[Image: Emotiv EPOC EEG headset. EEG headsets that let you control computers with your mind are an exciting technology, but computer scientists say hackers could read your brainwaves to steal sensitive data. Photo: Emotiv]

If you thought your password was safe in your brain, think again. Researchers have shown that sensitive input, such as a PIN or password, can be inferred from the brainwave signals recorded while a person types it.

Computer scientists from the University of Alabama at Birmingham (UAB) and the University of California, Riverside studied electroencephalography (EEG) headsets, which are increasingly being used in gaming to let players control games with their minds.

The researchers showed that if a user playing a video game with an EEG headset paused the game and logged into their online banking account while still wearing the headset, the brainwave data recorded during the login could be used to guess their PIN or password with a success rate far above chance.

So a hacker with malicious software that reads the data stream coming from an EEG headset (essentially a keylogger for brainwaves) could quietly collect that data and recover sensitive input from it. Nothing needs to be injected into the banking session itself; the headset's own output is the side channel.

Analysing brainwaves

The computer scientists asked a group of 12 individuals to type randomly generated PINs and passwords into a text box while wearing consumer EEG headsets and high-end, medical-grade EEG headsets.

While a person does this, brainwaves are generated as they think about the password and coordinate the hand, eye and head movements needed to type on the keyboard and to move the mouse and click on the text box on screen.

The EEG headset captures these neural signals as data. The attack needs a training phase on input with known labels: once the algorithms had been trained on about 200 characters the user had entered on a physical keyboard, they could guess four-digit PINs with a 46.5% success rate (against 1 in 10,000 by random guessing) and six-character passwords with a 37.3% success rate.

When the same test was carried out with a virtual keyboard, the algorithms predicted four-digit PINs with a 43.4% success rate, and on a virtual keypad laid out like a smartphone's or an ATM's they predicted four-digit PINs with a 47.5% success rate.

Their results are published in an open-access paper entitled "PEEP: Passively Eavesdropping Private Input via Brainwave Signals", which was presented at the 21st Financial Cryptography and Data Security conference (FC 2017) in Malta in April 2017.
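The pipeline the preceding paragraphs describe, a supervised training phase on keystrokes whose labels the attacker knows, followed by classification of unseen keystrokes, in a toy Python model. This is an added illustration, not code from the PEEP paper or from the UAB or UC Riverside teams: the "EEG" windows are synthetic signals constructed here (a digit-dependent tone plus Gaussian noise), and the window length, the features (log power per DFT bin) and the nearest-centroid classifier are assumptions chosen for clarity. The accuracies it prints say nothing about the paper's figures; what it shows is the structure of the attack, and why a short phase of known-label input is all the eavesdropper needs.

```python
"""Toy model of a PEEP-style attack: learn which signal pattern goes with which
typed digit from a known-label phase, then guess an unseen 4-digit PIN.
Every 'EEG' window below is synthetic and constructed for this example; it is
not real brainwave data, and the accuracies say nothing about the real study."""
import cmath
import math
import random

N = 64              # samples per keystroke window (assumed window length)
DIGITS = "0123456789"


def synth_window(digit, rng):
    """Constructed signal: a shared background tone in DFT bin 3, a tone whose
    bin (5 + digit) depends on the key pressed, and Gaussian noise.
    Real EEG is far noisier; the point is the pipeline, not the signal model."""
    d = int(digit)
    phase = rng.uniform(0, 2 * math.pi)
    return [math.sin(2 * math.pi * 3 * n / N)
            + math.sin(2 * math.pi * (5 + d) * n / N + phase)
            + rng.gauss(0, 0.5)
            for n in range(N)]


def band_powers(window):
    """Feature vector: log power in DFT bins 1..N/2-1 (naive DFT, no numpy)."""
    feats = []
    for k in range(1, N // 2):
        x = sum(window[n] * cmath.exp(-2j * math.pi * k * n / N) for n in range(N))
        feats.append(math.log(abs(x) ** 2 + 1e-9))
    return feats


def train(rng, windows_per_digit=20):
    """Training phase: the attacker obtains windows with known labels (for
    instance by making the user type a fixed digit string, as the article's
    CAPTCHA-style prompt does) and keeps one feature centroid per digit."""
    model = {}
    for d in DIGITS:
        feats = [band_powers(synth_window(d, rng)) for _ in range(windows_per_digit)]
        model[d] = [sum(col) / len(col) for col in zip(*feats)]
    return model


def rank_digits(model, window):
    """Digits ordered from most to least likely for one keystroke window
    (nearest centroid first). A real attacker would walk this list as a
    guess order rather than stopping at the top-1 prediction."""
    f = band_powers(window)
    dist = {d: math.dist(f, c) for d, c in model.items()}
    return sorted(DIGITS, key=dist.get)


def predict_pin(model, windows):
    """Top-1 guess for each keystroke window, concatenated."""
    return "".join(rank_digits(model, w)[0] for w in windows)


def evaluate(model, rng, trials=50):
    """Attack phase on unseen PINs: per-digit accuracy and the fraction of
    whole PINs recovered with one top-1 guess per position."""
    digit_hits = pin_hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(4))
        guess = predict_pin(model, [synth_window(c, rng) for c in pin])
        digit_hits += sum(a == b for a, b in zip(pin, guess))
        pin_hits += guess == pin
    return {"digit_accuracy": digit_hits / (4 * trials),
            "pin_accuracy": pin_hits / trials}


def run_demo(seed=7):
    """Fixed seed so a run is reproducible; returns the evaluation dict."""
    rng = random.Random(seed)
    return evaluate(train(rng), rng)


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to print per-digit and whole-PIN accuracy on the synthetic data. Because the constructed signal cleanly separates the digits, the toy classifier does much better than the 46.5% reported for real headsets; what carries over is the shape of the attack: the eavesdropper never sees the keystrokes, only the headset's data stream, and a brief labelled phase (the "200 characters") is what turns that stream into guesses.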

EEG headsets on the rise

"In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites," said Dr Nitesh Saxena, an associate professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences who co-authored the paper.

"Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices.

"It is important to analyse the potential security and privacy risks associated with this emerging technology to raise users' awareness of the risks and develop viable solutions to malicious attacks."