
Your Brain Can Be Hacked - iProject
http://technorati.com/technology/article/your-brain-can-be-hacked/
======
Groxx
The paper's title is "On the Feasibility of Side-Channel Attacks with Brain-
Computer Interfaces". Given that, yeah, I can see how you could get a LOT of
information out of someone without them realizing it. If e.g. you're playing a
game, and the surroundings occasionally reflect something you've seen, that's
information that such an interface could detect. Maybe an NPC has a disorder
that runs in your family, and you react to it more strongly than others -
insurance companies would probably love to know it.

All of which is to say, if you assume the worst, and brain-computer interfaces
become ubiquitous, yes, I can see there being a serious potential for you to
leak things you don't want to leak, just by being exposed to something
similar. Done on a grand enough scale, the possibilities could be terrifying.

~~~
some1else
The experiments measured whether you have a brainwave amplitude peak 300ms
after being exposed to a known concept.

The subjects were asked specific questions on screen (for 2s) and flashed all
possible answers every half a second, multiple times. The PIN extraction lasts
90 seconds and even then it doesn't guarantee order of the 4 most recognised
numbers, with many subjects probably willingly trying to answer the question
in their mind.

Experiments with prominent results -- face recognition, month of birth --
don't specify their length, but compared to PIN sampling would last 90s -
100s. Once again the subjects are explicitly shown the question on screen and
are prepared to answer in their mind. Also, with face recognition we might get
false positives because people look alike.

What this paper builds on is the ability to register a response to perception
of something we're currently thinking about. Given that it references existing
keyboard input methods that take advantage of this capability, I think this
article makes it sound too much like the answers were unwilfully obtained from
the subjects, with a 40% success rate. It would actually be very interesting
to carry out this study in a different setting. If subjects were in their own
environment, using the gaming device as intended? If questions were being
asked subliminally or through in game messaging? The success rate might be a
lot closer to random guess?

Link to paper:
<https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final56.pdf>

------
bgalbraith
OK, sensationalistic headlines aside, this is what is actually going on.

Using EEG, you can look for something called a P300 Event Related Potential
(ERP). This is a positive deflection from the baseline activity in the brain
signals approximately 300 milliseconds after an anticipated event occurs. Note
two key facts about this:

1) P300 actually varies by person; it can appear sooner or much later than 300
ms and have different amplitudes. Because of this, a training phase is
required to train the classifier.

2) The P300 happens when an event happens that the subject is anticipating or
recognizes, so they have to be primed in some sense. For instance, the
researchers asked subjects to think of an imaginary PIN, then flashed single
digits at them one at a time and tried to infer what the first digit of the
PIN was by that. Because they were thinking of, say, 1234, when 1 flashed on
the screen, a P300 may have been generated.

What the researchers did was interesting, in that they made the case for
potential malware in a consumer BCI game. Their accuracy rates weren't that
great, however. This is a far, far cry from nefarious agents pulling secret
info from your brain.
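
The stimulus-locked averaging described in the comment above, as an added illustration that is not part of the original thread or the paper's code. It runs on constructed white-noise epochs; the 128 Hz sampling rate, amplitudes, latency and scoring window are assumed values. It shows why many flashes per digit are needed before a P300 stands out of single-trial noise.

```python
import math
import random

FS = 128                                 # assumed sampling rate in Hz
EPOCH = int(0.8 * FS)                    # samples kept after each flash (~800 ms)
WIN = (int(0.25 * FS), int(0.45 * FS))   # assumed scoring window, ~250-450 ms

def synth_epoch(is_target, rng, noise_uv=10.0, p300_uv=5.0, latency=0.30):
    """One constructed epoch: white noise, plus a bump near `latency` if target."""
    out = []
    for i in range(EPOCH):
        v = rng.gauss(0.0, noise_uv)
        if is_target:
            t = i / FS
            v += p300_uv * math.exp(-((t - latency) ** 2) / (2 * 0.05 ** 2))
        out.append(v)
    return out

def window_score(epochs):
    """Average stimulus-locked epochs, then take the mean amplitude in WIN."""
    n = len(epochs)
    avg = [sum(e[i] for e in epochs) / n for i in range(EPOCH)]
    lo, hi = WIN
    return sum(avg[lo:hi]) / (hi - lo)

def rank_digits(target, reps, seed):
    """Flash digits 0-9 `reps` times each; return (digits by score, scores)."""
    rng = random.Random(seed)
    scores = {d: window_score([synth_epoch(d == target, rng) for _ in range(reps)])
              for d in range(10)}
    return sorted(scores, key=scores.get, reverse=True), scores

def hit_rate(reps, trials=50):
    """Fraction of simulated sessions where the top-ranked digit is the target."""
    hits = 0
    for s in range(trials):
        target = s % 10
        ranking, _ = rank_digits(target, reps, seed=s)
        hits += ranking[0] == target
    return hits / trials

if __name__ == "__main__":
    # Compare how reliably the target digit ranks first as repetitions grow.
    for reps in (1, 5, 20, 60):
        print(f"{reps:3d} flashes per digit -> top-1 hit rate {hit_rate(reps):.2f}")
```

Real EEG noise is not white and P300 latency differs per person, which is why the comment notes that a per-subject training phase is required.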

------
bluedanieru
"...via brute force methods."

Seriously, this registers barely above a lie detector for me. They have to
just guess my password and then, when they get it right, they'll record a
different brainwave pattern? Sounds simple enough. Okay, my passwords
typically consist of several words with some numbers thrown in. I wager we can
go through 40 trials each minute for 16 hours each day. How many _millions of
years_ do you have?

~~~
rd108
It's essentially the same idea, except that you elicit a particular brainwave
signal only when recognizing something you've already seen. I believe India
experimented with using it in murder trials a few years ago-- if the accused
elicits a P300 upon seeing the _actual_ murder weapon amongst a line-up of
dozens of other weapons, they must know a priori how the murder took place and
hence be guilty. Interesting times and there really are applications that
could benefit from this kind of analysis.

~~~
pstuart
Between Paul Ekman's work in behavioral science and detecting a person's pulse
rate from video (<http://www.youtube.com/watch?v=ONZcjs1Pjmk>), it seems like
one could have a pretty decent "lie detector" running on a smart phone.

