Hackers Could Use Brainwaves To Make Educated Guesses On Passwords And PINs

Hackers can crack PINs and passwords through through monitoring brainwaves through  Electroencephalograph (EEG) headsets.

Research conducted by the University of Alabama in the US, discovered that if a person wearing an EEG headset, used to control computer games through sensing brainwave patterns, were to pause the game an login into a password or PIN protected account, malicious software could be used to intercept the brainwave data and then used to extract the login details.

Though this may sound a little on the sci-fi side of technology, the researchers found through testing consumer and clinical-grade EEG headsets that when a person types in a password or PIN, the EEG headset picks up their visual processing and head movements, as well as hand, eye and head muscle movements.

After imputing 200 characters, malicious software with smart algorithms could make educated guesses to what a user’s passwords might be based on their corresponding EEG data.

The shorter the password or PIN the easier it is for malicious software to crack it through such educated guesses.

Brainwave hacking

“In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites,” explained Nitesh Saxena, associate professor in the UAB College of Arts and Sciences Department of Computer and Information Sciences.

“These emerging devices open immense opportunities for everyday users,” she added. “However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology.”

EEG headsets tend to be devices found commonly in the medical field, though there are headsets in the market aimed at people who want to control games in a different fashion to controllers or mouse and keyboards.

In a world where phishing and ransomware seems to be an easier way swipe credentials from unsuspecting people, going to the trouble of hacking an EEG headset may be a stretch for hackers beyond a lab environment,

But Saxena warned that it is important to keep an eye out for potential vulnerabilities in such emerging technologies.

“It is important to analyse the potential security and privacy risks associated with this emerging technology to raise users’ awareness of the risks and develop viable solutions to malicious attacks,” she said.