Carrying our Insecurities with Us: The Risks of Implanted Medical Devices in Secure Spaces

Conference: BlackHat USA 2020



The presentation discusses the risks associated with personal electronic devices (PEDs) in secure facilities and the need for a balance between protecting classified information and accommodating the workforce.
  • PEDs pose a high risk to security in secure facilities due to their two-way communication capabilities and numerous sensors.
  • Bluetooth, commonly used in PEDs, has security vulnerabilities that can be exploited.
  • Reasonable accommodations must be made for the workforce, including medical exemptions.
  • Protecting the workforce and classified information is important and requires a balance of risks and benefits.
The presenter mentions the risk of Siri giving away classified information if a PED is brought into a secure facility. They also discuss the possibility of hacking PEDs, but note that it is not ethical to attempt this on devices implanted in live humans.


This talk explores the contradiction of allowing increasingly smart Implanted Medical Devices (IMDs) in secure spaces through the combination of policy amendments and technical mitigations. The number of IMDs in use in the United States has been steadily increasing as new technologies emerge and improve. In the context of the U.S. national security workforce, current guiding policy prohibits the possession and use of many portable electronic devices (PEDs) and "smart" devices, including smart IMDs, in secure spaces. Given that these smart devices are increasingly connected by two-way communications protocols, have embedded memory, possess a number of mixed-modality transducers, and are trained to adapt to their environment and host with artificial intelligence (AI) algorithms, they represent significant concerns to the security of protected data, while also delivering increasing, and often medically necessary, benefits to their users. By analyzing the risks and benefits of various policy considerations, we conclude that there is a need to amend Intelligence Community Policy Memorandum (ICPM) 2005-700-1, Annex D, Part I to include smart IMDs to remain compliant with Intelligence Community Policy Guidance (ICPG) 110.1. Additionally, we propose a series of technical and policy mitigations applicable to these smart IMDs that balance the simultaneous constraints of medical necessity and security.