Headsets designed to allow players to control video games and robotic toys using their brains may also allow hackers to guess at passwords by monitoring players' brainwaves, according to researchers from the University of Alabama at Birmingham.
With only a handful of EEG (electroencephalograph) headsets on the market, researchers are calling for improved methods of securing the devices.
“These emerging devices open immense opportunities for everyday users," said Nitesh Saxena, Ph.D., associate professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences. "However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology."
To demonstrate how easily a hacker can use software to “eavesdrop” on a user’s brainwaves, researchers focused on the movements of 12 participants entering random PINs and passwords into a text box while outfitted with the two different types of headsets — one clinical grade and used for scientific research, the other meant for consumers.
Because the user’s typing inputs correspond with their visual processing in addition to the other related movements (hand, eye and head), researchers captured information concerning all of these movements using the headsets.
"In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites," Saxena said.
Although the use of EEG headsets is not yet widespread, researchers anticipate the technology to eventually become increasingly popular, particularly in the entertainment and gaming industries.
"Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices," Saxena said. "It is important to analyze the potential security and privacy risks associated with this emerging technology to raise users' awareness of the risks and develop viable solutions to malicious attacks."
For now, researchers recommend inserting noise whenever a user needs to type in a PIN or password while outfitted with an EEG set as one possible solution.