Hackers can steal passwords and PINs by analysing your brainwave signals, a new study has found.
Researchers from the University of Alabama at Birmingham and the University of California Riverside collected data from electroencephalography (EEG) headsets, which sense the electrical activity inside a person’s brain.
The headsets are growing increasingly popular among gamers, who can use them to control characters using their brain signals.
Crucially, however, EEG headsets also monitor your brainwaves when you’re not playing.
Users who paused a game but left their EEG headset on while checking their password-protected accounts could be vulnerable to hackers, the researchers found.
The researchers asked 12 people to use a physical keyboard to type a series of randomly generated PINs and passwords into a text box while wearing a headset.
After the participants had entered 200 characters, an algorithm created by the researchers was able to make educated guesses about the PINs with a 43.4 per cent success rate, and about six-character passwords with 37.3 per cent accuracy.
“These emerging devices open immense opportunities for everyday users. However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology,” said Nitesh Saxena, one of the study’s authors.
Facebook is working on mind-reading technologies that would let you type words “directly from your brain”.
It’s an ambitious vision that has caused concern among privacy advocates, and the company has refused to confirm or deny whether it will use people’s thoughts to sell ads.
“In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites,” added Saxena.
The researchers have called for EEG headset manufacturers to start disrupting the signals when a user is logging into accounts.