Hackers have found a new way to steal passwords and PINs – by analysing your brainwave signals.
A new study carried out by researchers at the University of Alabama at Birmingham and the University of California, Riverside used data from electroencephalography (EEG) headsets.
These headsets sense the electrical activity inside a person’s brain, and are used particularly by gamers, who use them to control characters.
The EEG headsets may also monitor your brainwaves when you’re not playing, leaving a vulnerability to be exploited by hackers.
So, if you pause a game and check your password-protected accounts on your phone or computer, your passwords might be at risk of theft as the EEG headset is still functioning.
The study asked 12 people to use a physical keyboard to type a series of randomly generated PIN numbers and passwords into a text box while wearing a headset.
After the participants entered 200 characters, an algorithm created by the researchers was able to make guesses about the PINs.
They were able to guess the PIN correctly with a 43.4% success rate, and six-character passwords with 37.3% accuracy.
“These emerging devices open immense opportunities for everyday users. However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology,” said Nitesh Saxena, one of the study’s authors.
Facebook is also working on mind-reading technologies that would allow you to type words “directly from your brain”.
As ambitious as this vision is, it raises privacy concerns, with Facebook refusing to confirm whether in the future it may use this technology for ad targeting.
“In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enters a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites,” added Saxena.
Researchers have suggested that the only way to tackle this vulnerability is for the EEG headset manufacturers to start disrupting the signals when a user is logging into accounts.
This article originally appeared in The Independent