Passwords can be stolen through our brainwaves, new study claims

30 Jun 2017

EEG headsets on display. Image: wideonet/Shutterstock

If you thought your mentally stored password was enough to protect you from hackers, you might want to think again … or not.

2017 has been the year of major cyberattacks, with CIOs from thousands of companies frantically trying to patch and protect their systems from damage caused by the likes of WannaCry and Petya/GoldenEye.

Protecting against such attacks requires people to maintain a series of different passwords, each more complex than the last. While many write these down somewhere, some are able to memorise them.

But now it seems that not even our minds can protect our passwords from hackers who have the right tools and software.

Electroencephalograph (EEG) headsets – which can read a person’s brainwaves to perform functions such as playing a video game – have become increasingly common and affordable, to the point that they now cost just a few hundred euro in some cases.

Now, however, a study from the University of Alabama at Birmingham suggests that these headsets pose a risk to users, as hackers can potentially tap into their brainwave data and discover their passwords.

Sounding like something from science fiction, the team led by Nitesh Saxena found that a person who paused a video game and logged into a bank account while wearing an EEG headset was at risk of having their passwords or other sensitive data stolen by a malicious software program.

Using a small study sample of just 12 people, the researchers asked the participants to type a series of randomly generated PINs and passwords into a text box as if they were logging into an online account, while wearing an EEG headset.

“In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites,” Saxena explained.

Drastically cuts odds of cracking password

Typically, after a person had entered 200 characters into the box, the software’s algorithms were able to make a good guess as to what the user’s password was.

For PINs, the odds of a hacker being able to guess the four-digit code went down from one in 10,000, to one in 20, while the chance of guessing a six-letter password fell from about one in 500,000, to roughly one in 500.

Given the study’s small size, larger samples will be needed to confirm the extent of this worrying vulnerability, with Saxena adding that it shines a light on a little-considered area of cybersecurity.

“It is important to analyse the potential security and privacy risks associated with this emerging technology, to raise users’ awareness of the risks and develop viable solutions to malicious attacks.”


Colm Gorey was a senior journalist with Silicon Republic