By Heather Hamilton, contributing writer
Brainwave-sensing headsets may be used to unveil your password, according to a study by a team of researchers at the University of Alabama at Birmingham. The headsets, known as electroencephalograph headsets, are essentially portable EEG machines used to measure electrical activity in the brain. The headsets have been increasingly used in consumer-centric solutions, such as to control video games and robotic toys, but their security is so lax that the brainwaves may be monitored. The good news is that there are very few on the market, meaning that there’s ample opportunity for improvement before they reach the mainstream.
Nitesh Saxena, associate professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences, said in an interview on Phys.org: “These emerging devices open immense opportunities for everyday users. However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology.”
Saxena, together with Ph.D. student Ajaya Neupane and former master’s student Md Lutfor Rahman, compared an EEG headset easily available to consumers online to one clinical-grade EEG device used in scientific research and demonstrated how the software program might capture and use brainwaves. When a user is typing, their visual processing, hand, eye, and head muscle movements are captured by the EEG headset.
To conduct the research, the team had 12 people wearing EEG headsets type a series of PINs and passwords into text boxes as though they were logging into an account. Saxena explains: “In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites.”
The malicious software program could make educated guesses about new characters entered by the user after the user entered only 200 characters, based on the EEG data record. The algorithm shortened the odds of guessing a four-digit numerical PIN from one in 10,000 to one in 20 and increased the chance of guessing a password containing six letters from one in 500,000 to one in 500.
“Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices,” explained Saxena. “It is important to analyze the potential security and privacy risks associated with this emerging technology to raise users’ awareness of the risks and develop viable solutions to malicious attacks.”
In an article from MIT Technology Review, he continued: “I would say it’s a risk for today’s devices, and with more advanced devices, much more could be done in the future. People need to think through the privacy and security models of these interfaces.”
Saxena and his team suggest inserting noise whenever a user types in a PIN or password if wearing an EEG headset.
Source: MIT Technology Review, Nitesh Saxena, PEEP study, The Independent Daily Edition, Phys.org
Image Source: Wikimedia Commons
Learn more about Electronic Products Magazine