Security of Internet-Connected Hearing Aids

Security expert Constantine Grantcharov makes the case for future proofing internet-connected hearing aids.

Hearing aid technology has evolved tremendously in the last 20 years. I bought my first hearing aids in 1996, and the big hype back then was that they were the first digital hearing aids on the market and that they were CICs (Completely-In-Canal). It was a major milestone to not only create a hearing aid that was miniature, but also digital.

Skip forward 20 years, and we are at the cusp of the Internet-of-Things (IoT) revolution. Refrigerators, washing machines, lightbulbs, and other everyday items found in your home are now becoming “connected” – they are on the Internet and accessible from anywhere in the world. Hearing aids too are starting to breakthrough into the IoT space and the possibilities of using hearing aids as more than just a means to hear are starting to take shape.

Hearing aids like the ReSound LiNX and Starkey Halo that pair directly with your mobile phone are effectively replacing the wired earbuds or headphones you used to listen to music with. “Alright, wireless headphones!” you say, but that’s not super impressive – it’s natural extension of what a hearing aid can do.

However, imagine using your hearing aids to:

  • Open the front door of your house
  • Turn on your car as you approach
  • Post interesting sounds you hear directly on the internet – “Instagram for sounds”
  • And more

The possibilities are endless and only limited by human imagination. These ideas and applications are what are going to transform the hearing aid from a social stigma to a trendy next-generation wearable. Having a hearing aid in your ear will no longer be something you want to hide, but rather something you want to show off to your friends and family. I daresay that people with regular hearing will buy hearing-aid like devices just to access the technology that hearing aid users may one day take for granted.

Now, all of this is really great and wonderful, but we need to also address the dark side of internet-connected hearing aids. Hearing aids will need to become much more secure to survive in the world of IoT.

A statistic that I recently read and have discussed with my colleagues at length is:

70% of IoT devices on the market today are not secure.

For a market that is projected to reach billions of devices – that’s right billion with a ‘B’ – 70% is a staggeringly high number!

In recent news, IoT devices have been used to launch DDoS (Distributed Denial of Service) attacks against governments, corporations, and other entities, which take advantage of these insecure devices. These attacks are capable of flooding the internet with so many connections, that websites cannot handle the load and are knocked offline for regular users like you and I. The recent DDoS attack that took down Twitter, Spotify, PayPal, GitHub, CNN.com and the New York Times, was largely preventable, and only made possible by thousands of insecure IoT devices! Hearing aids too can fall victim to hacking attempts, and be used to mount such attacks. Just imagine your new pair of Oticon Opn’s taking down the New York Times!

Let’s get a little personal so that the dangers of insecure hearing aids are something that you would be able to relate to. I’ll illustrate these dangers with two scenarios:

  1. Imagine your hearing aids are paired to your phone at all times – like the ReSound LiNX and Starkey Halos. Yesterday, you received an email from a “friend” about some cool new app and you clicked the link to get it and installed it on your phone. Little did you know, the link in the email was malicious and you ended up installing an app from a hacker. Imagine that malicious app is able to capture all communication between your phone and your hearing aids. Later that day, you decide to call your bank to pay a bill. You are asked to answer some verification questions from the bank agent over the phone. Because your awesome new hearing aids are paired to your phone, the malicious app was able to passively listen to your entire conversation capturing answers to your security questions, account balance, and etc … and then upload to the hacker’s server. You’ve now just been compromised and your banking information is in the hands of a fraudster!
  2. Imagine you are successful CEO of a startup company that is just about to IPO and you have a great new pair of internet-connected hearing aids to help you go about negotiating the various aspects of the deal. Secrecy is of paramount importance as information about your company can affect its stock price and many other factors that can impact the success of the IPO. What you didn’t know is that that the great new pair of internet-connected hearing aids you bought had a zero-day exploit (i.e. a security bug previously unknown to the manufacturer) that allowed an attacker to listen and record your conversation in real-time. They’d be able to use that information to harm your company on the day of your big IPO. You might be targeted for insider-trading by regulatory bodies, face financial ruin, or even jail-time as result of this IPO-gone-bad scenario.

These are just two examples of what can happen when security is missing or not strong enough in a product like a hearing aid. These scenarios would previously not have been possible, because the hearing aid was a closed system with no outside connection, except during fittings at the hearing clinic. But going forward that will no longer be case.

Security, unfortunately, is often not well understood and brushed aside as an expensive overhead cost to manufacturers of IoT devices – until something goes horribly wrong. For hearing aid manufacturers, my message is that they need to pay attention and start integrating security into their solutions now. Security is often ineffective or greatly diminished when it’s “bolted-on” to an existing solution or product. For maximum protection of the end user, security must be at the core of every product starting at the time of design and followed through to implementation in both hardware and software.

I want to feel safe wearing my hearing aids 16+ hours a day knowing that my conversations remain private at all times and the technology they integrate with is not spying on me or causing malicious activities as result of the connection to the Internet. As hearing aid users, we should demand that hearing aid security be treated as a fundamental right for every single hearing user, not a privilege. Just like we can choose who we let through the front door to our house, we need to be able to securely choose what we digitally allow into our connected hearing aids.