By Geeta Dayal... via Wired.com
Don’t you dare even think about your banking account password when you slap on those fancy new brainwave headsets.
Or at least that seems to be the lesson of a new study which found that sensitive personal information, such as PIN numbers and credit card data, can be gleaned from the brainwave data of users wearing popular consumer-grade EEG headsets.
A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal information by presenting 30 headset-wearing subjects with images of ATM machines, debit cards, maps, people, and random numbers in a series of experiments. The paper, titled “On the Feasibility of Side-Channel Attacks with Brain Computer Interfaces,” represents the first major attempt to uncover potential security risks in the use of the headsets.
“The correct answer was found by the first guess in 20% of the cases for the experiment with the PIN, the debit cards, people, and the ATM machine,” write the researchers. “The location was exactly guessed for 30% of users, month of birth for almost 60% and the bank based on the ATM machines for almost 30%.”
To detect the first digit of the PIN, researchers presented the subjects with numbers from 0 to 9, flashing on the screen in random order, one by one. Each number was repeated 16 times, over a total duration of 90 seconds. The subjects’ brainwaves were monitored for telltale peaks that would rat them out.
The EEG headsets, made by companies such as Emotiv Systems and NeuroSky, have become increasingly popular for gaming and other applications. For the study, the researchers used the Emotiv Epoc Neuroheadset, which retails for $299.
The researchers — Ivan Martinovic of Oxford University; Doug Davies, Mario Frank, Daniele Perito, and Dawn Song of UC Berkeley; and Tomas Ros of the University of Geneva — analyzed P300 peaks, an important component of event-related potentials — electrical potentials that happen after the user is presented with a stimulus.
The P300 “occurs approximately 300 milliseconds after an event happens,” said Frank, a postdoctoral researcher at Berkeley, in a phone interview with Wired. “The potential arises if you already prime your thoughts toward a particular event…. An attacker could try to prime the thoughts of the victim towards a particular secret that a victim has in mind. For instance, if you know the face of some person, you might be able to observe a brainwave pattern that is evidence of the user thinking about the face.”