Could hackers tune into your brainwaves and steal your passwords?
While the widespread use of devices that monitor brainwaves might sound like a long way off, key figures like Elon Musk are investing big time and money in making them a reality. With one eye on this future, scientists have carried out a study to find out whether these things can be hacked and the brainwaves interpreted to decipher a password, with the findings suggesting that it is in fact entirely possible.
Today these kinds of devices take the form of electroencephalograph (EEG) headsets, with a few consumer options floating around, or more complicated versions for research purposes in the lab. But they won't always look that way, with scientists already chipping away at much more discreet solutions that resemble nothing more than sand-sized sensors inside your brain.
Whether inside the brain or out, these devices all work by measuring electrical signals coming from the brain as it goes about certain activities, converting those readings into input commands for a variety of applications, including drones, wheelchairs and prosthetic limbs.
This capability led scientists at the University of Alabama at Birmingham (UAB) to ponder how those readings could be used for nefarious purposes. So they conducted a study where 12 subjects were fitted with either a currently available EEG headset or a clinical-grade version, and were asked to enter a series of random PIN codes and passwords into a text box, simulating the act of logging into an online account.
The researchers then had a malicious software program train itself by taking cues from the user's typing and corresponding brainwaves. They found that after the user had entered around 200 characters, the software could make smarter guesses about the characters being entered based on nothing other than the corresponding brainwaves it had picked up.
So much so, that the odds of it guessing a four-digit PIN were shortened from one in 10,000 to one in 20. The chances of guessing a six-letter password were shortened from around one in 500,000 to around one in 500. The researchers say these results indicate that greater security is needed for these devices as they become more commonplace. One suggestion they have is the insertion of noise to drown out the brainwaves whenever a user is made to enter a PIN or a password.
"Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices," says Nitesh Saxena, associate professor at UAB and leader of the research. "It is important to analyze the potential security and privacy risks associated with this emerging technology to raise users' awareness of the risks and develop viable solutions to malicious attacks."
The research paper can be accessed online.