Study looks at how brainwaves can be used to nab passwords

(Tech Xplore)—Security sleuths have given us much to think about in recent years, reminding us, often alerting us, when our privacy may be at risk when using mobile and desktop items.

Nonetheless, the findings that suggest we are being tracked without our knowledge are this week matched with security concerns over headsets that could possibly be abused to help guess passwords.

At least those are findings from Nitesh Saxena, an associate professor at the University of Alabama, who has explored how brain-wave-sensing headsets could be used to guess passwords and PINs. The headset for the study uses the brain's EEG signals to control gadgets or computers.

Reporting in Popular Mechanics, Sophie Weiner said Saxena performed a study with subjects wearing their headset while typing random passwords and PINs into a screen. This was used to train the device to recognize the baseline level of EEG activity.

Tom Simonite in MIT Technology Review provided these details: The study participants entered random PINs and passwords while wearing the headset; the software in turn learned the link between their typing and brainwaves.

After observing a person entering about 200 characters, algorithms could make guesses at new characters entered by watching the EEG data.

"That could let a malicious game, say, snoop on someone taking a break to go on the Web," wrote Simonite. While not perfect, " it shortens the odds of guessing a four-digit numerical PIN from one in 10,000 to one in 20, and increases the chance of guessing a six-letter password by around 500,000 times, to roughly one in 500."

MIT Technology Review also said that "The new study tested the idea that a person who paused a gaming session and logged into a bank account while still wearing an EEG headset could be at risk from malicious software snooping on personal credentials via brain waves."

Fossbytes: "With the increasing work in the field of brain-computer interfaces, we are witnessing a new kind of security risk of brainwave hacking."

Popular Mechanics said programmers are being urged to strengthen security in brain-computer interfaces. "Scientists like Saxena want these results to motivate programmers to build in tougher security in their products."

Tom Simonite spoke of "brain-interface" security, and mentioned Alejandro Hernández, a security researcher with IOActive, who has reviewed the security of EEG hardware and related software. "His research indicated that a lot of EEG software in use today isn't well designed, and is easily hackable."

Simonite also noted a recent event which indicates an important discussion may be in the wings. "Last month, a lawyer and ethicist at the University of Zurich called for development of new legal frameworks around neurotechnology, including a 'right to mental privacy.'"