Posted by - Hearing Aids.

Insecure Hearing Aids

Security expert Constantine Grantcharov makes the case for future proofing internet-connected hearing aids.

Hearing Aid technology has evolved tremendously in the last 20 years. I bought my first hearing aids in 1996, and the big hype back then was that they were the first digital hearing aids on the market and that they were CICs (Completely-in-the-Canal). It was a major milestone to not only create a hearing aid that was minature, but also digital.

Skip forward 20 years, and we are at the cusp of the Internet-of-Things (IoT) revolution. Refrigerators, washing machines, lightbulbs, and other everyday items found in your home are now becoming “connected” – they are on the Internet and accessible from anywhere in the world. Hearing Aids too are starting to breakthrough into the IoT space and the possibilities of using hearing aids as more than just a means to hear are starting to take shape. Hearing aids like the ReSound LiNX and Starkey Halo that pair directly with your mobile phone are effectively replacing the wired earbuds or headphones you used to listen to music with. “Alright, wireless headphones!” you say, but that’s not super impressive – it’s natural extension of what a hearing aid can do.

However, imagine using your hearing aids to:

  • Open the front door of your house
  • Turn on your car as you approach
  • Post interesting sounds you hear directly on the internet – “Instagram for sounds”
  • And more

The possibilities are endless and only limited by human imagination. These ideas and applications are what are going to transform the hearing aid from a social stigma to a trendy next-generation wearable. Having a hearing aid in your ear will no longer be something you want to hide, but rather something you want to show off to your friends and family. I daresay that people with regular hearing will buy hearing-aid like devices just to access the technology that hearing aid users may one day take for granted.

Now, all of this is really great and wonderful, but we need to also address the dark side of internet-connected hearing aids. Hearing aids will need to become much more secure to survive in the world of IoT.

A statistic that I recently read and have discussed with my colleagues at length is:

70% of IoT devices on the market today are not secure.

For a market that is projected to reach billions of devices – that’s right billion with a ‘B’ – 70% is a staggeringly high number!

In recent news, IoT devices have been used to launch DDoS (Distributed Denial of Service) attacks against governments, corporations, and other entities, which take advantage of these insecure devices. These attacks are capable of flooding the internet with so many connections, that websites cannot handle the load and are knocked offline for regular users like you and I. The recent DDoS attack that took down Twitter, Spotify, PayPal, GitHub, CNN.com and the New York Times, was largely preventable, and only made possible by thousands of insecure IoT devices! Hearing aids too can fall victim to hacking attempts, and be used to mount such attacks. Just imagine your new pair of Oticon Opn’s taking down the New York Times!

Let’s get a little personal so that the dangers of insecure hearing aids are something that you would be able to relate to. I’ll illustrate these dangers with two scenarios:

  1. Imagine your hearing aids are paired to your phone at all times – like the ReSound LiNX and Starkey Halos. Yesterday, you received an email from a “friend” about some cool new app and you clicked the link to get it and installed it on your phone. Little did you know, the link in the email was malicious and you ended up installing an app from a hacker. Imagine that malicious app is able to capture all communication between your phone and your hearing aids. Later that day, you decide to call your bank to pay a bill. You are asked to answer some verification questions from the bank agent over the phone. Because your awesome new hearing aids are paired to your phone, the malicious app was able to passively listen to your entire conversation capturing answers to your security questions, account balance, and etc … and then upload to the hacker’s server. You’ve now just been compromised and your banking information is in the hands of a fraudster!
  2. Imagine you are successful CEO of a startup company that is just about to IPO and you have a great new pair of internet-connected hearing aids to help you go about negotiating the various aspects of the deal. Secrecy is of paramount importance as information about your company can affect its stock price and many other factors that can impact the success of the IPO. What you didn’t know is that that the great new pair of internet-connected hearing aids you bought had a zero-day exploit (i.e. a security bug previously unknown to the manufacturer) that allowed an attacker to listen and record your conversation in real-time. They’d be able to use that information to harm your company on the day of your big IPO. You might be targeted for insider-trading by regulatory bodies, face financial ruin, or even jail-time as result of this IPO-gone-bad scenario.

These are just two examples of what can happen when security is missing or not strong enough in a product like a hearing aid. These scenarios would previously not have been possible, because the hearing aid was a closed system with no outside connection, except during fittings at the Hearing Clinic. But going forward that will no longer be case.

Security, unfortunately, is often not well understood and brushed aside as an expensive overhead cost to manufacturers of IoT devices – until something goes horribly wrong. For hearing aid manufacturers, my message is that they need to pay attention and start integrating security into their solutions now. Security is often ineffective or greatly diminished when it’s “bolted-on” to an existing solution or product. For maximum protection of the end user, security must be at the core of every product starting at the time of design and followed through to implementation in both hardware and software.

I want to feel safe wearing my hearing aids 16+ hours a day knowing that my conversations remain private at all times and the technology they integrate with is not spying on me or causing malicious activities as result of the connection to the Internet. As hearing aid users, we should demand that hearing aid security be treated as a fundamental right for every single hearing user, not a privilege. Just like we can choose who we let through the front door to our house, we need to be able to securely choose what we digitally allow into our connected hearing aids.

Constantine Grantcharov

About Constantine Grantcharov

Constantine is a hearing aid user for 20+ years and is currently Sr. Embedded Security Systems Engineer at TrustPoint Innovation Technologies, Ltd. He received his B.A.Sc in Computer Engineering from the University of Toronto and has 8+ years in software design and development in secure real-time communication for embedded systems. At TrustPoint he is the Technical Lead for V2X Security Technology, is a contributor to IEEE 1609.2 / SCMS protocols for secure vehicle-to-vehicle (V2V) communication and collision avoidance, and works on general IoT security solutions.

LinkedIn: https://ca.linkedin.com/in/constantinegrantcharov

Twitter: @ConZ27

Last modified:

  • I’m not sure this is an issue with hearing aids. With Bluetooth, the wireless link between the hearing aids and the phones is encrypted. so that its contents can’t be overheard. However, once the information arrives within the phone it is decrypted. At that point it’s no different from any other audio input, i.e. it’s exactly like the input from the phone’s microphone.

    At this point, in theory, a malicious app that had been installed on the phone could capture the conversation and forward it on, but that’s a vulnerability in the phone, not the hearing aid. So I think that blaming the hearing aid is not valid. Of course, manufacturers need to make sure that the Bluetooth encryption is turned on, but from what I’ve seen, the industry is very aware of the dangers and is following best practice.

    It’s unlikely that any viruses could be loaded into a hearing aid. Because they’re designed to be very low power they don’t use the same operating systems as phones or PC, making it much more difficult to compromise them. That doesn’t mean we can be complacent, but hearing aids don’t appear to open any any new vulnerabilities which don’t affect any phone user..

    • Constantine

      Hi Nick, great comment about Bluetooth security – but you might be surprised to learn that Bluetooth is not as secure as people think. I’m not an expert in Bluetooth security, but I know there are known attacks against Bluetooth Low Energy (LE). Supposedly secure Bluetooth-enabled devices are often hacked at conferences like: BlackHat, Pwn2Own and DEFCon. Also, most people don’t question the quality of the security either – the fact that there is something there appeases them and that can lead to a false sense of security.

      Here is an article with some relevant information on Bluetooth: http://www.inc.com/joseph-steinberg/are-your-bluetooth-devices-secure-maybe-not.html. It might shine some light on the issues around it.

      For use cases strictly relating to hearing aids paired to phone, I agree the phone is more likely to be at fault for a security issue, but I wouldn’t say the hear aids are completely off the hook.

      Here is an example: I leave my phone at my desk to go to a meeting to discuss sensitive company information. However, my hearing aids are within Bluetooth range of my phone so they remain paired. Some sensitive information is discussed and even though the phone is not the same room as me, the Bluetooth link allowed an attacker to hear every word that was said in the meeting because of the microphones in the hearing aids. Who is at fault now? The phone or the hearing aid? I’d say the hearing aid enabled the information leak by extending the range of the compromised phone. At the end of the day, the customer will blame the hearing aids in that particular scenario because the hearing aid manufacturer chose to use Bluetooth and configured the security parameters of the Bluetooth connection to the compromised phone.

      Security needs to be pushed to the furthest edge of the system (i.e. the hearing aid), so that using it with a compromised phone doesn’t impact end-to-end security. For example, an Audiologist or HIS programming a hearing aid from the cloud should be able to do so securely even if the underlying phone used by the user is compromised. Because the security is between Hearing Aids and the Audiologist software, the phone is just the pipe that lets the two ends connect and its security is irrelevant.

      In many cases, security is quite tricky to implement and that is why the security company I work for partners with other companies to make sure that the implementation of security is correct based on the current and best practices of the security industry.

    • Constantine

      Just wanted to share an answer from Security Stack Exchange on the weaknesses of Bluetooth; some of it may be out-of-date but there are certainly things that still apply.

      https://security.stackexchange.com/questions/26356/what-can-an-attacker-do-with-bluetooth-and-how-should-it-be-mitigated