By tapping into brainwaves recorded by an EEG headset, hackers could potentially glean patterns and steal a person's passwords. Photo by Sebastian Kahnert/European Pressphoto Agency
July 3 (UPI) -- Hackers could tap into your brainwaves to steal sensitive passwords,warn researchers at the University of Alabama, Birmingham.
A new study suggests EEG headsets, the set of electrodes that records brain activity, are hackable. By observing a person's brainwaves as their surf the internet, hackers could glean neural patterns and successfully guess a user's password.
Though EEG headsets are mostly used in research, there are now several models on the open market, mostly advertised to video and computer game players. EEGs can tap into a person's brain power to remotely control robotic toys and video games.
Observing an EEG-wearer as he or she plays video games may not be all that worthwhile for hackers. But what if a user takes a break from gameplay to surf the web? And what if that person then logins into their online banking account?
"We do believe that this is going to be a real problem in the future as more and more of these BCI [brain-computer interface] devices get deployed for gaming and other day to day applications," Nitesh Saxena, an associate professor of computer and information sciences at UAB, told UPI via email. "The hacking scenario could involve such a switching between the gaming application and a website login."
"Many people already use these headsets for gaming purposes and they could be logging into different websites while wearing these," Saxena added.
Saxena and his colleagues conducted a proof-of-concept study to demonstrate the risks. The computer scientists had study participants type several randomly generated PINs and passwords on a keyboard while wearing an EEG headset. Software was then used to analyze each user's brainwaves as they typed the passwords.
Saxena says hackers could replicate this training stage of their experiment by having a user type in a series of numbers to restart a paused game, similar to how some websites use the text replication system known as CAPTCHA to distinguish between humans and bots.
Record users typing in random text enough times and computer algorithms can link letters to brainwaves, allowing the software to guess a user's password based on brain activity.
The software developed by Saxena and his colleagues was able to learn sufficient patterns after study participants had typed 200 characters.
"The algorithm was able to shorten the odds of a hacker's guessing a four-digit numerical PIN from one in 10,000 to one in 20 and increased the chance of guessing a six-letter password from about 500,000 to roughly one in 500," scientists confirmed in a news release.
Researchers say the security risk could be fixed by designing EEG headsets to emit obscuring electronic noise, disguising brainwaves, while users type in codes or passwords.