PEEP

Passively Eavesdropping Private Input via Brainwave Signals

New emerging devices open up immense opportunities for everyday users. At the same time, they may raise significant security and privacy threats. One such device, forming the central focus of this work, is an EEG headset, which allows a user to control her computer only using her thoughts.
In this study, we show how such a malicious EEG device or a malicious application having access to EEG signals recorded by the device can be turned into a new form of a keylogger, called PEEP, that passively eavesdrops over user’s sensitive typed input, specifically numeric PINs and textual passwords, by analyzing the corresponding neural signals. PEEP works because user’s input is correlated with user’s innate visual processing as well as hand, eye, and head muscle movements, all of which are explicitly or implicitly captured by the EEG device.
Our contributions are two-fold. First, we design and develop PEEP against a commodity EEG headset and a higher-end medical-scale EEG device based on machine learning techniques. Second, we conduct the comprehensive evaluation with multiple users to demonstrate the feasibility of PEEP for inferring PINs and passwords as they are typed on a physical keyboard, a virtual keyboard, and an ATM-style numeric keypad. Our results show that PEEP can extract sensitive in-put with an accuracy significantly higher than a random guessing classifier. Com-pared to prior work on this subject, PEEP is highly surreptitious as it only requires passive monitoring of brain signals, not deliberate, and active strategies that may trigger suspicion and be detected by the user. Also, PEEP achieves orders of magnitude higher accuracies compared to prior active PIN inferring attacks. Our work serves to raise awareness to a potentially hard-to-address threat arising from EEG devices which may remain attached to the users almost invariably soon.
 

People

Faculty

• Nitesh Saxena

Student

• Ajaya Neupane (@UAB; PhD 2017)
• Md Lutfor Rahman (MS student; currently doing PhD. at UCR)

Publication

• Disease Detector: A Disease Inference Attack Using Brainwave Signals Associated with Body Postures
  Anuradha Mandal and Nitesh Saxena
  In the International Conference on Privacy, Security and Trust (PST), 2024.
• SoK: Your Mind Tells a Lot About You: On the Privacy Leakage   via Brainwave Devices
  Anuradha Mandal and Nitesh Saxena
  In the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), May 2022
• PEEP: Passively Eavesdropping Private Input via Brainwave Signals
  Ajaya Neupane, Md. Lutfor Rahman and Nitesh Saxena
  In Financial Cryptography and Data Security (FC), April 2017
  [pdf]

Media Coverage

• Using Brainwaves to Guess Passwords, MIT Technology Review, May 5, 2017
• Hackers can use brainwave signals to steal passwords, MSN, July 3 , 2017
• Study finds hackers could use brainwaves to steal passwords, UAB, June 28, 2017
• Hackers could soon tap into your brainwaves to guess your passwords, IBT Times, May 9, 2017
• Hackers could monitor your BRAINWAVES to steal passwords, Daily Mail, June 30, 2017
• Brainwave-Reading Headsets Could Help Hackers Guess Your Password, Popular Mechanics, May 5, 2017
• How Your Brainwaves Can Be Used To Steal Passwords And Private Data, Fossbytes, May 6, 2017
• How hackers can hijack brainwaves to capture your passwords, ZDNet, May 8, 2017
• Brainwave-Reading Headsets Could Help Hackers Guess Your Passwords, Yahoo Tech, May 8 , 2017
• Tu cerebro revelará contraseñas a los hackers, Media-Tics, May 16, 2017
• Les pirates pourraient-ils détourner vos ondes cérébrales pour subtiliser vos mots de passe Une experience suggere que cela n est pas improbable, Developpez.com, May 8, 2017
• Piratear el cerebro para robar contraseñas, Influencers (Comunicado de prensa) (blog), May 12, 2017
• Los pensamientos también pueden ser pirateados, tendencias21 May 14, 2017
• Estudio revela cómo se pueden descifrar contraseñas analizando ondas cerebrales, Por Jhoanell Angulo, May 9, 2017
• Onde cerebrali, la nuova frontiera dell’hackeraggio, Linkiesta, May 17, 2017
• Hoe hackers wachtwoorden kunnen stelen via hersengolven, DataNews, May 8, 2017
• Hackers could soon tap into your brainwaves to guess your passwords, secnews24, May 9, 2017
• Hackers could soon tap into your brainwaves to guess your passwords, Europe Breaking News, May 9, 2017
• Beware! Hackers could use your brainwaves to guess your password, Ripples Nigeria, May 9, 2017
• Malicious Software: University Study Unveils How Headsets Can Use Brainwaves To Steal Passwords, University Herald, May 6, 2017
• A simple neyrointerfeys for “reading” of passwords in mind , Rusbase, May 5, 2017
• PINs and passwords easy to hack, thanks to brainwave tech, Deccan Chronicle, July 1, 2017
• CYBER CRIMINALS COULD MONITOR YOUR BRAINWAVES IN ORDER TO STEAL PASSWORDS, Live 24 News, July 1, 2017
• Computer Scientists: Passwords Can be Acquired from Brain Waves, InfoSecurity Magazine, June 30, 2017
• Brainwave Tech Could Make It Easier For Hackers To Steal Passwords, IFL Science, June 30, 2017
• Research shows brainwaves may well betray passwords to hackers (VIDEO), ZDNet, July 7, 2017
• Hackers can steal PINs, passwords from your brainwaves: Study,  Indian Express, June 30, 2017
• Cybercriminals could soon be able to hack your BRAINWAVES to steal passwords and empty bank accounts, scientists warn, The Sun, June 30, 2017
• Hackers Could Use Brainwaves To Make Educated Guesses On Passwords And PINs, Silicon, June 30, 2017
• UAB study: hackers can use brainwave-sensing headsets to steal personal information, AL.com, June 30, 2017