Researchers Hack Brainwaves to Reveal PIN Numbers, Other Personal Data

Eugen Leitl eugen at leitl.org
Thu Aug 30 07:09:04 PDT 2012


http://www.wired.com/threatlevel/2012/08/brainwave-hacking/?utm_source=twitter&utm_medium=socialmedia&utm_campaign=twitterclickthru


Threat Level

By Geeta Dayal, 08.29.12 7:58 PM

The "developer edition" of the Emotiv Epoc headset, if you think you can
handle it. Photo: drbakker/Flickr

Don't you dare even think about your banking account password when you slap
on those fancy new brainwave headsets.

Or at least that seems to be the lesson of a new study which found that
sensitive personal information, such as PIN numbers and credit card data, can
be gleaned from the brainwave data of users wearing popular consumer-grade
EEG headsets.

A team of security researchers from Oxford, UC Berkeley, and the University
of Geneva say that they were able to deduce digits of PIN numbers, birth
months, areas of residence and other personal information by presenting 30
headset-wearing subjects with images of ATM machines, debit cards, maps,
people, and random numbers in a series of experiments. The paper, titled "On
the Feasibility of Side-Channel Attacks with Brain Computer Interfaces,"
represents the first major attempt to uncover potential security risks in the
use of the headsets.

"The correct answer was found by the first guess in 20% of the cases for the
experiment with the PIN, the debit cards, people, and the ATM machine," write
the researchers. "The location was exactly guessed for 30% of users, month of
birth for almost 60% and the bank based on the ATM machines for almost 30%."

To detect the first digit of the PIN, researchers presented the subjects with
numbers from 0 to 9, flashing on the screen in random order, one by one. Each
number was repeated 16 times, over a total duration of 90 seconds. The
subjects' brainwaves were monitored for telltale peaks that would rat them
out.
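The digit experiment works because an app that controls the stimuli and reads the raw signal can average the epochs that follow each flash, and the evoked response that is buried in noise on any single trial surfaces after 16 repetitions. The simulation below is an added illustration written for this post, not code from the researchers; the sampling rate, noise level and response amplitude are constructed values, and the scoring is a plain window average rather than the classifier the paper uses.

```python
import random
from statistics import mean

# Constructed simulation parameters (not from the paper): 100 Hz sampling,
# 600 ms epochs after each flash, evoked bump 300-400 ms after the stimulus.
SAMPLE_RATE_HZ = 100
EPOCH_SAMPLES = 60
P300_WINDOW = range(30, 40)          # samples covering 300..399 ms post-stimulus
NOISE_UV = 6.0                       # per-sample background EEG noise (std dev)
P300_UV = 4.0                        # evoked response when the flashed digit matters


def simulate_epoch(rng, is_target):
    """One 600 ms epoch of synthetic EEG following a single digit flash."""
    epoch = [rng.gauss(0.0, NOISE_UV) for _ in range(EPOCH_SAMPLES)]
    if is_target:                    # the response is smaller than the noise,
        for i in P300_WINDOW:        # so one trial alone does not reveal it
            epoch[i] += P300_UV
    return epoch


def simulate_session(target_digit, repetitions, seed=2012):
    """Flash digits 0-9 in random order, `repetitions` times each."""
    rng = random.Random(seed)
    epochs = {d: [] for d in range(10)}
    order = [d for d in range(10) for _ in range(repetitions)]
    rng.shuffle(order)
    for d in order:
        epochs[d].append(simulate_epoch(rng, d == target_digit))
    return epochs


def erp_score(epochs):
    """Average the epochs sample by sample, then take the mean inside the window.

    Averaging n epochs shrinks the noise by sqrt(n) while the evoked
    response, time-locked to the flash, is preserved."""
    n = len(epochs)
    averaged = [sum(e[i] for e in epochs) / n for i in range(EPOCH_SAMPLES)]
    return mean(averaged[i] for i in P300_WINDOW)


def rank_digits(epochs_by_digit):
    """Digits ordered by evidence; the first entry is the 'first guess'."""
    scores = {d: erp_score(eps) for d, eps in epochs_by_digit.items()}
    return sorted(scores, key=scores.get, reverse=True), scores


def guess_margin(target_digit, repetitions, seed=2012):
    """First guess plus the score gap between the true digit and the best wrong one."""
    ranking, scores = rank_digits(simulate_session(target_digit, repetitions, seed))
    best_wrong = max(s for d, s in scores.items() if d != target_digit)
    return ranking[0], scores[target_digit] - best_wrong
```

Calling `guess_margin(7, 16)` versus `guess_margin(7, 1)` shows the point: the same per-trial signal that is hopeless in one flash becomes a clear winner once the app is allowed to repeat the stimulus and keep the raw samples.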

The EEG headsets, made by companies such as Emotiv Systems and NeuroSky, have
become increasingly popular for gaming and other applications. For the study,
the researchers used the Emotiv Epoc Neuroheadset, which retails for $299.

The researchers (Ivan Martinovic of Oxford University; Doug Davies, Mario
Frank, Daniele Perito, and Dawn Song of UC Berkeley; and Tomas Ros of the
University of Geneva) analyzed P300 peaks, an important component of
event-related potentials: electrical potentials that occur after the user
is presented with a stimulus.

The P300 "occurs approximately 300 milliseconds after an event happens," said
Frank, a postdoctoral researcher at Berkeley, in a phone interview with
Wired. "The potential arises if you already prime your thoughts toward a
particular event... An attacker could try to prime the thoughts of the victim
towards a particular secret that a victim has in mind. For instance, if you
know the face of some person, you might be able to observe a brainwave
pattern that is evidence of the user thinking about the face."

"Brain Spyware"

Emotiv and NeuroSky both have bapp stores,b where users of the devices can
download third-party applications. The applications use a common API for
access to the EEG device.

"In the case of the EEG devices, this API provides unrestricted access to the
raw EEG signal," write the researchers. "Furthermore, such applications have
complete control over the stimuli that can be presented to the users."

The researchers envision a scenario in which a potential malicious attacker
could write "brain spyware" to harvest private information from the user,
which could be legitimately downloaded as an app.

"We simulated a scenario where someone writes a malicious app, the user
downloads it and trusts the app, and actively supports all the calibration
steps of the device to make the software work," said Frank. In these
seemingly innocuous calibration steps, which are standard for most games and
other applications using the headsets, there could be the potential to
harvest personal information.

"We realized that these devices are becoming increasingly popular; maybe in
five, 10 years, it's very likely that many households will have one," Frank
said. "At the same time, you can use all kinds of third-party apps for these
devices. In this setting, as security researchers, we identified that there
is a potential to make some bad stuff, to turn this technology against the
user." He said, however, that there was no immediate threat in using the
devices. But the experiments devised by the researchers point to the devices'
darker potential.

"The simplicity of our experiments suggests the possibility of more
sophisticated attacks," write the researchers, warning that "with the
ever-increasing quality of devices, success rate of attacks will likely
improve."

Geeta Dayal is a staff writer at Wired, based in San Francisco. She is the
author of Another Green World, a recent book on Brian Eno.
