lack of realistic neuronal topologies in the literature7 and existing works indicating the similarities CNNs have with neuronal structures from the visual cortex.11,13,14,15 Finally, comparison of the impact between each neural cyberattack is presented for the initial and final part of a neural simulation, studying their impact for both the short and long term. In conclusion, Neural Nonce and Neural Jamming are best suited for short-term effects, while Neural Scanning and Neural Nonce are the most adequate for long-term effects.

Back to Top

The Brain at Risk Due to Novel Generations of BCI

Although this work focuses on neuronal cyberattacks from a computer science point of view, it is essential to introduce, in a basic and synthesized way, how the brain works to understand their behavior and the current state of neuromodulation technologies capable of stimulating and/or inhibiting neurons.

The brain is the human body’s most complex organ, managing all the organism’s major activities. It is divided into left and right hemispheres, which control the opposite sides of the body. Moreover, the cortex of each hemisphere presents four lobes on its surface with differentiated responsibilities. Frontal lobes intervene in reasoning, planning, defining personality, and translating thoughts into words. In contrast, parietal lobes manage sensory perceptions, such as taste or touch, in addition to temperature and pain. These lobes also intervene in memory and the understanding of languages. Occipital lobes identify objects and decode visual information, such as colors or forms, while temporal lobes process auditory stimuli and intervene in verbal memory.12

Within the hemispheres, around 86 billion neurons interact with each other to perform these complex tasks. This interaction is performed by two specific structures of the neuron: the dendrites and the axon. While dendrites receive information from other neurons, axons transmit instructions to neurons. The connection established between these structures is a synapse and is the basis of neuronal communication. In neuronal communication, the dendrites of a given neuron receive stimuli from many neurons (presynaptic neurons) via neurotransmitters, which are molecules that force actions in the receiver neuron (postsynaptic neuron). Presynaptic neurons can be excitatory, producing specific neurotransmitters aimed at initiating an impulse on the postsynaptic neuron, or inhibitory, liberating neurotransmitters to prevent its activity. If the sum of these positive and negative impulses exceeds the postsynaptic neuron’s excitation threshold, this neuron will generate a nerve impulse known as action potential (or spike), electrically transmitted along the axon to reach the axon terminals. When electric stimuli reaches these terminals, they liberate neurotransmitters to the synaptic cleft—the space separating the axon from the dendrites of other neurons—to influence their activity in an excitatory or inhibitory way. These electric and chemical processes are repeated neuron after neuron, but only if they exceed their excitation threshold.

Neurotechnology plays an essential role in supporting these neuronal communications, used for decades in clinical scenarios to induce or suppress neural activity. A wide variety of technologies, both invasive and non-invasive, present different modulation principles, such as ultrasounds, electrical currents, magnetic fields, or light pulses (optogenetics).6 Despite the differences in these approaches, most of them share common parameters used to adjust the modulation process, such as the amplitude or voltage applied or the duration and periodicity of the pulses. Focusing on invasive BCIs, deep brain stimulation (DBS) represents an excellent example of using neural stimulation to treat conditions such as Parkinson’s disease or obsessive-compulsive disorder.9 Moreover, most invasive BCIs also offer recording capabilities, enabling the monitoring of the brain to determine the best time to stimulate or inhibit a particular set of neurons.

In this type of scenario, novel solutions such as Neuralink20 or WiOptND26 deserve special interest; they have introduced the use of nanotechnology to miniaturize the electrodes implanted in the brain, achieving single-neuron resolution. These technologies particularly address neuromodulation from two different perspectives. Neuralink uses electrical currents to stimulate the brain, while WiOptND stimulates or inhibits neuronal activity using optogenetics. Nevertheless, these current initiatives present vulnerabilities in their architectures that attackers could exploit to maliciously stimulate or inhibit neurons.17 Figure 1 introduces the anatomical structure of the head from the scalp to the cerebral cortex, presenting an invasive neuromodulation BCI placed in the cortex that an attacker externally targets. As can be seen, the attacker can execute one of the eight cyberattacks proposed in this work. These cyberattacks exploit vulnerabilities in current BCIs (see Bernal et al.16), generating an impact over the BCI and thus stimulating or inhibiting neuronal activity.

Figure 1. Attacker executing the proposed neuronal cyberattacks that exploit vulnerabilities of invasive neuromodulation BCIs and generate particular impacts on the BCI.

Back to Top

Eight Neural Cyberattacks Affecting Brain Behavior

This work presents eight cyberattacks inspired by well-known threats from digital communications, justified by the potential exploitation of previously highlighted vulnerabilities. Five of these cyberattacks are new (Neural Selective Forwarding, Neural Spoofing, Neural Sybil, Neural Sinkhole, and Neural Nonce), while the remaining three were presented in previous work (Neural Flooding and Neural Scanning in Bernal et al.17 and Neural Jamming in Bernal et al.18). All of them are either based on neuron stimulation, inhibition, or a combination of both. For the sake of simplicity, these cyberattacks assume the use of technologies that can stimulate or inhibit neuronal behavior.

Neuronal flooding. In cybersecurity, flooding cyberattacks focus on collapsing a network by transmitting a high number of data packets, generally directed at specific targets within the network.22 As a consequence, these endpoints increase their workload since they cannot adequately manage legitimate communications. From a neurological perspective, Neuronal Flooding (FLO) cyberattacks try to overstimulate multiple neurons over a particular duration of time. Because FLO cyberattacks do not need previous knowledge about the status of the target neurons, they present a lower complexity than other neural cyberattacks.

The general behavior of an implemented FLO cyberattack can be reviewed in Figure 2. Green boxes indicate actions performed by the cyberattack, and yellow diamonds are conditional blocks. First, the attacker determines the attacking instance and the list of targeted neurons. During the desired instance, the cyberattack selects each of the neurons and stimulates them. Although the flow chart in Figure 2 could be interpreted as sequentially affecting these neurons, the attack is performed in a particular instance of time, resulting in the neurons being attacked at the same time.

Figure 2. Implemented behavior of Neuronal Flooding.

Neuronal jamming. Jamming cyber-attacks introduce malicious interference to the medium to prevent legitimate communication between devices, thus resulting in a denial of service (DoS).25 This principle can be translated to the neurological world, where Neuronal Jamming (JAM) inhibits the activity of a set of neurons, impeding them from generating or transmitting impulses to adjacent neurons. In contrast to FLO, this cyberattack is performed during a determined temporal window, in which the affected neurons do not generate activity. This cyberattack also presents a low execution complexity, only requiring the selection of the target neurons and the attack duration.

The flow chart in Figure 3 represents a temporal window in which the JAM cyberattack is performed. For each instance between the beginning and the end of the attack, the list of targeted neurons is simultaneously inhibited. This inhibition consists of setting the neurons to their lowest voltage within their natural range of values.

Figure 3. Implemented behavior of Neuronal Jamming.

Neuronal scanning. Port scanning is a common cybersecurity technique used to verify if a machine’s communication ports are being used and to identify vulnerable services available in those ports.22 For that, all the machine’s ports are sequentially tested. Similarly, Neuronal Scanning (SCA) cyberattacks aim to sequentially stimulate all neurons of a neuronal population, affecting only one neuron per time instance. As with previous cyberattacks, SCA does not require previous knowledge about the status of the targeted neurons. Nevertheless, execution is moderately complex since the attacker needs to coordinate the order of the neurons attacked, avoid repetitions between them, and determine the time interval between attacking each neuron.

The implemented SCA cyberattack (see Figure 4) targets one neuron per instance under attack, removing from the list those neurons already attacked to avoid repetition and ensure a sequential selection. These instances are determined based on the start of the attack and the time that the attacker waits between affecting neurons.

Figure 4. Implemented behavior of Neuronal Scanning.

Neuronal selective forwarding. In selective forwarding, one of the most harmful cyberattacks against communication networks, malicious hosts selectively drop some packets instead of forwarding them.2 The selection of nodes to be dropped may be random or predefined depending on the attack’s design. As it relates to the brain, Neuronal Selective Forwarding (FOR) changes the propagation behavior of a set of neurons during a temporal window, inhibiting neurons at each instance of the window.

FOR is more elaborate than the previously discussed attacks because it requires knowledge of the neurons involved in a given neuronal propagation path and their status in each instance. It is achieved by real-time neuronal monitoring or via previous knowledge of the neuronal propagation behavior, due to the repetition of actions such as eye blinks or limb movements.

This cyberattack enables a wide variety of different configurations for targeting neurons. It has followed the same sequential criteria already presented for SCA in this work, inhibiting them instead of performing neural stimulation.

Attending to Figure 5, FOR introduces an additional conditional block that verifies if the current neuron’s voltage is suitable for inhibition. Based on the voltage defined for the attack, the implementation verifies whether the difference between current voltage and attacking voltage is lower than the lowest possible value. If so, the attack sets the voltage to the lowest threshold to avoid unrealistic results.

Figure 5. Implemented behavior of Neuronal Selective Forwarding.

Neuronal spoofing. In computer networks, a spoofing cyberattack occurs when a malicious party impersonates a computer or subject to steal sensitive data or launch attacks against other network hosts.22 In the brain scenario, Neuronal Spoofing (SPO) cyberattacks replicate the behavior of a set of neurons during a given period. After recording neuronal activity, the attacker uses this pattern to stimulate or inhibit the same or different neurons at a different time. SPO is one of the most sophisticated attacks since it requires recording, stimulation, and inhibition capabilities as well as deep knowledge of brain functioning. Like most of the others, the impact of this cyberattack is high because a malicious attacker could control some vital functions of the subject’s body.

Figure 6 highlights two main processes. First, the attack performs a neuronal recording procedure for the selected neurons during a particular temporal period. For each instance within the period, the attacker stores the voltage of each recorded neuron. Afterward, the second process properly stimulates or inhibits a different neuronal population targeted by the attack, forcing them to have the same behavior as those previously recorded.

Figure 6. Implemented behavior of Neuronal Spoofing.

Neuronal Sybil. Sybil cyberattacks occur when a computer is hijacked to claim multiple identities, presenting broad security and safety implications. Having different identities, the behavior of the infected host differs according to which identity is acting at each moment.5 With the brain, Sybil attacks can result in the attacker altering the operation of one or more neurons so that they do precisely the opposite of their natural behavior. This means that when a given neuron is firing, the attacker inhibits the activity, and when it is not firing, the attacker fires it. Neuronal Sybil (SYB) cyberattacks are the most complex of those presented because they require real-time recording (or previous knowledge of the firing pattern) and the ability to either stimulate or inhibit a particular neuron in a given instance depending on its natural behavior. The impact of these neural cyberattacks is high, depending on the number of affected neurons.

The implementation of SYB cyberattacks is like the one presented for FLO, although the action performed against the neurons is different (see Figure 7). In SYB, the voltage of each targeted neuron is set to the opposite value within its natural range. This is obtained by adding higher and lower voltage thresholds of the neuron and sub-tracting the current voltage value.

Figure 7. Implemented behavior of Neuronal Sybil.

Neuronal sinkhole. Sinkhole cyber-attacks are applied to routing protocols, where a node of the network broadcasts that it is the best path to reach a specific destination. Based on that, the surrounding nodes will transmit their traffic to the malicious node, which could access, modify, or discard the received data.21 From a neurological perspective, Neuronal Sinkhole (SIN) cyberattacks focus on stimulating neurons from superficial layers connected to neurons placed in deeper layers, the latter being the main target of the attack. SIN cyberattacks are highly complex since the attacker requires knowledge about the neuronal topology and synapses of a specific area of the brain. Moreover, this cyberattack is performed in a particular instance, stimulating the trigger set of neurons that initiates the attack.

The actions included in the implementation of SIN cyberattacks are the same as those presented for FLO, as shown in Figure 8. The main difference between them lies in the selection of the targeted neurons. SIN cyberattacks directly affect the neurons from early layers connected via synapses with the target neuron located in deep layers. Once it identifies which neurons to attack, the process of stimulation is the same as FLO.

Figure 8. Implemented behavior of Neuronal Sinkhole.

Neuronal nonce. Nonce numbers are typically random values used in cryptography to secure communications. A nonce is commonly used just once to prevent old communications from being reused and thus perform a replay attack.22 In the context of neural cyberattacks, Neuronal Nonce (NON) consists of attacking a random set of neurons at a particular instant. The action performed could vary based on the interests of the attacker, either producing neural stimulation, neural inhibition, or a combination of both. The next execution of the attack will target a completely different set. Based on this variability, the complexity of the cyberattack is low, just requiring physical access to the target neurons.

This cyberattack has been implemented following the same principles already presented. The main difference (see Figure 9) resides in the selection of the action to apply over each targeted neuron. For each instance under attack and each targeted neuron, the attack randomly determines whether to stimulate, inhibit, or keep its spontaneous behavior. The attacker can also indicate the probability assigned to each action, with the goal of helping to benefit particular actions.

Figure 9. Implemented behavior of Neuronal Nonce.

Once presented, the behavior of each neural cyberattack must be compared (see Table 1). In particular, the theoretical impact of each attack depends on the aggressiveness of its action mechanism and the knowledge the attacker has about the target neurons. Nevertheless, these cyberattacks present aspects that complicate comparisons, such as their innate behavior, the instances and duration of the cyberattacks, the number of affected neurons, or the voltages used to stimulate those neurons.

Table 1. Comparison of proposed neural cyberattacks.

Back to Top

What Is the Impact of Neural Cyberattacks?

To answer this question, it is important to mention that biological neural topologies, known as connectomes, are critical to measure the impact of cyberattacks. However, there is an absence of realistic neuronal topologies in the literature.7 In this context, and to alleviate this limitation, the literature has evidenced that the hierarchy and functioning of neurons in charge of vision present similarities with the functioning of CNNs.11,13,14,15 Particularly, the layers in both networks move from simple to abstract, where convolutional layers are related to early visual regions and dense layers present similarities with later visual areas. Furthermore, as stated by Grace,15 CNNs could be good candidates for approximation models of the visual system.

Based on that, this work employs a simulated biological network, whose topology is artificially generated from training a CNN, where the resulting CNN weights are transformed to biological synaptic weights, used to represent the voltage increase induced during an action potential. In summary, the CNN is just used to generate a biological topology, while the biological connectome is used to evaluate the impact of neural cyberattacks, representing their effect over a neurostimulation BCI placed in the brain.

Considering the similarities between CNNs and biological approaches, previous work trained a CNN to solve the problem of a mouse trying to exit a determined maze, modeling a portion of a mouse’s visual cortex.17,18 This article also uses this network to generate a simple biological connectome to test the proposed eight attacks. This CNN was specifically trained to obtain the optimal path to the maze’s exit, resulting in 27 positions whose topology comprises two convolutional layers of 200 and 72 nodes, respectively, and a dense layer of four nodes. Although this simulated topology is not the same as a biological one, it serves to compare the impact that each neural cyberattack has over a common baseline.

Once having the artificial neural topology, it was ported to the Brian2 neuronal simulator23 to model the biological behavior of pyramidal neurons from three different layers of the mouse’s visual cortex (L2/3, L5, and L6). For that, Izhikevich’s neuronal model10 was used to represent excitatory neurons with regular spiking dynamics, defining neurons with a voltage range between -65mV and 30mV. Finally, a simulation of 27s was defined, simulating a mouse staying 1s in each position of the optimal path of the maze. Supplementary information concerning design and implementation aspects can be found in Bernal et al.17

Table 2 summarizes the parameters used during the experimentation for each neural cyberattack. It is relevant to note that FLO, JAM, SPO, and SYB target random neurons from the first layer, while SCA and FOR sequentially attack all 200 neurons. SIN affects only the neurons related to the target neurons, and NON randomly evaluates the decision over each neuron of the first layer. Finally, NON presents a probability of 20% of stimulating a neuron, a 20% probability of inhibiting it, and a 60% probability of keeping its spontaneous behavior until the next attack.

Table 2. Parameters used for each neural cyberattack; up arrows (↑) indicate a voltage increase and down arrows (↓) a voltage decrease.

To better understand the behavior of these cyberattacks and the parameters indicated, Figure 10 depicts a raster plot per cyberattack with the evolution of neuronal spikes simulating the biological connectome during a simplified simulation of 215ms instead of 27s, aiming to improve its visibility. A simulation of 215ms has been chosen since it is the minimum duration to clearly present SCA and FOR cyberattacks, attacking one neuron per millisecond.

Figure 10. Visual representation of the behavior of each neural cvberattack proposed.

Particularly, Figure 10 allows for visual comparison between each cyberattack and the spontaneous behavior. Besides, it is worth noting that this figure does not intend to exhaustively present the impact and evolution of the cyberattacks on neural activity but simply illustrate their action mechanisms in a simplified way. Those considerations are later presented in this section.

As can be seen in Figure 10, the first raster plot, representing the spontaneous behavior, presents vertical columns of green dots corresponding to regular spiking from Izhikevich’s model. This spontaneous behavior is also included in the plots presenting each cyberattack to easily compare their behavior. Blue dots indicate neurons attacked by neural stimulation, while black dots represent inhibitory actions. Furthermore, orange dots highlight the evolution of each cyberattack. Finally, a grey background indicates the duration of the cyberattack.

Compared to the spontaneous behavior, FLO generates new orange groups of spikes before the spontaneous columns, caused by the stimulation performed at 10ms. Additionally, orange spikes can be appreciated within the green columns in layers two and three (neurons 200 to 276). These spikes are also a consequence of the attack, applying to subsequent cyberattacks. On the contrary, JAM performs neural inhibition until it reaches 60ms, and it is after that instance when the subset of attacked neurons performs spikes (indicated in black), inducing a delay compared to the spontaneous behavior that is repeated over time as a second column of orange spikes.

Regarding SCA and FOR, both cyberattacks are active during almost all the simulation. However, their impact is quite different. In SCA, a diagonal succession of stimulated neurons can be observed, producing an incremental impact propagated along time. This impact can be appreciated by the apparition of additional diagonal groups of spikes under the diagonal and the anticipation of spikes in the second and third layers. In contrast, FOR only presents small perturbations compared to the spontaneous behavior induced by the implementation considerations already presented in Figure 5. Furthermore, SPO also performs its activity during a temporal window. In this case, there is a clear difference between the behavior of neurons with indexes 100 to 200 compared to the spontaneous behavior caused by the repetition of spikes previously recorded between instances 10ms to 60ms.

Moving to another stimulation cyberattack, SYB presents a spike trend similar to FLO. This is explained via the voltage range defined by Izhikevich’s model, between -65mV and 30mV, which introduces a higher probability of stimulating than inhibiting neurons.

The attack is also relevant because if a large population of neurons recently performed spikes, the voltage will be low and will tend to induce stimulation. Although the output in terms of spikes is similar, their internal behavior is different.

SIN is another neural cyberattack that also presents similarities with FLO in terms of the visual distribution of spikes. However, there is a particular pattern in the attacked neurons caused by the real target of the attack: neuron 201, the first neuron of the second layer. In this topology, it is determined by the connections between layers of the computational model used. Finally, NON induces a more chaotic behavior when the attack progresses, evaluating the attack condition every 20ms. As can be seen, it performs stimulation and inhibition tasks, randomly selected for each instance under attack and for each neuron of the first layer.

Figure 11 depicts the impact of each cyberattack compared to spontaneous behavior over a 27s simulation, indicating the percentage of reduction in spikes. This figure shows a differentiation between the first five positions and the last five positions of the optimal path to the maze’s exit, determining which cyberattacks are more harmful in the short term and which are more suitable for long-term attacks.

Figure 11. Mean percentage of spikes reduced per neural cyberattack compared with spontaneous behavior, studied over the first and last five positions of the maze in a biological simulation of 27s.

The variability presented per cyberattack corresponds to the differences between the five positions considered, either the first positions or the last ones. Moreover, for FLO, JAM, and SYB, which randomly select the target neurons, 10 executions are performed-to offer variability. Interestingly, the data presented for NON only contains one execution, since this attack introduces huge randomness and would be difficult to compare.

NON, due to its random behavior, achieves a reduction of almost 12% over spontaneous activity in the first five positions; it is the most damaging short-term cyberattack, followed by JAM with an almost 5% reduction. In contrast, SCA is the most impactful long-term attack, causing a spike reduction of around 9%, followed by NON with an 8% reduction.

To conclude, it is essential to mention that the metric concerning the number of spikes has been selected for this impact analysis due to its relevance in a wide variety of neurological scenarios. Specifically, the amount of neuronal activity, measured as the number of spikes of a neuronal population, could be helpful in evaluating the impact of certain neurological diseases. As an example, both Amyotrophic Lateral Sclerosis (ALS) and epilepsy naturally generate hyperexcitability of neuronal activity. In this direction, a cyberattack based on neural stimulation, such as FLO, could hypothetically disrupt the natural equilibrium between neuronal excitation and inhibition, re-creating or aggravating the disease. On the contrary, neural cyberattacks generating neural inhibition, such as JAM, could re-create conditions such as Alzheimer’s disease. On that basis, this article considers the number of spikes to be an essential metric for evaluating the damage caused by a cyberattack.

In terms of generalizing these results, these neural cyberattacks have been evaluated over a simplistic and static network with limited variability compared to the biological visual cortex. In this sense, future work is required to assess their impact on multiple topologies. Moreover, while the study of the applicability and impact of neural cyberattacks to induce certain neurological conditions is a promising research field, future work is needed to evaluate whether our results are consistent with experimentation over realistic biological topologies and even in vivo studies. Additionally, the study of the human-level impact attending to different dimensions, such as psychology or ethics, is outside the scope of this work (for more, see Denning et al.4).

Back to Top


Novel BCI generations bring countless benefits to society, improving their ability to offer better recording and stimulation resolutions. Moreover, the authors envision a future where the reduction in electrode size will result in broad coverage of the brain with single-neuron resolution. Although these improvements represent a paradigm change, vulnerabilities in these technologies open the door for cyberattacks to cause physical damage to users.

Based on previous concerns, this work presents a taxonomy of eight neural cyberattacks aiming to disrupt spontaneous neural activity by maliciously inducing neuronal stimulation or inhibition, exploring the possibility of recreating the effects of particular neuro-degenerative conditions. In this sense, two groups of cyberattacks are defined, based on either performing the attack at a particular time or during a temporal window. These cyberattacks have been evaluated over a neuronal topology modeling a particular region of a mouse’s visual cortex. Since there is presently a lack of realistic neuronal topologies, and following current literature, a CNN has been trained to surpass this limitation due to their similarities with biological ones.

The impact of each cyberattack has been measured and compared over a common neural topology, with Neural Nonce and Neural Jamming causing the most short-term damage, with a spike reduction of around 12% and 5% over spontaneous signaling, respectively. Neural Scanning and Neural Nonce are more suitable for long-term damage, causing an approximate spike reduction of 9% and 8%, respectively.

Back to Top


This work has been partially supported by Bit & Brain Technologies S.L. under the project CyberBrain, associated with the University of Murcia (Spain); the Swiss Federal Office for Defense Procurement (armasuisse) with the CyberSpec (CYD-C-2020003) project; and by the University of Zürich UZH. We thank Blausen Medicala and Harryartsb for their publicly available images.

Figure. Watch the authors discuss this work in the exclusive Communications video.

    1. Bonaci, T. et al. App stores for the brain: Privacy and security in brain-computer interfaces. IEEE Tech. and Society Mag. 34, 2 (June 2015), 32–39.

    2. Bysani, L.K. and Turuk, A.K. A survey on selective forwarding attack in wireless sensor networks. In 2011 Intern. Conf. on Devices and Communications, 1–5.

    3. Camara, C., Peris-Lopez, P., and Tapiador, J.E. Security and privacy issues in implantable medical devices: A comprehensive survey. J. of Biomedical Informatics 55 (2015), 272–289.

    4. Denning, T., Matsuoka, Y., and Kohno, T. Neurosecurity: Security and privacy for neural devices. Neurosurgical Focus FOC 27, 1 (2009), E7.

    5. Douceur, J.R. The Sybil attack. In Proceedings of the 1st Intern. Workshop on Peer-to-Peer Systems, P. Druschel, F. Kaashoek, and A. Rowstron (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg (January 2022), 251–260.

    6. Edwards, C.A. et al. Neurostimulation devices for the treatment of neurologic disorders. Mayo Clinic Proceedings 92, 9 (September 2017), 1427–1444.

    7. Gal, E. et al. Rich cell-type-specific network topology in neocortical microcircuitry. Nature Neuroscience 20, 7 (July 2017), 1004–1013.

    8. Halperin, D. et al. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In 2008 IEEE Symp. on Security and Privacy, 129–142.

    9. Hartmann, C.J. et al. An update on best practice of deep brain stimulation in Parkinson's disease. Therapeutic Advances in Neurological Disorders 12 (January 2019),

    10. Izhikevich, E.M. Simple model of spiking neurons. IEEE Transactions on Neural Networks 14, 6 (2003), 1569–1572.

    11. Kalfas, I., Kumar, S., and Vogels, R. Shape selectivity of middle superior temporal sulcus body patch neurons. eNeuro 4, 3 (2017).

    12. Kandel, E. Principles of Neural Science. McGraw-Hill, New York (2013).

    13. Kriegeskorte, N. Deep neural networks: A new framework for modeling biological vision and brain information processing. Annual Rev. of Vision Science 1, 1 (2015), 417–446.

    14. Kuzovkin, I. et al. Activations of deep convolutional neural networks are aligned with gamma band activity of human visual cortex. Communications Biology 1, 1 (August 2018), 107.

    15. Lindsay, G.W. Convolutional neural networks as a model of the visual system: Past, present, and future. J. of Cognitive Neuroscience 33, 10 (2021), 2017–2031.

    16. López Bernal, S. et al. Security in brain-computer interfaces: State-of-the-art, opportunities, and future challenges. ACM Computing Surveys 54, 1, Article 11 (January 2021).

    17. López Bernal, S. et al. Cyberattacks on miniature brain implants to disrupt spontaneous neural signaling. IEEE Access 8 (2020), 152204–152222.

    18. López Bernal, S., Huertas Celdrán, A., and Martínez Pérez, G. Neuronal jamming cyberattack over invasive BCIs affecting the resolution of tasks requiring visual capabilities. Computers & Security 112 (2022), 102534.

    19. Martinovic, I. et al. On the feasibility of side-channel attacks with brain-computer interfaces. In Proceedings of the 21st USENIX Conf. on Security Symposium (2012), 34.

    20. Musk, E. An integrated brain-machine interface platform with thousands of channels. J. of Medical Internet Research 21, 10 (October 2019), e16194.

    21. Rehman, A., Rehman, S.U., and Raheem, H. Sinkhole attacks in wireless sensor networks: A survey. Wireless Personal Communications 106, 4 (June 1, 2019), 2291–2313.

    22. Stallings, W. Cryptography and Network Security: Principles and Practice (7th ed.). Pearson, London (2017).

    23. Stimberg, M., Brette, R., and Goodman, D.F.M. Brian 2, an intuitive and efficient neural simulator. eLife 8 (August 2019), e47314.

    24. Takabi, H., Bhalotiya, A., and Alohaly, M. Brain computer interface (BCI) applications: Privacy threats and countermeasures. In IEEE 2nd Intern. Conf. on Collaboration and Internet Computing. (2016), 102–111.

    25. Vadlamani, S. et al. Jamming attacks on wireless networks: A taxonomic survey. Intern. J. of Production Economics 172 (2016), 76–94.

    26. Wirdatmadja, S.A. et al. Wireless optogenetic nanonetworks for brain stimulation: Device model and charging protocols. IEEE Transactions on NanoBioscience 16, 8 (2017), 859–872.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More