Brainwave sensing headsets are becoming increasingly popular to control robotic toys and video games using just your mind, but tech experts fear that this new technology might make people vulnerable to password theft.
Researchers from the University of Alabama at Birmingham have conducted a study (currently in press) on these gadgets, also known as electroencephalograph (EEG) headsets, and showed that they can be used to work out a user's password if the user is wearing one while doing something like online banking.
An EEG headset tracks the user’s visual processes and hand movements, so the researchers had 12 volunteers type a series of randomly generated PINs and passwords while wearing the headset. The team then used an algorithm to see if they could guess what the users were typing.
The software needed only 200 characters to start making an educated guess and was able to sharply narrow the set of characters the user could have typed. The odds of guessing a four-digit numerical PIN went from one in 10,000 to one in 20, and the chances of guessing a six-letter password went from about one in 500,000 to one in 500.
"In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate," co-author Professor Nitesh Saxena said in a statement, "by requesting that the user enters a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites.
"These emerging devices open immense opportunities for everyday users. However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology."
EEG headsets have been used in medicine for over 50 years to study the brain without having to pry the skull open. More recently, they have also been used to help people with disabilities interact with helpful tech. As these EEG headsets become cheaper, it's only natural that they may be used in popular gadgets.
"Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices," Saxena added. "It is important to analyze the potential security and privacy risks associated with this emerging technology to raise users' awareness of the risks and develop viable solutions to malicious attacks."
The researchers are looking at ways to make the EEG more secure, such as adding noise to the signals while the user is typing.