Hackers can steal passwords by ‘reading your brainwaves’, research reveals

Researchers have discovered that it is possible to steal sensitive information by reading a person`s brainwaves. Computer scientists conducted a study looking at electroencephalograph (EEG) headsets, which are increasingly being used in the gaming sphere to let players control device play-ware with their minds. If someone playing a video game while wearing an EEG headset chooses to log into an online banking account, their brainwaves could be used to reliably guess their passwords, researchers from the University of Alabama at Birmingham (UAB) and the University of California Riverside discovered. Hackers with access to malicious software designed to read data coming from EEG headsets could discover sensitive information. The researchers asked a group of 12 individuals to type a string of randomly generated PIN numbers and passwords into a text box while wearing consumer and high-end medical grade EEG headsets. When a person does this, brainwaves are generated as the individual thinks about the password and then coordinates their hand, eye and head muscle movements to type on a keyboard and move the mouse on the screen to click on the text box, the study revealed. These neural signals are captured by the EEG headset as data, and the researchers found that once a user had entered 200 characters using a physical keyboard, computer algorithms were able to guess four-digit PIN numbers with a 46.5 per cent success rate, while six-character passwords could be guessed with a 37.3 per cent success rate. When they carried out the same test with a virtual keyboard, the computer algorithms were able to predict four-digit PIN numbers with a 43.4 per cent success rate, while tests on a virtual keyboard similar to a smartphone`s keypad or an ATM machine`s keypad showed a 47.5 per cent correctly predicting four-digit PIN numbers. Their results are published in an open access paper entitled PEEP: Passively Eavesdropping Private Input via Brainwave Signals that was presented at the 21st Financial Cryptography and Data Security 2017 conference in Malta in April. “In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break,” said Dr Nitesh Saxena, an associate professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences, who co-authored the paper. “Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices. “It is important to analyse the potential security and privacy risks associated with this emerging technology to raise users` awareness of the risks and develop viable solutions to malicious attacks.”