Hacking Brain-Computer Interfaces

In this fascinating piece of research, the question is asked: can we surreptitiously collect secret information from the brains of people using brain-computer interface devices? One article:

A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal information by presenting 30 headset-wearing subjects with images of ATM machines, debit cards, maps, people, and random numbers in a series of experiments. The paper, titled "On the Feasibility of Side-Channel Attacks with Brain Computer Interfaces," represents the first major attempt to uncover potential security risks in the use of the headsets.

This is a new development in spyware.

EDITED TO ADD (9/6): More articles. And here's a discussion of the pros and cons of this sort of technology.

Posted on September 5, 2012 at 6:06 AM • 22 Comments

Comments

b raffSeptember 5, 2012 6:36 AM

I guess a bunch of people will rush to say that we just have to not wear these things then, no biggie, only a fringe problem. Well, 20 years ago I wouldn't have thought that 99% of everyone I know would be to some extent geo-trackable since we all wear mobile phones.
I wouldn't be all that surprised if within 10 years these kind of BCI will be as popular as a bluetooth handsfree, perhaps in combo with see-trough VR-goggles so to make it easy to read a blog, videochat with spouse, kids, customers and so forth.

A Nonny BunnySeptember 5, 2012 7:36 AM

I really do not think this is a problem specific to brain-computer interfaces, or that they are any bigger there than for other user-interfaces.
A while ago there was mention of a sort of password system using knowledge of an implicitly known (but not explicitly known) sequence; using the fact you'll react faster for the 'known' sequence. You can use that same approach to get, say, someone's pin number using some game that deduces well-known number sequences. No need for a brain-computer interface.

vwmSeptember 5, 2012 7:54 AM

This is fascinating fundamental research.

So, we finally need longer ATM-PIN's, since you can not only brute-force the machine (that invalids the account after the third wrong guess), but you can also surreptitiously brute-force the user.

Clive RobinsonSeptember 5, 2012 8:26 AM

On the assumption attacks only improve with time this 15-40% improvment on guessing could relativly quickly become 30-80% or greater.

The question then becomes how long before "something you know" ceases to be a usefull authentication factor...

Dr. I. Needtob AtheSeptember 5, 2012 8:27 AM

The technology that could arise from being able to communicate with a computer by pure thought is so mind-boggling that it seems foolish to focus on security issues.

bcsSeptember 5, 2012 9:07 AM

What range can the BCI operate at? 1 inch? 3 inches? 6 feet? Whatever it is now, it can only go up.

Time to buy futures in tin-foil.

kashmarekSeptember 5, 2012 9:14 AM

I see this as similar to the "report" (read potential propoganda) that the iPhone security is so good that it is giving police departments fits over being able to acquire to contents of said phones. Well, the simple case is that those police departments are NOT supposed to be taking data from those phones in the first place, so why broadcast the fact that you no longer can get the data.

The answer: FUD. If you can't get the data, DON'T tell anybody! They can probably get the data as easily as before but want to create a false sense of security.

As for this "mind reading" device, probably FUD. If it was that good, it would be classified as top secret. Yes, these things have a tendency to get better over time, but economically better? Unlikely.

When the military doesn't want a plane or project, they sometimes say so, but Congress lets a contract anyway so they buddies in the military industrial complex can continue to pay their lobbyists or contribute to their PAC. Same here. This is to influence people (read: Congress) whether something actually gets delivered or not, is inconsequential.

kashmarekSeptember 5, 2012 9:16 AM

I agree with "llewelly". It is not so much as reading out what is in your brain, as eventually pushing into your brain that which "they" want you to have. If advertisments work, then move on to full mind control.

Clive RobinsonSeptember 5, 2012 11:36 AM

@ bcs,

Time to buy futures in tin-foil

Yes I'm told that in Europe you are nolonger alowed to use lead in the production of new items.

@ llewelly

... that's ok, it will only be used to advertise more garbage ..

Hmm if I remember rightly it was "Acient Egyptian Algebra" that made Fry realise he needed to test drive new underpants.

[Futrarma "Fish Full of Dollars" Series 1, which my son still thinks has the best bit where Bender squirts the pushy perfume sales assistant with motor oil].

kingsnakeSeptember 5, 2012 11:54 AM

First command I send the hacked interface is to make the person crap himself. Would lead to many awesomely funny Youtube videos if applied to appropriate public figures ...

Clive RobinsonSeptember 5, 2012 12:02 PM

@ kashmarek,

the simple case is that those police departments are NOT supposed to be taking data from those phones in the first place, so why broadcast the fact that you no longer can get the data

My first and still overriding thought was not FUD but "Lazy slobs on a power grab, to get more legislation to abuse". As was seen with New York Cops, prior to 9/11, why be fit enough to chase and arrest a suspect when all you need do was shoot them... (oh and a few bystanders for good measure as they were "obvious associates")

In the UK there is a public inquiry under way (despite the Met Police attempts to stop it),

http://www.bbc.co.uk/news/...

Where a police marksman in a car that pulled up alongside another car shot at the passenger in that car eight times through the window within a second without giving any warning. Six bullets hit the passenger who died (the footage was played on the evening news yesterday)...

Visgean@gmail.comSeptember 5, 2012 3:48 PM

It reminds me the Deamon of Daniel Suarez - he was actually mentioning this technique in the sequel the freedom..

JP (The Headless Horseman)September 5, 2012 6:06 PM

Not only can the tool be used to identify secret information, I expect the spywear can be adapted to idenitfy key terms, expressions, and phrases that increase the interest of the person. This immediately introduces several capabilities. Whether these are positive or negative depends on your ethics.

From a marketing point of view, knowing the hot buttons of a customer presents a targeted sales opportunity that makes Google ads look trivial.

From a criminal investigation, it makes the polygraph look weak. Does not mean this will be more accurate but definitely more high tech.

From a medical point of view, the possibllities in real time patient monitoring (for concious patients) is invaluable.

Interestingly, a limited form of this technology for daily use is soon to be available. How much work would it take to convert Google Glasses to Google Spywear. It indicates what you look at, what drives your interest, at least hints of what you are thinking about. A free game inside the headset for training the spywear and we have a whole new tech bubble.

And it doesn't even have a firewall. We'll all get sun burned.

JimSeptember 6, 2012 1:22 AM

Whoa. Wait a second. This is really out of left field to me. This is extremely interesting. This is a serious game changer on the horizon; the security of that little tiny bit of data storage in your head, however small, is extremely central to high quality security.

How long till they develop a way to get your PGP passphrase? Within 10 years the only option will to not be to use one of these things, and that will be about as practical as not using a cell phone today in order to avoid even transient location tracking.

Very serious indeed.

FaceDealSeptember 6, 2012 5:00 AM

Jim: "not using a cell phone today in order to avoid even transient location tracking."

Sorry, but it won't work in a near future.

Facedeals is already doing transient location tracking, without using your cell phone, in Nashville, Tennessee. Redpepper, the company behind Facedeals, says there are plans to expand nationwide in the near future.

onearmedspartanSeptember 6, 2012 8:18 AM

It doesn't get anymore 'backdoor' than the human brain. Its wild to think we can't even trust our own brain. Eventually, we will need a 24-way handshake to view our accounts.

paratrooperSeptember 6, 2012 10:29 PM

"How much work would it take to convert Google Glasses to Google Spywear. It indicates what you look at, what drives your interest, at least hints of what you are thinking about. A free game inside the headset for training the spywear and we have a whole new tech bubble. "

Watch ST:TNG Episode "The Game" - this is where it's going - total control of our minds through a chemically induced reward system for compliance.

FigureitoutSeptember 6, 2012 10:43 PM

@Bruce, the "More" link doesn't work for me, anyone else have that problem? I liked the CCLE link.

As fascinating as this may be and I don't like to limit creativity; I can't support this. I don't understand why people continue to push ahead with insecure machines, so no I don't think there should be any link (receiving or transmitting) to a brain. Once the tech is here it's here! And then it doesn't matter what you think...

Read this link, from the CCLE link Bruce gave. Steve Kirsch, in his quest to eradicate terrorism, is advocating tyranny. His line of thinking speaks for itself. Read between the lines for some psychological techniques he's hoping to employ (he's treating humans like animals) and the Orwellian doublethink/newspeak that people keep and will continue to keep falling for: http://www.skirsch.com/politics/plane/...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..