Are ‘brain hacks’ a cybersecurity threat to worry about?

• A literal ‘thought experiment’ has uncovered that using neurocomputing commercial devices could potentially expose sensitive personal info like PIN numbers 

Researchers at several preeminent universities have been studying the security effects of wearable neurocomputing technology that link up with a brain-computer interface, and the results are in: wearing a neuroheadset that can detect brain patterns, can be used to accurately detect sensitive personal information stored in the brain.

Scientists at the University of California, University of Oxford, and University of Geneva used an EPOC neuroheadset from neurocomputing startup EMOTIV, which uses electroencephalography (EEG) to wirelessly record electrical brain activity for research and comprehension purposes.

Non-invasive wearables with a brain-computer interface are slowly catching on, with development at a somewhat advanced level due to sizable military funding in the initial stages. Companies like Kernel, Qneuro, NeuroSky, and EMOTIV are rapidly moving toward widely-available devices and less-invasive BCI methods, with neuroheadsets becoming a more common commercial option. Even Facebook has been developing a BCI implant that reads brain activity and is able to decipher a basic set of words.

Not only do these neurocomputing devices record brain data, but newer ones like EMOTIV’s can also allow users to utilize mental commands when playing certain games or other applications. The thinking is that in the future, neurocomputing devices and algorithms can be harnessed for corporate functions like controlling unified messaging and exchanging “brain messages”, and perhaps even mundane tasks like ordering food online.

It might even be tapped for applications like online banking and other functions which utilize the sensitive data stored in our heads such as passwords and PIN numbers. And this is where things get dicey because the university researchers’ experiment found that the brain data can be tracked and analyzed by software within the headset itself.

In the experiment, P300 brainwaves were tracked as subjects saw images of everyday things: banks, people, locations, and number sequences. Some of those things happened to be meaningful to the subject.

The technology was able to recognize when a person was looking at meaningful information, and consequently was able to deduce a range of personal information, including where the person lived (accurate about 60% of the time), birth month (ditto 60% accuracy), bank branch (30% accuracy), and the first number of the subject’s PIN (40% accuracy).

The unnerving results illustrate that there could be a dark future where private thoughts can also be ‘hacked’. And what’s worse is that sensitive personal data can be hijacked using the very neurocomputing device that was enabling a better understanding of brain activity.

Fortunately, there is research underway to examine brain security as well. At the Usenix Security Conference, researchers unveiled an experimental technology that embeds passwords for apps and games within the brain on a subconscious level, so that the person has no conscious awareness of what the password is. The brain is simply trained to apply it when prompted, presumably by a visual clue.