Scientists have warned that hackers can steal a user’s passwords by monitoring their thoughts. Researchers, including those of Indian origin, at the University of Alabama at Birmingham in the US have suggested that brainwave-sensing headsets require better security.
The Electroencephalograph (EEG) headsets let users control video games and robotic toys with the mind. A person who paused a video game and logged into his bank account while wearing an EEG headset was prone to have his passwords or other sensitive data stolen by a malicious software programme, researchers found.
“These emerging devices open immense opportunities for everyday users,” said Nitesh Saxena, associate professor from University of Alabama.
“However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology,” said Saxena.
The team also included an PhD student named Ajaya Neupane. For the study, researchers used one EEG headset which is currently available to consumers online and one clinical-grade headset used for scientific research to demonstrate how easily a malicious software programme could passively eavesdrop on a user’s brainwaves.
While typing, a user’s inputs correspond with their visual processing, as well as hand, eye and head muscle movements. EEG headsets capture all these movements.
12 people were asked to type a series of randomly generated PINs and passwords into a text box as if they were logging into an online account while wearing an EEG headset, in order for the software to train itself on the user’s typing and the corresponding brainwave.
“In a real-world attack, a hacker could facilitate the training step required for the malicious programme to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites,” Saxena said.
The team found that, after a user entered 200 characters, algorithms within the malicious software programme could make educated guesses about new characters the user entered by monitoring the EEG data recorded.
The algorithm was able to shorten the odds of a hacker’s guessing a four-digit numerical PIN from one in 10,000 to one in 20 and increased the chance of guessing a six-letter password from about 500,000 to roughly one in 500.
“Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices,” Saxena said.
“It is important to analyse the potential security and privacy risks associated with this emerging technology to raise users’ awareness of the risks and develop viable solutions to malicious attacks,” he said.
(With inputs from PTI)