Hacking the Brain using EEG

The security risks of consumer-grade brain-computer interface (BCI) devices have never been studied, and the impact of malicious software with access to such a device is unexplored. Researchers have taken a first step in studying the security implications of these devices and demonstrated that this upcoming technology could be turned against users to reveal their private and secret information. They used inexpensive electroencephalography (EEG)-based BCI devices to test the feasibility of simple yet effective attacks. The captured EEG signal could reveal the user’s private information about bank cards, PIN numbers, area of living, and knowledge of known persons. This is the first attempt to study the security implications of consumer-grade BCI devices. They showed that the entropy of the private information is decreased on average by approximately 15%–40% compared to random guessing attacks!
The study “On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces” was conducted by Ivan Martinovic, Doug Davies, Mario Frank, Daniele Perito, Tomas Ros, and Dawn Song. The authors point out that it is just such a commercial off-the-shelf brain-computer interface, costing a few hundred dollars, that can run the brain-hacking show. The researchers, who are from the universities of Oxford and Geneva and the University of California, Berkeley, tested their mind-reading program using an Emotiv EEG device on 28 participants. After examining the devices’ security implications, they concluded that the technology can be turned against people to reveal information the victims assume is secret. In a number of experiments, they showed the feasibility of using a cheap consumer-level BCI gaming device to partially reveal users’ private information. By analyzing EEG signals in their experiments, they were able to detect which of the presented stimuli were related to the user’s private information: credit cards, PIN numbers, persons known to the user, and the user’s residence.