Posted Tuesday, Aug. 28, 2012, at 10:01 AM
A woman watches a commercial film while wearing an EEG headset in 2008. Off-the-shelf versions of these devices may now be capable of extracting private information from the user's mind.
Photo by Yoshikazu Tsuno/AFP/Getty Images
In recent years, advances in electroencephalography, or EEG, have led to devices like Emotiv's neuroheadset, a $300 toy that can tap into your brain waves to let you play a computer game with your mind. That is very cool. But wait—could there be any privacy or security risks here?
That's the question that a team of researchers from Oxford, UC-Berkeley, and the University of Geneva asked in a new paper, which they published online here. Their answer: You bet there could.
The researchers asked students to don Emotiv headsets, then flashed images of things like ATM machines, bank cards, maps, and people's faces on a screen and watched to see which ones sparked flickers of attention in their brains. From that information, the researchers were able to correctly guess the users' bank and PIN numbers on the first try about 20 percent of the time. They correctly guessed the students' birth months 60 percent of the time.
That's far from perfect, of course—but it's also a lot better than random chance. In short, the researchers showed that even some of the cheapest commercially available brain scanners could help criminals extract private information from users.
Don't panic just yet, though. Before cybercrooks can hack your mind, they have to get you to wear the headset. And unless they trick you, you'd probably know an attack was occurring if you started seeing a bunch of random PIN numbers flash on your screen while hooked up to the gizmo.
The researchers suggest that hackers' most likely tactic would be subterfuge of some sort, such as displaying the stimuli in a relatively unobtrusive way in the course of what otherwise appears to be an everyday program, such as a game or quiz. Given that the API for most of these devices is open, the researchers add ominously in the paper's last sentence, "the development of new attacks can be achieved with relative ease and is only limited by the attacker’s own creativity.”