Researchers were able to glean sensitive personal information such as PIN numbers and credit card data from the brainwaves of people wearing headsets that allow users to control computer applications with their minds.
“The [Emotiv EPOC] headset,” which has been around since 2010, “reads brain activity related to facial movements, and uses this to infer your emotional state and intentions. This is then translated in software to control various applications, from games to photo viewers to an on-screen keyboard.” Some applications are capable of controlling remote objects, such as wheelchairs, and potentially even aerial drones.
The security researchers from Oxford, UC Berkeley and the University of Geneva claim they were able to use applications they developed to determine “PIN numbers, birth months, areas of residence,” and other personal information by showing headset-clad test subjects images of “ATM machines, debit cards, maps, people, and random numbers in a series of experiments.”
“The correct answer was found by the first guess in 20% of the cases for the experiment with the PIN, the debit cards, people, and the ATM machine,” the researchers wrote. “The location was exactly guessed for 30% of users, month of birth for almost 60% and the bank based on the ATM machines for almost 30%.”
The researchers envision a scenario in which a malicious attacker could write “brain spyware” that harvests private information from the user.
—Posted by Alexander Reed Kelly.
“We simulated a scenario where someone writes a malicious app, the user downloads it and trusts the app, and actively supports all the calibration steps of the device to make the software work,” said Frank. In these seemingly innocuous calibration steps, which are standard for most games and other applications using the headsets, there could be the potential to harvest personal information.
“We realized that these devices are becoming increasingly popular — maybe in five, 10 years, it’s very likely that many households will have one,” Frank said. “At the same time, you can use all kinds of third-party apps for these devices. In this setting, as security researchers, we identified that there is a potential to make some bad stuff, to turn this technology against the user.” He said, however, that there was no immediate threat in using the devices. But the experiments devised by the researchers point to the devices’ darker potential.
Photo: The Emotiv EPOC headset. Credit: br1dotcom (CC BY 2.0)