Brain drain: Hackers could dip their phishing poles into your mind
For secrets, nowhere’s safer than the inside of your head, right? Wrong. Commercially sold electrode-headsets, often used in gaming, can be hacked to extract your ATM PIN, birthday month, location, and more, according to Wired.
It’s a whole new era of phishing attacks. Instead of tricking you into giving up sensitive information with convincing e-mails, hackers could tap into your gaming headset and pull the information out of your brainwaves once they have been converted into data streams.
The headset in question is the Emotiv EPOC headset, which is used for a number of computer interaction purposes, including gaming. It taps into the player’s brain waves to control what’s happening on the screen via a set of electrodes that sit on the top of your forehead when in use. The software collects your thoughts and translates them into data that can be extracted using an application programming interface, or API.
A new paper called “On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces” shows how the attack is performed. The research team got a hold of the brainwave data stream using the API and performed five experiments to see if they could gather a PIN number, bank account information, location information, month of birth, and facial-recognition information.
Each experiment flashed a sequence of pictures on a computer screen. For example, when trying to extract bank account information, test subjects saw pictures of ATM machines and debit cards. In the PIN test, they were shown a series of numbers.
The researchers then studied the “event-related potential,” or the electrical change in the brain that, in this case, signals that the subject recognizes or has a connection to what they’ve just seen on the screen.
For the PIN test, debit cards, and ATM machines, researchers correctly guessed the sensitive information for 20 percent of the victims on the first try. For the bank based on the ATM, as well as the location of their homes, researchers guessed correctly for 30 percent of the test subjects. The most successful test was the month of birth, which researchers pinned down correctly for 60 percent of the subjects.
The scariest part of this isn’t necessarily that the brainwaves give up this kind of information, but the fact that it’s available through an API that anyone can currently access. The Emotiv EPOC headset allows any developer to create apps based on that API, which researchers say could lead to “brain spyware.” Indeed, many of these apps include a bit of “calibration” or regular installation that could be used to show victims these kinds of pictures and steal the brainwave data.