
High-End Gaming Devices Can Leak Personal Information

It’s almost as though criminal hackers will soon be able to read your mind. And new research suggests that maybe they will be able to do so. Personal information, such as “bank cards, PIN numbers, area of living, the knowledge of the known persons,” might be inadvertently leaked through the use of brain-computer interface (BCI) devices used in high-end gaming consoles.


The researchers Ivan Martinovic, Doug Davies, Mario Frank, Daniele Perito, Tomas Ross, and Dawn Song said they wanted to see what kind of simple attacks could reveal personal information. Their talk “On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces” was given in early August at the 3rd Usenix Workshop of Health Security and Privacy in Bellevue, Washington.

The authors point out that electroencephalography (EEG) is already becoming commonplace. It is used in neurofeedback therapy for attention deficit hyperactivity disorder (ADHD). It is used for epilepsy monitoring, and in diagnosing sleep disorders. It also has valid uses in studying sports and changes in alertness and drowsiness in drivers or the “mental workload of air-traffic control operators.” So why not monitor the BCI responses of game players?

Using EEG signals from inexpensive Neurosky and Emotiv gaming devices, which sell for between $200 and $300, the researchers were able to detect which of the images shown related to the user’s private or secret information, such as credit cards, PIN numbers, persons known to the user, or the user’s area of residence.

How does this work? When participants in the study were asked to memorize a four-digit PIN and then shown a series of random numbers, the researchers observed EEG spikes that would later allow them to infer which random number was most likely the first digit in the PIN with about 30% accuracy on the first try. That might seem low, but compare that figure with guessing the first digit blindly, which succeeds one time in ten. With EEG you have roughly a one in three chance of guessing the first digit.

When guessing a password, clues such as the definition of the password—for example, it must include a capital letter, a symbol, and an alphanumeric value of more than 8 characters—are very helpful. They allow an attacker to configure software such as John the Ripper to narrow the search. A narrowed search yields much faster results.

Researcher Dawn Song told Forbes.com the potential attack would be rather easy to pull off. “In this threat model, the attacker doesn’t need to compromise anything. He simply embeds the attack in an app, such as a game using [brain-machine interface] that the user downloads and plays. In this case, the malicious game designs and knows the visual stimuli the user is looking at and also gets the brain signal reading at the same time.”

The study’s authors point out that Microsoft’s Xbox 360, Nintendo’s Wii, or Sony’s Playstation3 already include sensors to infer a user’s behavioral and physiological states. They do so by measuring hand pressure, heartbeat, facial and voice recognition, “gazetracking,” and motion. In time these, too, may have a statistical correlation with the user’s personal data.

The problem, then, is biometrics. Since we can’t change how our minds and bodies respond to certain stimuli, maybe we should change how our gadgets interpret these responses. Unfortunately there are no easy answers here, but this is certainly something to consider going forward.
