How Ethical Hackers Can Cure Blindness

A capture-process-inject attack chain maps 1:1 to a vision restoration pipeline. I mapped every stage through TARA.

One day, the blind will be able to see their service dogs, and even share memes with the rest of us.

Unreal Engine renders textures and objects without needing to know what they are — just transform data (position, rotation, scale). Who’s to say this isn’t possible for neural rendering? Your eyes are already rendering this screen.

When they do, what would that look like? Besides just more meme spamming, I mean… if we were to redesign the browser and optimize it for the brain, where do we start? Would it look like DOS? White phosphenes are easier to induce after all.

Per a recent interview between Y Combinator and Max Hodak, co-founder of Neuralink, Big Pharma executives are now likely repositioning themselves for a digital future. Full transcript.

Over the past 3 months, I’ve asked how a security engineer with an admiration for art and therapy can bring a fresh lens on how BCIs can not only continue rapid innovations but also do so in a fashion that’s secure and protects the user’s free agency.

During my endeavors, I realized what is now clearly obvious — that mapping and threat modeling attacks with a risk score, using what’s already in the DSM, provides a dual-lens perspective that may potentially provide therapeutic analogues. You can see the full clinical TARA view here.

The same stimulation that Max alludes to in the interview to stimulate dopamine receptors can introduce threat vectors. That’s where my work is different because rather than entering BCI research through the front door, I am entering through the backdoor. That’s how my brain was trained by design. The Greeks didn’t build the Trojan Horse to go through the front door, but rather, to get past a barrier they couldn’t breach head-on.

For me, this is my metaphorical barrier — using security-backed research and science. I don’t come from the world of BCIs, but the past 3 months have taught me a great deal: while the industry is busy bringing medical equity to the subset of our population that needs it the most, my goal is to ensure we not only have the security frameworks that BCI companies can reference, but also identify how unique backgrounds can bring a fresh perspective to the engineering world of BCIs.

What if the same attack chain a hacker uses to compromise a brain-computer interface is the exact same pipeline a clinician needs to restore sight? That’s not a hypothetical. I mapped it.

Here’s the chain: capture the world with a sensor, process it into neural-compatible signals, and inject it into the visual system. An attacker does this to manipulate what someone sees. A clinician does it to give sight to someone who lost it. The physics doesn’t care about intent.

The Attack Chain That Cures Blindness

My proposed TARA threat catalog contains 109 attack techniques mapped across the BCI stack. When I traced the full capture-to-injection pipeline for vision, 11 TARA techniques formed a 5-stage chain — and every single stage has a clinical analogue:

Stage 1 — Capture: Sense the physical environment | Technique: QIF-T0090 WiFi CSI body sensing | Band: S1→S3 | Status: DEMONSTRATED

Stage 2 — Eavesdrop: Extract signal features | Technique: QIF-T0003 Signal eavesdropping | Band: S1→S2 | Status: DEMONSTRATED

Stage 3 — Encode: Convert to neural-compatible format | Technique: QIF-T0067 Phase dynamics replay | Band: S1→I0→N1-N7 | Status: DEMONSTRATED

Stage 4 — Inject: Deliver to neural tissue | Techniques: QIF-T0001, T0009, T0010, T0014 | Band: I0→N1-N7 | Status: DEMONSTRATED

Stage 5 — Replay: Sustain continuous stimulation | Technique: QIF-T0107 Neural nonce replay | Band: I0→N1 | Status: THEORETICAL

The pivot point is T0067 — phase dynamics replay. In attack mode, it replays or synthesizes neural trajectories to spoof legitimate brain activity. In clinical mode, it’s the exact mechanism cochlear implants and retinal prostheses use to encode sensory information into stimulation patterns the brain can interpret. Same physics. Different governance.

The API of the Brain

Hodak explains the retina as a layered compression pipeline: roughly 126 million rods and cones connect to bipolar cells, which compress down to about 1.2-1.5 million retinal ganglion cells that form the optic nerve — roughly a 100x compression before the signal even reaches the brain. (Hodak cites higher figures in the interview; standard neuroscience estimates are ~120M rods + 6M cones. The compression ratio holds either way.)

Science Corp’s retinal prosthesis bypasses the dead rods and cones to stimulate the bipolar cells directly — upstream of the compression layer. In the PRIMAvera pivotal trial (38 patients), the final NEJM results showed a mean improvement of 25.5 letters of visual acuity, with the best patient gaining 59 letters. This dramatically outperformed Second Sight’s Argus II, which stimulated the ganglion cells downstream of the compression and produced limited real-world utility — and eventually left 350+ patients with obsolete, unsupported devices.

Hodak puts it simply: “You can think of that as like the API of the brain.” If you can characterize the signal representations at each layer, you can write to them. The brain handles the rest through plasticity.

The brain is not a black box — it is a layered signal processing system, and each layer has discoverable input/output characteristics. A Stanford team decoded speech at 62 words per minute from intracortical recordings (Willett et al. 2023, Nature; 23.8% word error rate — imperfect, but approaching natural conversation speed). Neuralink’s PRIME study reported wireless motor decoding at 8.0 bits/second in their first human participant (Neuralink blog, 2024). The engineering challenge is getting the right signals into the right layer at the right resolution.

If researchers can reconstruct 3D body pose through walls using WiFi signals alone (DensePose from WiFi, CMU 2023), and if mmWave radar can produce millimeter-level 3D geometry (PanoRadar, MobiCom 2024), then the sensor capability to capture the physical world for a vision pipeline already exists. Coupling it with OCR and AI scene understanding to produce a neural-compatible render is an integration challenge, not a physics barrier. The components exist — it’s the safety, ethics, and latency engineering that determine when and how they come together. That’s why clinical testing takes so long, but it’s exciting to see where the world is heading.

The Sensor Rabbit Hole

This is where I went down a rabbit hole inspired by depth sensors like the Kinect. I built a prototype using Three.js shaders that simulates the principle behind depth-sensing hardware — taking a standard video feed and displacing every pixel based on luminance to reconstruct spatial depth. The depth visualizations I built are rough, but the principle is sound: all you need is a sensor and the right processing pipeline to reconstruct a usable representation of the world.

During this research, I discovered that white phosphenes are the easiest visual percept to induce electrically — most cortical and retinal prostheses start there because the threshold is lowest and the response is most reliable. That’s why the depth visualization renders in grayscale. But a grayscale world is not enough. So I used AI to reintroduce color — the model infers what colors the environment should contain based on object recognition and scene context, then maps them back onto the depth field. The result is a simulation of what a vision restoration pipeline could look like: capture in whatever modality the sensor provides, reconstruct depth, then let AI fill in the color information that the raw stimulation cannot carry.

The AI here works the same way Unreal Engine does — it uses depth and transforms to reconstruct a scene, not raw pixel data. The choice to model this around a Kinect-style depth sensor is intentional. Hardware sensors return geometry — distance, surface, edges — and that data is deterministic. A Kinect doesn’t hallucinate a wall that isn’t there. AI sits on top as a color reconstruction layer, not as the rendering engine itself. It infers what colors should be present based on object recognition and scene context, then paints them onto the depth field. But the depth field exists with or without the AI.

I’m proposing this as a guardrail for human-continuity: a patient’s primary sensory experience should never fully depend on software that can crash, be corrupted, or go offline for a patch. Think about what that means in practice. A vision prosthesis running a software update at 2 AM — does the patient go blind for 90 seconds? With a hardware-first architecture, no. The AI color layer drops out, so the world goes grayscale temporarily. But the depth sensor is still feeding spatial data. The patient still sees the room, the doorway, the stairs. Color comes back when the update finishes. You lose the paint, not the canvas.

None of this requires inventing new rendering technology. Physics simulations, particle shaders, ray-tracing — all of it already exists in gaming engines like Unreal and Unity. The same GPU pipelines that render photorealistic game worlds in real time can reconstruct a visual scene from sensor data. The tooling is mature, optimized, and battle-tested across millions of devices. The gap is not in rendering capability. It is in the interface between the render output and the biological system that needs to receive it.

And that got me thinking. Theoretically, the phone already in someone’s pocket has everything you need — LiDAR on newer iPhones, the TrueDepth camera, accelerometers, gyroscopes. You don’t need a dedicated depth sensor bolted to someone’s head. The phone is always with them. It’s always collecting spatial data. Pair that with OCR and AI models and you have a real-time rendering pipeline that could feed a visual prosthesis.

But here’s the security engineering perspective: the moment you make the phone the sensor for a BCI vision system, you’ve introduced an attack surface that didn’t exist before. The phone connects to cell towers, Wi-Fi, Bluetooth. It runs third-party apps. It syncs to the cloud. Every one of those is a vector. An attacker who compromises the phone now has a pathway to manipulate what gets fed to the implant — and by extension, what the user sees.

That’s exactly why I’m approaching this from security first. For the sake of demonstrating from a security engineering perspective, I modeled the concept around a Kinect-style sensor — isolated, no network stack, no app store. The simulation shows the vision reconstruction principle without introducing the risks that come with a consumer device. But make no mistake: the industry will reach for the phone. And when it does, the security architecture needs to already be there.

This maps directly to what TARA catalogs at the I0 boundary — the interface between external hardware and biology. Whether the sensor is a Kinect, a phone, or AR glasses, the signal has to pass through a trust boundary before it reaches the implant. That’s where Neurowall sits.

Walking the Chain: What Works, What Doesn’t

Now that I’ve laid out the chain and the sensor question, let me walk through each stage with honest labels on what’s demonstrated today, what’s feasible near-term, and what’s still theoretical.

Stage 1: Capture — The Physics Ceiling

Cameras work. Every vision prosthesis in clinical trials uses a camera mounted on glasses. But WiFi Channel State Information (T0090) can reconstruct 3D body pose through walls — DensePose from WiFi (CMU, 2023) achieves body-part UV mapping from WiFi CSI signals, no camera required.

The problem is resolution. Standard WiFi operates at 2.4 GHz (~12.5 cm wavelength) and 5 GHz (~6 cm wavelength). These wavelengths set a practical resolution floor for RF-based sensing — you cannot resolve features smaller than the wavelength of the signal you’re using. Deep learning adds learned priors from training data, but it cannot exceed the physics — below the wavelength scale, it’s filling in gaps from statistical inference, not measuring.

Resolution by frequency:

  • 2.4 GHz (12.5 cm wavelength) — Room occupancy, breathing detection
  • 5 GHz (6 cm wavelength) — Body pose, gait, gestures
  • 60 GHz / mmWave (5 mm wavelength) — Hand gestures, facial features
  • 77 GHz / automotive radar (3.9 mm wavelength) — mm-level geometry (PanoRadar, MobiCom 2024)

WiFi alone cannot produce the resolution needed for a visual scene. But mmWave radar at 77 GHz achieves millimeter-level geometry. PanoRadar (MobiCom 2024) demonstrated panoramic 3D reconstruction from a single spinning radar. RF-based 3D Gaussian Splatting from radar is an active research area — rendering novel views from radio signals alone, no camera. Feasible near-term, but not yet integrated into any BCI pipeline.

Camera capture = demonstrated and in clinical use. WiFi/radar capture for BCI = theoretically possible but resolution-limited. mmWave capture = feasible near-term but not yet coupled to neural encoding.

Stage 2: Process — Game Engines Already Know How

If gaming engines can identify and create texture models based on an object’s dimension, density (sheen, surface, hue, saturation, lighting, depth), and relation in vector space — then the future is looking very positive. The tools already exist:

  • BionicVisionXR (Unity-based): Real-time phosphene simulation running at VR display rates. Renders what a prosthetic user would actually perceive through a given electrode array.
  • 3D Gaussian Splatting (SIGGRAPH 2023): 100+ FPS photorealistic novel-view synthesis. Already has Unreal Engine plugins.
  • 4D Gaussian Splatting (CVPR 2024): 82 FPS for dynamic scenes. Time-varying geometry.

Here’s the counterintuitive finding: photorealism is not what prosthetic vision needs. Elnabawy et al. (2022) demonstrated that simplified visual representations — generated by a GAN to produce high-contrast, clip-art-style imagery — outperform photorealistic rendering for prosthetic users. The visual cortex, working with limited electrode resolution, does better with less information, not more.

The bottleneck is live sensor to scene reconstruction in real time. Material estimation takes ~3 seconds per object. The components exist separately — sensors capture geometry, AI estimates materials, engines render — but no integrated pipeline runs the full chain at the latency a prosthesis demands (<50ms). Each piece works. The plumbing between them doesn’t exist yet.

Individual rendering components = demonstrated. Full sensor-to-render at prosthetic latency = not yet demonstrated. Simplified rendering for prosthetic users = demonstrated to outperform photorealism.

Stage 3: Encode — Teaching the Brain to See

This is where T0067 (phase dynamics replay) sits. The sensor captured the world, the engine rendered it, and now the signal has to be translated into something neural tissue can interpret.

The encoding problem is not just “send a signal” — it’s “send a signal the brain will interpret as vision.” AI is driving the real progress here:

  • End-to-end optimization (de Ruyter van Steveninck, J Vision 2022): Optimizes the visual scene-to-stimulation mapping using a differentiable phosphene simulator.
  • Hybrid Neural Autoencoders (Granley, NeurIPS 2022): Combine physics-based phosphene models with learned encoding.
  • Human-in-the-Loop optimization (Granley, NeurIPS 2023): Patient provides feedback to iteratively refine the encoding model. The patient is literally training the encoder.
  • Differentiable phosphene simulation (van der Grinten et al., eLife 2024): Makes the entire pipeline end-to-end differentiable — from image to stimulation to predicted percept — so gradient descent can optimize the encoding.

Bandwidth reality across delivery methods:

  • PRIMA (photovoltaic, subretinal) — 378 channels | ~3.8 kbps estimated* | <10ms estimated* | In pivotal trial
  • Argus II (epiretinal) — 60 channels | ~600 bps estimated | ~20ms | Defunct
  • Utah array (cortical) — 96-1024 channels | ~10-100 kbps | <5ms | Research
  • FlexLED (optogenetic, epiretinal) — 8,192 micro-LEDs | ~82 kbps estimated | ~5ms | Preclinical

*Estimated from published specs (378 pixels, 30 Hz frame rate, 0.7-9.8ms pulse width). Not published as cited specifications.

PRIMA is a write-only, passive implant — no bidirectional communication. The encoding is done entirely on the glasses-mounted processor. This matters for security because it means there’s no way to validate signals at the implant itself.

Subretinal encoding (PRIMA) = demonstrated in clinical trial. AI-optimized encoding = demonstrated in research. Full sensor-to-encode-to-stimulate from non-camera input = not yet demonstrated.

Stage 4: Inject — The I0 Boundary Problem

This maps to multiple TARA injection techniques: T0001 (electromagnetic injection), T0009 (amplitude modulation), T0010 (ELF entrainment), T0014 (photonic/optogenetic injection). In attack mode, these inject unauthorized signals. In clinical mode, they deliver therapeutic stimulation. The injection physics is identical.

Every injection technique crosses the I0 boundary — the interface between hardware and biology in QIF. For PRIMA, the I0 boundary is at the glasses processor: the implant is passive, so there’s no way to validate signals at the implant itself. The goggles are the last trust boundary. Compromise the goggles, compromise the visual input.

This means the Neurowall concept — signal validation at I0 — must run on the external processor for passive implants. The implant can’t protect itself. The architecture has to protect it.

Signal injection for vision restoration = demonstrated and in clinical use. Security validation at I0 for these devices = not implemented in any current clinical system.

Stage 5: Replay — Sustaining Vision

T0107 (neural nonce replay) in attack mode replays previously valid neural signals to bypass authentication. In clinical mode, this is just… continuous stimulation. A retinal prosthesis that stops replaying the encoded visual signal every frame would produce blackout, not vision.

Continuous stimulation replay = demonstrated (every working prosthesis does this). Replay validation / freshness checking for therapeutic systems = not implemented.
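
The signal validation and freshness checks that Stages 4 and 5 list as not implemented, shown here as an added example (not code from the original post or from the QIF/Neurowall project). The frame layout, `seal`, `I0Gate`, the shared key and the intensity ceiling are assumptions made for illustration; the pulse-width bound reuses the 0.7-9.8 ms range from the footnote in Stage 3.

```python
import hashlib
import hmac
import struct

# All names and limits below are assumptions for this example.
CHANNELS = 378                          # PRIMA pixel count quoted on the page
PULSE_US_MIN, PULSE_US_MAX = 700, 9800  # 0.7-9.8 ms from the page's footnote, reused as a bound
MAX_INTENSITY = 200                     # constructed per-pixel drive ceiling (0-255 scale)
HEADER = struct.Struct(">QH")           # sequence counter, pulse width in microseconds
TAG_LEN = hashlib.sha256().digest_size
FRAME_LEN = HEADER.size + CHANNELS + TAG_LEN


def seal(key, seq, pulse_us, intensities):
    """Encoder side: serialize one stimulation frame and append an HMAC-SHA256 tag."""
    payload = HEADER.pack(seq, pulse_us) + bytes(intensities)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


class I0Gate:
    """Last check on the external processor before a frame reaches the projector driver."""

    def __init__(self, key):
        self._key = key
        self._last_seq = -1
        self.audit = []          # (seq or None, verdict) kept for later inspection

    def check(self, frame):
        seq, verdict = self._evaluate(frame)
        self.audit.append((seq, verdict))
        return verdict

    def _evaluate(self, frame):
        if len(frame) != FRAME_LEN:
            return None, "reject:length"
        payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "reject:auth"       # no field of an unauthenticated frame is trusted
        seq, pulse_us = HEADER.unpack_from(payload)
        if seq <= self._last_seq:
            return seq, "reject:replay"      # valid tag, stale counter
        self._last_seq = seq                 # counter is consumed even if a bound fails below
        if not PULSE_US_MIN <= pulse_us <= PULSE_US_MAX:
            return seq, "reject:pulse_width"
        if max(payload[HEADER.size:]) > MAX_INTENSITY:
            return seq, "reject:intensity"
        return seq, "accept"


def demo():
    """Run a constructed frame stream through the gate and return the verdicts."""
    key = bytes(range(32))                   # constructed key, not a real secret
    gate = I0Gate(key)
    steady = [90] * CHANNELS
    first = seal(key, 1, 4000, steady)
    forged = seal(b"\x00" * 32, 2, 4000, steady)   # sealed under the wrong key
    stream = [
        first,
        seal(key, 2, 4000, steady),            # same image, new counter: normal operation
        first,                                 # captured frame sent again
        forged,
        seal(key, 3, 4000, [255] * CHANNELS),  # authentic but over the intensity ceiling
        seal(key, 4, 9000, steady),
    ]
    return [gate.check(f) for f in stream]


if __name__ == "__main__":
    print(demo())
```

Because every frame carries its own counter, sending the same image again under a new counter stays valid while a captured frame does not, which is the distinction Stage 5 draws between sustained stimulation and replay.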

The Gap Analysis

Here’s what’s missing to connect the full pipeline for clinical use:

Gap 1: Sensor-to-scene reconstruction at prosthetic latency (<50ms)

Components exist separately. No integrated pipeline runs end-to-end at the required speed.

  • Severity: Critical — this is the primary engineering bottleneck.
  • Feasibility: Near-term (2-4 years). Each component is individually fast enough; the integration work is engineering, not physics.

Gap 2: Non-camera sensor encoding pathways

All current clinical systems use cameras. No encoding pipeline takes WiFi CSI, mmWave radar, or LiDAR as input.

  • Severity: High — limits prosthetic vision to camera-sighted scenarios.
  • Feasibility: Medium-term (3-5 years). The encoding AI is sensor-agnostic in principle — it needs geometry and features, not pixels specifically. But nobody has trained an encoder on radar input.

Gap 3: Security architecture at I0 for passive implants

PRIMA’s passive photovoltaic design means zero computational capacity for signal validation. All trust resides in the glasses. No current prosthesis implements any signal validation, replay detection, or authentication.

  • Severity: High today, Critical as devices become consumer-facing.
  • Feasibility: Near-term. The Neurowall concept is architecturally defined; implementation requires engineering a lightweight validation layer on the glasses processor.

Gap 4: Regulatory framework for dual-use techniques

The same techniques classified as attacks in TARA are used therapeutically. No regulatory framework explicitly addresses this boundary. FDA 510(k)/PMA evaluates safety of intended use, not adversarial misuse.

  • Severity: Medium — not blocking clinical use, but blocking responsible deployment at scale.
  • Feasibility: Long-term (5-10 years). Policy gap, not an engineering gap.

The Flip

The attack chain: WiFi sense → eavesdrop → synthesize neural trajectory → inject → replay.

The clinical chain: Sense environment → extract features → encode for neural interface → stimulate → sustain.

Same chain. Same physics. Same TARA technique IDs. The difference is:

Consent — Attack: Absent. Therapy: Informed, documented, IRB-approved.

Calibration — Attack: Uncalibrated or weaponized. Therapy: Patient-specific, clinically validated.

Validation — Attack: Bypasses or doesn’t exist. Therapy: Safety bounds, impedance monitoring.

Oversight — Attack: None. Therapy: Clinical team, FDA regulation, IEC 60601.

Intent — Attack: Disrupt, surveil, manipulate. Therapy: Restore function.

TARA wasn’t built to catalog cures. But when you map 109 attack techniques across the BCI stack with enough granularity, the therapeutic analogues fall out because the physics is shared. The governance is what separates the two. The therapeutic overlap analysis maps this dual-use boundary technique by technique.

What Would a Phosphene Browser Look Like?

So let’s say we get there. The pipeline works. Someone who was blind can now perceive the world through a prosthetic visual system. What does a web browser look like through 378 phosphenes?

Start with the math. PRIMA’s implant is roughly a 19x20 grid of light points. That’s less resolution than a Commodore 64 character cell. You’re not rendering Chrome. You’re not rendering a modern UI at all. You’re working with something closer to pixel art — or cave paintings.

And that’s where art comes in. Art has always been about compression. A Japanese calligrapher conveys an entire concept in three brushstrokes. Mondrian built a visual language out of rectangles and primary colors. Cave paintings at Lascaux told stories with outlines and negative space. The entire history of visual art is a masterclass in how to communicate maximum meaning through minimum signal. That’s exactly the design problem a phosphene display presents.

The research backs this up. Elnabawy’s GAN-based simplification (2022) showed that stripping images down to high-contrast clip-art-style representations improved recognition for prosthetic users. The brain doesn’t need photorealism — it needs edges, contrast, and structure. An artist already knows this instinctively. A painter decides what to leave out. A phosphene display forces the same decision computationally.

So the first phosphene browser wouldn’t look like Safari. It might look like a woodcut. Bold outlines. High contrast. Negative space doing the heavy lifting. Text rendered as shapes the brain can learn to associate with letters — not pixel-perfect fonts, but gestures toward letterforms that plasticity fills in over time. Navigation through spatial memory and gesture, not scrolling through a feed.

The primary experience should be art, not a command line. Nobody wants to wake up and see a terminal. Imagine your OS for seeing the world boots up and it bluescreens. Your vision just… crashes. A cursor blinking in a void where the world used to be. That cannot happen. The default experience has to be beautiful, intuitive, and human — something closer to watercolor than to a shell prompt.

That’s what I set out to answer with the Runemate concept. Pairing the old with the new. Like a Rosetta Stone but without all the baggage of legacy. Traditional computing crashes because it was built on layers of abstraction that assume the user can reboot, reinstall, or switch devices. Rebooting or restarting a neural implant is not a viable recovery strategy — it introduces a cascade of safety and security implications. Power cycling disrupts therapeutic stimulation schedules, may worsen glial scarring at the electrode-tissue boundary, and does nothing to reverse any neuroplastic rewiring that occurred during the failure. The implant restarts; the brain does not. Any neural pathway changes that happened while the system was compromised persist in the patient’s biology regardless of the device’s operational state. There is no “reinstall” for vision that the brain has already adapted around. Runemate is a proposed domain-specific language designed from scratch for the neural interface boundary — no inherited failure modes from systems that were never built to touch biology.

But a terminal can still come in handy for troubleshooting, so the user is always in control of the AI. If an AI is deciding what to show you through 378 points of light — compressing the entire visual world into a grid smaller than a QR code — the user needs a way to override it when something goes wrong. To say “show me more detail here” or “switch modes” or “why did you filter that out.” Not as the daily experience. As the escape hatch. The same way most people never open a terminal on their Mac, but the ones who do are the ones who actually understand what their machine is doing.

This is a security architecture question as much as a design question. The AI that compresses the visual world into phosphene patterns has enormous power over what the user perceives. If the user can’t inspect, override, or audit that AI’s decisions, they’ve traded one form of blindness for another — seeing only what an algorithm decides to show them. Art first. Terminal when you need it. The user stays in control.

White phosphenes are easier to induce — lower current thresholds, more reliable perception. That’s a design constraint that pushes toward high-contrast, monochrome aesthetics. Not because it’s a limitation, but because the physics rewards simplicity. At 378 phosphenes, every point of light has to earn its place. That’s not a terminal. That’s a canvas.

Digital Adderall, Digital Ambien

The vision pipeline isn’t the only place the dual-lens shows up. Hodak’s most commercially significant observation: non-invasive brain stimulation could deliver “a digital Ambien or like a digital Adderall” — targeting specific brain regions to induce focus or sleep without pharmaceuticals, potentially as a consumer device that does not require surgery. He frames this as an industry direction, not a Science Corp project — Hodak explicitly states “I don’t work on ultrasound.”

This is not speculative. A systematic review of 35 human transcranial focused ultrasound studies (677 subjects) found dose-dependent cognitive and mood effects with no severe adverse events. A controlled study showed 30 seconds of tFUS to the right prefrontal cortex produced mood improvement lasting 30+ minutes and measurably altered resting-state fMRI connectivity.

The difference between a digital Adderall and a neural attack is not the physics. It is consent, dosage calibration, and oversight. The same pattern. Every time.

“We Thought Neuroscience Would Teach AI. It’s Been the Other Way Around.”

One of Hodak’s most striking observations: “I can tell you 10 years ago we thought it would go the other way and that the AI people would learn a lot from neuroscience and it’s really been the other way around.”

The same cross-domain transfer applies to neurosecurity. What cybersecurity has learned about signal integrity, access control, threat modeling, and defense-in-depth applies to the BCI attack surface. QIF is the hypothesis that security engineering — built over decades for silicon systems — provides the missing implementation layer for BCI protection. The principles transfer because the underlying physics of signal processing is shared. Different substrate, same architecture.

Bio-Hybrid: The Permanent Attack Surface

Hodak’s bio-hybrid neural interfaces program is building probes that grow into the brain using living neurons. A preprint (not yet peer-reviewed) showed engrafted optogenetically-enabled neurons survived, integrated with host brain tissue, and transmitted information enabling goal-directed behavior in mice. The pitch: biological integration eliminates the foreign-body immune response that degrades conventional electrodes over time.

The security implication: a bio-hybrid implant cannot be removed without destroying the neural tissue it has integrated with. Every conventional BCI at least has a theoretical extraction path. Bio-hybrid interfaces are permanent by design. Hodak has written about this boundary since 2016, when he explored where the line between a person and their device blurs at high bandwidth. By December 2025, he put it more directly: “You could really, in a very fundamental sense, talk about redrawing the border around a brain, possibly to include four hemispheres, or a device, or a whole group of people.”

In QIF terms, this is the I0 boundary — the hardware-biology interface where silicon meets tissue. The proposed neural firewall concept sits at exactly this boundary because it is the last point where signal validation is technically possible before the signal becomes biology.

“I Worry More About Twitter”

Hodak explicitly downplays BCI security risks: he is more concerned about social media’s influence on cognition than about someone hacking a brain implant. His reasoning: current BCIs have limited bandwidth and physical access requirements, and the attack surface is small compared to the information firehose people voluntarily consume.

He is right about the current state. Today’s implanted BCIs are low-bandwidth, require surgical placement, and serve small patient populations.

He is wrong about the trajectory. The entire interview is a roadmap for making BCIs higher-bandwidth, less invasive (ultrasound), consumer-facing (digital Adderall), and permanently integrated (bio-hybrid). Every advance he describes expands the attack surface he dismisses. Denning, Matsuoka, and Kohno defined neurosecurity in 2009. Pycroft et al. cataloged brainjacking attacks against implanted stimulators in 2016. Ienca and Haselager framed neurocrime as an extension of cybercrime to neural devices that same year. A 2021 ACM survey mapped the full BCI lifecycle attack taxonomy. And Meng et al. demonstrated in 2023 that EEG-based BCIs are vulnerable to backdoor attacks via narrow-period pulse injection into training data.

This is not a criticism of Hodak’s engineering. It is an observation that the security architecture needs to be designed now, while the bandwidth is low and the patient population is small, not after consumer stimulation devices ship at scale.

What This Means

This use-case validates something about the QIF architecture: the 11-band model and the I0 boundary aren’t just security concepts. They’re the same boundaries that clinical engineering has to deal with. The I0 boundary where Neurowall sits is the same boundary where PRIMA’s encoding happens. The signal validation that prevents an attack is the same signal validation that ensures a prosthesis delivers the right stimulation.

Security and clinical safety are not separate problems at the neural interface. They’re the same problem described in different vocabularies.

That’s why a security engineer can enter this field through the backdoor and find something useful to say about clinical applications. The architecture is shared. The threat model is the safety model, inverted.

About Qinnovate

Qinnovate is an open research initiative building the security and governance layer for brain-computer interfaces. The BCI industry is moving fast — restoring vision, decoding speech, stimulating cognition. But nobody is building the security architecture at the same pace.

That is the gap Qinnovate exists to close. QIF is a proposed 11-band security model that maps the full BCI stack from physical signal integrity to governance policy. The TARA threat catalog maps 109 attack techniques across every neural band region, scored by NISS. The therapeutic overlap analysis maps where clinical applications and attack techniques share the same physical mechanisms — because the difference between treatment and threat is governance, not physics.

Every tool, dataset, and mapping is open source. Every AI contribution is documented. Every claim is classified by evidence level and held to neuromodesty constraints — because the field does not need more hype. It needs engineering.

If the next decade of neurotechnology is going to be built by companies like Science Corp and Neuralink, the security architecture needs to be built in parallel — not bolted on after the first breach. Explore the full framework.


Source: “How to Build the Future: Max Hodak” by Garry Tan (Y Combinator), published March 9, 2026. Full transcript.

Written with AI assistance (Claude). All claims verified by the author. QIF, TARA, and NISS are proposed frameworks, not validated standards. Research claims classified per evidence level: DEMONSTRATED (published, reproduced), FEASIBLE (components exist, integration pending), or THEORETICAL (architecturally sound, not yet built).


References

Science Corp / PRIMA

Neuralink

WiFi Sensing & RF Imaging

  • Geng J, et al. “DensePose From WiFi.” arXiv:2301.00250, 2023.
  • Li H, et al. “PanoRadar: Enabling Visual Recognition at Radio Frequency.” ACM MobiCom 2024. DOI: 10.1145/3636534.3649369
  • GSRF. “Complex-Valued 3D Gaussian Splatting for Efficient Radio-Frequency Data Synthesis.” Reported as NeurIPS 2025. Note: No DOI or indexed URL located at time of publication. Citation retained based on conference program reference; independent verification pending.
  • Liu J, et al. “Wireless Sensing for Human Activity: A Survey.” IEEE Communications Surveys & Tutorials 21(2):1810-1836, 2019.

Neural Encoding for Vision Prosthetics

  • de Ruyter van Steveninck J, et al. “End-to-End Optimization of Prosthetic Vision.” J Vision 22(2):20, 2022. DOI: 10.1167/jov.22.2.20
  • Granley J, Beyeler M. “Hybrid Neural Autoencoders for Stimulus Encoding in Visual and Other Sensory Neuroprostheses.” NeurIPS 2022.
  • Granley J, et al. “Human-in-the-Loop Optimization for Deep Stimulus Encoding in Visual Prostheses.” NeurIPS 2023.
  • van der Grinten M, de Ruyter van Steveninck J, et al. “Towards Biologically Plausible Phosphene Simulation for the Differentiable Optimization of Visual Cortical Prostheses.” eLife 13:e85812, 2024. DOI: 10.7554/eLife.85812
  • Elnabawy R, et al. “PVGAN: A Generative Adversarial Network for Object Simplification in Prosthetic Vision.” J Neural Engineering, 2022. PMID: 35981530

Game Engine Rendering & 3D Reconstruction

  • Kerbl B, et al. “3D Gaussian Splatting for Real-Time Radiance Field Rendering.” ACM Trans Graphics (SIGGRAPH) 42(4):139, 2023. DOI: 10.1145/3592433
  • Lin JT, et al. “BionicVisionXR: An Open-Source Virtual Reality Toolbox for Bionic Vision Research.” bioRxiv 2024.
  • Wu G, et al. “4D Gaussian Splatting for Real-Time Dynamic Scene Rendering.” CVPR 2024.

Neurostimulation & Dual-Use

  • Sanguinetti JL, et al. “Transcranial Focused Ultrasound to the Right Prefrontal Cortex Improves Mood.” Front Hum Neurosci 14:52, 2020. PMID: 32184714
  • Sarica C, et al. “Human Studies of Transcranial Ultrasound Neuromodulation: Systematic Review.” Brain Stimulation 15(3):737-746, 2022. PMID: 35533835
  • Tennison MN, Moreno JD. “Neuroscience, Ethics, and National Security.” PLoS Biol 10(3):e1001289, 2012. DOI: 10.1371/journal.pbio.1001289

BCI Security

  • Denning T, Matsuoka Y, Kohno T. “Neurosecurity: Security and Privacy for Neural Devices.” Neurosurg Focus 27(1):E7, 2009. DOI: 10.3171/2009.4.FOCUS0985
  • Pycroft L, et al. “Brainjacking: Implant Security Issues in Invasive Neuromodulation.” World Neurosurg 92:454-462, 2016. PMID: 27184896
  • Ienca M, Haselager P. “Hacking the Brain: BCI Technology and the Ethics of Neurosecurity.” Ethics Inf Technol 18(2):117-129, 2016. DOI: 10.1007/s10676-016-9398-9
  • Lopez Bernal S, et al. “Security in Brain-Computer Interfaces: State-of-the-Art.” ACM Comput Surv 54(1):1-35, 2021. DOI: 10.1145/3427376
  • Meng L, et al. “EEG-Based BCIs are Vulnerable to Backdoor Attacks.” IEEE Trans Neural Syst Rehabil Eng 31:2224-2234, 2023. PMID: 37145943

Bio-Hybrid Interfaces

  • Boufidis D, et al. “Bio-inspired Electronics: Soft, Biohybrid, and Living Neural Interfaces.” Nat Commun 16:1861, 2025. DOI: 10.1038/s41467-025-57016-0
  • Boulingre M, et al. “Biohybrid Neural Interfaces: Improving Biological Integration.” Chem Commun 59(100):14745-14758, 2023. PMID: 37991846

Neural Decoding & Plasticity

  • Willett FR, et al. “A High-Performance Speech Neuroprosthesis.” Nature 620:1031-1036, 2023. DOI: 10.1038/s41586-023-06377-x
  • Xu L, et al. “Review of Brain Encoding and Decoding Mechanisms for EEG-based BCI.” Cogn Neurodynamics 15(4):569-584, 2021. PMID: 34367361

Second Sight / Argus II

Vision Prostheses (Additional)

  • Sahel JA, et al. “Partial Recovery of Visual Function in a Blind Patient After Optogenetic Therapy.” Nature Medicine 27:1223-1229, 2021. DOI: 10.1038/s41591-021-01351-4
  • Beauchamp MS, et al. “Dynamic Stimulation of Visual Cortex Produces Form Vision in Sighted and Blind Humans.” Cell 181(4):774-783, 2020. DOI: 10.1016/j.cell.2020.04.033

Journalism & Interviews