A study presented at the recent Usenix conference demonstrated how it is possible to get private information from the brains of people who use commercial brain-computer interfaces – like NeuroSky and Emotiv.
These headsets are designed for gamers and are cheaper, less accurate versions of EEG devices – used by scientists to read the electrical activity of the brain by attaching electrodes to the surface of the scalp.
The new study, titled ‘On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces’ (available online as a pdf), took advantage of a reliable brain signal called the P300.
The P300 reflects the brain’s categorisation of something as relevant, important or meaningful. If you’re shown a series of photo portraits, for example, the P300 will kick in when you see photos of people you recognise but not when you see strangers.
One form of the not-very-reliable EEG ‘lie detector’ is based on this principle. Called the Guilty Knowledge Test, the idea is that the police would show you photos of the crime scene, and if you had actually been there, your P300 would kick in.
This new study was based on a similar principle. The researchers ran various experiments based on the same idea: they’d ask a question to make sure the key information was at the forefront of the study participant’s mind, and then they’d fire a bunch of information at the volunteer to pick out which was most associated with the P300.
For example, in one experiment participants were told they would have to type the first digit of their newly acquired PIN into the computer, but before this happened, the volunteers were shown a series of single digits, while the software recorded which numerals were most associated with the P300.
In another, the P300 was recorded while participants were shown pictures of branded credit cards and bank machines. Another experiment asked participants to think of their month of birth before showing them all the options, while another flashed up maps of the local area to determine their approximate home address.
You can see how the researchers were angling to get the equivalent of essential account details out of the volunteers.
Although the set-up was a little artificial, the researchers note that this sort of unconscious personal detail dredging could be incorporated into a game-like activity, so people would be unaware of what was really happening.
The test was a success scientifically, in that the key information was identified more often than chance, but fraudsters are unlikely to be eschewing email hacking for NeuroSky pwning anytime soon. The hit rate was about 10-20%.
Nevertheless, as a demonstration of ‘hacking brain wave data from commercial gaming equipment to get personal information’, you have to take your hat off to the research team.
Even more interesting, perhaps, is the increasing trend for security technology to move towards the interface between mind and machine.
Another study presented at the same conference showed how people could input ‘passwords’ into a system without any conscious knowledge of the password.
The idea relies on implicit learning – which is where you learn connections between things without having any conscious knowledge of doing so.
For example, when playing a computer game like Guitar Hero or Dance Dance Revolution, the same short sequence of moves might come up several times but you might not be aware of it, because they would be embedded within a larger sequence.
However, simply by having encountered the sequence before you will do better the second time – because you have practised the response – even if you have no conscious memory of it.
For each user, this new study embedded a newly generated ‘password of moves’ several times into a longer sequence and made sure they were well practised. Later, the software could identify each user by spitting out those moves again and checking the performance to see if they’d been encountered before. The participants were unaware of anything except that they were playing a game.
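To make the login step concrete, here is an added simulation of that idea; it is not the study’s own code. It assumes a six-key rhythm-game layout, a 100-move secret, and that a practised sequence is played with a 5% error rate against 30% on an unpractised one; the verifier replays the secret among fresh decoys and accepts only if the player is measurably better on the secret.

```python
import random

# Constructed simulation of the implicit-learning login scheme described above.
# Assumptions (not from the study): six rhythm-game keys, a 100-move secret,
# and a 5% error rate on a practised sequence versus 30% on an unpractised one.
MOVES = "sdfjkl"


def random_sequence(length, rng):
    """A sequence of moves drawn uniformly from the six keys."""
    return "".join(rng.choice(MOVES) for _ in range(length))


def make_player(known_secret, p_err_trained=0.05, p_err_untrained=0.30):
    """Model a user as a function from a sequence to the number of hits.

    Only the sequence this user has implicitly learned is played with the
    lower error rate; every other sequence looks unpractised."""
    def play(sequence, rng):
        p_err = p_err_trained if sequence == known_secret else p_err_untrained
        return sum(1 for _ in sequence if rng.random() >= p_err)
    return play


def authenticate(secret, play, rng, n_decoys=5, threshold=0.15):
    """Replay the secret among decoys of equal length, in shuffled order so the
    presentation itself reveals nothing; accept only if accuracy on the secret
    beats the mean decoy accuracy by the threshold."""
    decoys = [random_sequence(len(secret), rng) for _ in range(n_decoys)]
    trials = decoys + [secret]
    rng.shuffle(trials)
    accuracy = {seq: play(seq, rng) / len(seq) for seq in trials}
    decoy_acc = sum(accuracy[d] for d in decoys) / n_decoys
    return accuracy[secret] - decoy_acc >= threshold


def acceptance_rate(is_legit, trials=200, seed=1):
    """Fraction of login attempts accepted for a legitimate user (who practised
    the secret) or an impostor (who practised an unrelated sequence)."""
    rng = random.Random(seed)
    secret = random_sequence(100, rng)
    player = make_player(secret if is_legit else random_sequence(100, rng))
    return sum(authenticate(secret, player, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("legitimate user accepted:", acceptance_rate(True))
    print("impostor accepted:", acceptance_rate(False))
```

Because the decision rests on a performance gap rather than on recall, a user who never consciously saw the secret can still pass, and an impostor who knows the game but not the trained sequence should not.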
Looking at the bigger picture, the fact that computer security could rely on the fine detail of how the brain works could open up a whole new arena of security vulnerabilities.
Perhaps you could be covertly trained to enter someone else’s security details, or perhaps that last game you played actually trained you to leak your login details in another activity – all of which may be completely unnoticeable to your conscious mind.
Black hat neuroscientists may suddenly become very concerned with how these automatic effects could be influenced in very specific, and of course, very lucrative, ways.
Link to study on brain-based personal details hacking (via BoingBoing)
Link to unconscious password study.