The latest cyber-attack vector may be the human brain, according to computer scientists from the University of Alabama at Birmingham and the University of California Riverside.
The study used electroencephalograph (EEG) headsets on research subjects, a type of user input which is increasingly used in video games. According to that study, if a user pauses their game and manually inputs a password to authenticate their online banking, the password could be acquired from their brain waves.
The 12 research subjects were asked to input a string of randomly generated passwords and PIN numbers by typing on their keyboards. While doing so they wore both consumer and medical quality EEG headsets. Theoretically, malware that targets the EEG headset output could acquire a user's password if they're thinking about it. The algorithms used by the researchers guessed four digit PIN numbers with a 46.5% success rate, and guessed six character passwords with a 37.3% success rate.
“In a real world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites, “ said Nitesh Saxena, one of the authors of the paper.
Saxena had further commentary about the study's findings. "Given the growing popularity of EEG headsets and the variety of ways in which they could be used, it is inevitable that they will become part of our daily lives, including while using other devices. It is important to analyze the potential security and privacy risks associated with this emerging technology to raise users' awareness of the risks and develop viable solutions to malicious attacks."
A Canadian information security analyst who prefers not to be named considered other cybersecurity implications of the research's findings. “(The EEG attack method) is not exactly subtle, but could be an interrogation technique. I think that would be counted as potentially self-incrimination, so probably not court admissible.”