Hackers Can Now Steal Passwords through EEG Headset Malware


A study from the University of Alabama at Birmingham (UAB) suggests that hackers can use malware for EEG (electroencephalography) headsets to monitor users’ brainwaves and guess their passwords.

According to the researchers, people using their EEG headset while checking password-protected accounts could be putting themselves at risk of getting hacked.

In the study, the researchers simulated logging into personal accounts by asking 12 people to type random PINs and passwords. The participants did the task wearing an EEG headset, which recorded their brain activity during visual processing along with their head, hand and eye movements.

Using malicious software, the researchers were able to tap into the EEG's recorded data. From the users' repeated typing actions, the malware was able to train itself to learn how a user types and the corresponding brain activity.

The team found that after a participant enters 200 characters, the algorithms in their malicious software could make educated guesses about the characters the participants typed.

The malware was able to significantly improve the odds of a hacker predicting a four-digit PIN from 1 in 10,000 to 1 in 20. Likewise, the malware's algorithm raised the chances of guessing a six-character password from 1 in 500,000 to around 1 in 500.

Nitesh Saxena, an author of the study and associate professor at UAB's Department of Computer and Information Sciences, states that emerging devices such as EEG headsets may open up immense opportunities for the public, but they also raise significant privacy and security issues.

Who is at risk?

Initially used for scientific research, EEG technology was later developed for neuroprosthetic applications. In this field, disabled patients use EEG devices to control prosthetic limbs by thinking of the required movement. Recently, however, EEG headsets have entered the entertainment and gaming markets, allowing users to control robotic toys or characters in a video game.

According to Saxena, in a real-world attack, a hacker's malware can learn more about a gamer's typing behavior and corresponding brain activity by asking the individual to enter a predefined set of characters to restart a game after pausing. By repeating this, the malware becomes more familiar with the user's brain activity and helps the hacker narrow the odds when guessing PINs and passwords.

To date, there have only been a handful of EEG headsets on the market. But as the devices become more accessible, users such as gamers and people with disabilities are at risk of being hacked whenever they log into accounts with their headset on.

Saxena states that given the increasing popularity of EEG headsets and the numerous applications for EEG technology, EEG will inevitably become part of the public's daily lives. Facebook, in particular, is looking into "mind-reading technologies" that let users type words directly from their brain. Privacy advocates were alarmed at the thought that the social media giant would use the technology to sell advertisements.

With these emerging technologies, Saxena states that it is now more important than ever to analyze privacy and security threats. For the EEG headset issue, Saxena and his team propose inserting noise into the signal whenever a user types a password while wearing the headset.
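As an added illustration (not code from the study or this article), the toy model below stands in for both the training procedure described above and the proposed countermeasure: a nearest-centroid classifier is trained on 200 constructed keystroke feature vectors, and its per-keystroke accuracy is measured once with ordinary sensor noise and once with heavy noise injected into the stream during password entry. The feature dimension, per-character signatures and noise levels are all constructed assumptions, not values from the study.

```python
import random

# Constructed toy model: each keystroke yields a short feature vector derived
# from the headset stream, and each character has a hypothetical fixed signature.
random.seed(7)
ALPHABET = "0123456789"
DIM = 8  # constructed feature count per keystroke (not from the study)
SIGNATURES = {c: [random.gauss(0.0, 1.0) for _ in range(DIM)] for c in ALPHABET}


def observe(char, noise_sd):
    """Feature vector for one keystroke: signature plus Gaussian noise.
    Small noise_sd models sensor noise; large noise_sd models noise injected
    into the stream before any application can read it (the proposed defence)."""
    return [s + random.gauss(0.0, noise_sd) for s in SIGNATURES[char]]


def train(samples):
    """Nearest-centroid model: average the vectors observed for each character."""
    sums, counts = {}, {}
    for label, vec in samples:
        acc = sums.setdefault(label, [0.0] * DIM)
        for i, v in enumerate(vec):
            acc[i] += v
        counts[label] = counts.get(label, 0) + 1
    return {c: [v / counts[c] for v in sums[c]] for c in sums}


def predict(model, vec):
    """Return the character whose centroid is closest to the observation."""
    return min(model, key=lambda c: sum((a - b) ** 2 for a, b in zip(model[c], vec)))


def keystroke_accuracy(model, n_trials, noise_sd):
    """Fraction of n_trials random keystrokes recovered at the given noise level."""
    hits = 0
    for _ in range(n_trials):
        c = random.choice(ALPHABET)
        hits += predict(model, observe(c, noise_sd)) == c
    return hits / n_trials


def run_experiment(sensor_sd=0.5, injected_sd=6.0, n_train=200, n_trials=500):
    """Train on 200 'calibration' keystrokes (as in the study), then measure how
    well keystrokes are recovered with and without injected password-time noise."""
    calibration = [(c, observe(c, sensor_sd)) for c in random.choices(ALPHABET, k=n_train)]
    model = train(calibration)
    return {
        "undefended": keystroke_accuracy(model, n_trials, sensor_sd),
        "noise_injected": keystroke_accuracy(model, n_trials, injected_sd),
    }
```

Calling `run_experiment()` shows per-keystroke recovery near 100% on the undefended stream and close to the 1-in-10 chance level once noise is injected, which is the effect the countermeasure relies on.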
