'Mind hackers' could get secrets from your brainwaves

Could hackers get access to your bank details and PIN codes by reading your mind? It wouldn't be easy, but computer scientists reckon its theoretically possible using wireless EEG headsets like Emotiv's Epoc, which costs only $299. These are not yet mass-market devices, but people who use headsets to play games and control devices such as wheelchairs could conceivably have their brains hacked if they download rogue applications.

Ivan Martinovic, from the University of Oxford, explored the idea in his talk at the Usenix Security Symposium held in Seattle earlier this month (video). The team behind the research -- which also included members from the University of California at Berkeley and the University of Geneva -- has published at paper: On the Feasibility of Side-Channel Attacks with Brain-Computer Interface (PDF).

One aim of the research was to explore whether or not EEG headsets represented a threat to privacy. While there are many such headsets available, they used the Emotiv device because of its low cost and because the company makes its API available to researchers, and it has a software development kit (SDK) for developers.

Outside of medicine, where researchers have been studying electro-encephalograms for decades, EEG headsets are most often used for games and for control applications or both. For example, someone can use their brainwaves to shoot virtual fireballs in the Arena game, or to control a real toy helicopter. Usually, the control process involves mastering one command at a time, and facial expressions can be used, such as winks and smiles.

Beyond that, the brain responds naturally to external stimuli. One of the most useful is the P300 recognition response that peaks about 300 milliseconds after the user recognises something relevant. The team developed a recognition model by, for example, showing test subjects photographs of people they didn't know, and then showing them a face they did know: Barack Obama.

After that, you can try to detect unknown data. For example, if you had test subjects and photographs of their homes, you could find out who lived where by showing them the pictures and looking for the recognition response. The team did find homes correctly about 60 percent of the time.

By showing people images related to credit cards, PINs and so on, a hacker might also be able to discover private banking details. The researchers don't claim to have done this, but Martinovic told the symposium that "we could actually perform better than a pure random guess". They are now looking at "more sophisticated attacks".

The system could also be used for market research, or for interrogation purposes. For example, you could test a suspect with photographs of crime scenes, or rape victims.

Martinovic said: "we're interested in subconscious responses. Even if you try to lie, you will actually need more attention, and this will produce a better signal for us to detect."

Brainwaves are messy things to track, and a lot of pre-processing is required to extract a signal from the noise. Also, EEG headsets such as Emotiv's are not optimised to capture P300 signals. However, one day, brain hackers might be able to get useful signals without a subject's co-operation, perhaps by a combination of face- and brain-scanning. That really would be a threat to privacy.

Tan Le, Emotiv's co-founder, showed Epoc in a TED talk: A headset that reads your brainwaves