Epoc+ is an $800 headset made by Emotiv that uses your brain’s EEG signals to control gadgets or computers. Now, a new study from Nitesh Saxena, an associate professor at the University of Alabama, has shown the headset could also be used to guess your passwords and PINs.
“I would say it’s a risk for today’s devices, and with more advanced devices much more could be done in future,” Saxena told MIT Technology Review. “People need to think through the privacy and security models of these interfaces.”
Saxena’s study had subjects wear the headset while typing random passwords and PINs into a screen. This was used to train the device to recognize the baseline level of EEG activity. Saxena says a hacker could accomplish this by using some kind of video game that would require inputting numbers and letters. After observing a person enter only 200 characters, the headset could guess which letters the subject was typing based on their brain activity. Though the guesses the headset made weren’t perfect, it shortened the odds of guessing a random four-digit PIN from 1 in 10,000 to 1 in 20, and those of guessing a six-letter password by a factor of 500,000, to 1 in 500. That’s pretty impressive considering that headsets like the Epoc+ are fairly crude and the technology is sure to improve.
Scientists like Saxena want these results to motivate programmers to build tougher security into their products. Emotiv responded to the study by saying that the kind of hack it portrayed was not feasible, but other computer security experts disagree. Tamara Bonaci, a researcher at the University of Washington who was involved in a similar study, says this is a critical time for these issues. “The improvements have been tremendous over the last few years, and I expect that to continue,” she told MIT.