Researchers have demonstrated how a headset which uses your brain power to control other devices can be turned against you to grab passwords and PIN numbers.
According to MIT Technology Review, the $800 Epoc+ headset, designed by Emotiv, is meant to translate your brain’s EEG (electroencephalography) signals into commands for gadgets and PC systems.
However, a new study conducted by Nitesh Saxena, University of Alabama associate professor, demonstrates how this kind of fledgling technology can also be used for more nefarious ends.
The study asked participants to wear the headset while typing random passwords and PIN numbers into a computer.
These activities were designed to train the researcher’s system to recognize EEG activity levels. After watching a participant for only 200 characters, the AI was able to accurately guess which letters were being typed based on brain waves.
While each guess was not perfect, the rates were still rather impressive.
The odds of the researcher’s AI guessing a four-digit random PIN number went from approximately 1 in 10,000 to 1 in 20, and the odds of guessing a six-letter password came to 1 in 500.
The researcher says the results are significant as the Epoc+ headset is still in its infancy, and as technology improves, it is feasible that one day, cybercriminals — potentially taking advantage of games which require inputting numbers and letters — could use such technology to capture victim brainwaves.
As an example, a gamer pausing their session to log in to social media, email, or online banking accounts could have their input hijacked by an attacker tuned into their brain waves, who could then either guess these passwords or improve the success of brute-force attacks.
Speaking to the publication, Saxena said that the headset represents a “risk for today’s devices, and with more advanced devices much more could be done in future.”
“People need to think through the privacy and security models of these interfaces,” the professor added.
Emotiv hit back at the study, claiming that such an attack would be impractical for threat actors to take advantage of. However, IOActive security researcher Alejandro Hernández told the publication that the attack is “100 percent feasible.”
Researchers from the University of Washington have already demonstrated how games with subliminal images can change an individual’s brain waves, which are then ripe for recording by an EEG headset for use in phishing campaigns.