
SecurityWeek

Privacy

High-End Gaming Devices Can Leak Personal Information

It’s almost as though criminal hackers will soon be able to read your mind, and new research suggests that maybe they will. Personal information, such as “bank cards, PIN numbers, area of living, the knowledge of the known persons,” might be inadvertently leaked through the use of brain-computer interface (BCI) devices used in high-end gaming consoles.


The researchers Ivan Martinovic, Doug Davies, Mario Frank, Daniele Perito, Tomas Ros, and Dawn Song said they wanted to see what kind of simple attacks could reveal personal information. Their talk “On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces” was given in early August at the 3rd USENIX Workshop of Health Security and Privacy in Bellevue, Washington.

The authors point out that electroencephalography (EEG) is already becoming commonplace. It is used in neurofeedback therapy for attention deficit hyperactivity disorder (ADHD). It is used for epilepsy monitoring, and in diagnosing sleep disorders. It also has valid uses in studying sports and changes in alertness and drowsiness in drivers or the “mental workload of air-traffic control operators.” So why not monitor the BCI responses of game players?

Using EEG signals from inexpensive Neurosky and Emotiv gaming devices, which sell for between $200 and $300, the researchers were able to detect which of the images shown related to the user’s private or secret information, such as credit cards, PIN numbers, persons known to the user, or the user’s area of residence.

How does this work? When participants in the study were asked to memorize a four-digit PIN and then shown a series of random numbers, the researchers observed EEG spikes that would later allow them to infer which random number was most likely the first digit in the PIN with about 30% accuracy on the first try. That might seem low, but compare that figure with blindly guessing the first digit, which succeeds only one time in ten. With EEG you have roughly a one in three chance of guessing the first digit.

When guessing a password, clues such as the definition of the password (for example, it must include a capital letter, a symbol, and an alphanumeric value of more than 8 characters) are very helpful. They allow an attacker to configure software such as John the Ripper to narrow the search, and a narrowed search yields much faster results.
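To put a number on how much a 30% first-digit hint weakens a four-digit PIN, the following added example (not from the researchers' paper or from SecurityWeek) computes min-entropy, expected guesses, and the hit rate under a three-try lockout. It assumes the remaining 70% of probability is spread evenly over the other nine digits, which the article does not state.

```python
import math

def min_entropy_bits(dist):
    """Min-entropy: -log2 of the best single-guess success probability."""
    return -math.log2(max(dist))

def expected_guesses(dist):
    """Guesswork: mean number of guesses when candidates are tried most-likely first."""
    ranked = sorted(dist, reverse=True)
    return sum(rank * p for rank, p in enumerate(ranked, start=1))

def success_within(dist, k):
    """Probability that the correct value is among the first k guesses (lockout budget)."""
    return sum(sorted(dist, reverse=True)[:k])

def first_digit_posterior(top_hit=0.30, digits=10):
    """ASSUMPTION: the top-ranked digit is right with probability top_hit (the
    article's ~30%); the remaining mass is spread evenly over the other digits."""
    rest = (1.0 - top_hit) / (digits - 1)
    return [top_hit] + [rest] * (digits - 1)

def pin_distribution(first_digit_dist, remaining_digits=3):
    """Distribution over whole PINs when only the first digit carries a hint."""
    tail = 10 ** remaining_digits
    return [p / tail for p in first_digit_dist for _ in range(tail)]

# Constructed inputs: a uniformly random digit versus one with the EEG hint.
uniform_digit = [0.1] * 10
leaky_digit = first_digit_posterior()

if __name__ == "__main__":
    for name, d in (("uniform", uniform_digit), ("with EEG hint", leaky_digit)):
        pins = pin_distribution(d)
        print(f"{name:14s} digit min-entropy={min_entropy_bits(d):.2f} bits  "
              f"PIN guesses={expected_guesses(pins):.1f}  "
              f"3-try lockout hit={success_within(pins, 3):.5f}")
```

Under these assumptions the hint removes about 1.6 bits of min-entropy from the first digit and triples the chance of hitting the full PIN before a three-attempt lockout, which is why attempt limits matter more than raw keyspace size.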

Researcher Dawn Song told Forbes.com the potential attack would be rather easy to pull off. “In this threat model, the attacker doesn’t need to compromise anything. He simply embeds the attack in an app, such as a game using [brain-machine interface] that the user downloads and plays. In this case, the malicious game designs and knows the visual stimuli the user is looking at and also gets the brain signal reading at the same time.”

The study’s authors point out that Microsoft’s Xbox 360, Nintendo’s Wii, and Sony’s PlayStation 3 already include sensors to infer users’ behavioral and physiological states. They do so by measuring hand pressure, heartbeat, facial and voice recognition, “gazetracking,” and motion. In time these, too, may have a statistical correlation with the user’s personal data.

The problem, then, is biometrics. Since we can’t change how our minds and bodies respond to certain stimuli, maybe we should change how our gadgets interpret these responses. Unfortunately there are no easy answers here, but this is certainly something to consider going forward.
