{"id":81318,"date":"2016-09-17T16:17:14","date_gmt":"2016-09-17T20:17:14","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2024-07-05T12:08:15","modified_gmt":"2024-07-05T16:08:15","slug":"mind-readers-can-steal-your-info","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/mind-readers-can-steal-your-info\/","title":{"rendered":"Mind Readers Can Steal Your Biometric Info"},"content":{"rendered":"

\"Mind<\/a>By now, most people have come to the position that passwords<\/a> suck<\/a><\/strong>. The momentum for alternate means of authentication is growing<\/a>. Researchers are working on how to use biometric technology<\/strong> for mainstream login activities. As I have pointed out there is a number of emerging<\/a> biometric<\/a> techniques<\/a> like; iris scans<\/a>, facial recognition<\/a>, or behavioral characteristics<\/a>. All of these methods have flaws<\/strong>, which pose a problem for authentication non-repudiation.<\/a><\/p>\n

\"passwordsIn a post<\/a> at IEEE<\/a> Spectrum<\/a><\/em>, Megan Scudellari<\/a> writes that fingerprints can be stolen<\/a>, iris scans spoofed<\/a>, and facial recognition software<\/a> fooled. In the wake of these flaws, researchers have turned to brain waves as the next step in biometric identification<\/strong>. Biometric identification<\/a> is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits. Unique identifiers include fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures.<\/p>\n

The researchers are racing to prove how accurately and accessibly they can verify a person\u2019s identity using electroencephalograph<\/strong> (EEG<\/a>) data. An EEG<\/a> is a test that detects electrical activity in the brain using electrodes attached to the scalp. The IEEE article explains that as your eyes skim over these pixels you are reading and turn them into meaningful words, your brain cells are flickering with a pattern of electrical activity that is unique to you<\/strong>. These unique\u00a0patterns can be used like a password or biometric identification. In fact, researchers have taken to calling them \u201cpassthoughts<\/strong>\u201d.<\/p>\n

\"brain<\/a>Using brainwaves to authenticate people goes back a while. Back in 2012, I wrote about<\/a> the Muse headband sensor which promised to \u201ccreate a specific brainwave signature or a password they would never have to say out loud or type into a computer.\u201d More recently, psychologists and engineers at Binghamton University<\/a> in New York achieved 100 percent accuracy<\/a> at identifying individuals using brain waves<\/strong> captured with a skullcap with 30 electrodes. Scientists at the University of California at Berkeley have adopted a set of earbud sensors that worked with 80 percent accuracy<\/a>.<\/p>\n

The problem is our brains don\u2019t produce a single, clear signal that can be checked like a fingerprint. The article says our brains emit a messy, vibrant symphony of personal information<\/strong>, including one\u2019s emotional state, learning ability, and personality traits. The author contends that as EEG technology becomes cheaper, portable, and more ubiquitous\u2014not only for identity authentication, but in apps, games, and more\u2014 there\u2019s a high likelihood that someone will tap into that concerto of information for malicious purposes<\/strong>. Abdul Serwadda<\/a>, a cybersecurity researcher at Texas Tech University<\/a> told Spectrum;<\/em><\/p>\n

If you have these apps, you don\u2019t know what the app is reading from your brain or what [the app\u2019s creators are] going to use that information for, but you do know they\u2019re going to have a lot of information<\/em><\/p>\n

The Texas Tech team performed experiments to see if they could glean sensitive personal information<\/a> from brain data captured by two popular EEG-based authentication systems. Surprise, surprise: they were able to capture sensitive personal information from brain data<\/strong>.<\/p>\n

\"capture<\/a><\/p>\n

Mr. Serwadda presented his results<\/a> at the IEEE International Conference on Biometrics<\/a>. The Texas Tech researchers examined EEG-based authentication systems that claimed high levels of authentication accuracy. One system examined was the Berkley model, and the second was based on the Binghamton model. The article explains that these EEG-based authentication systems utilize specific features, or markers, of brain activity to identify a person<\/strong>, like isolating the melody of a specific orchestra instrument to identify a song.<\/p>\n

\"Listening\"<\/a>The researchers wanted to see if those markers also contained sensitive personal information\u2014in this case, a tendency for alcoholism. They ran old EEG scans which included alcoholics and non-alcoholics through the systems. Using the brain wave data, they were able to accurately identify 25% of the alcoholics in the sample. That\u2019s 25% of people who just lost their privacy. Mr. Serwadda said;<\/p>\n

We weren\u2019t surprised, because we know the brain signal is so rich in information \u2026 But it is scary. [Wearable brain measurement] is an application that\u2019s just about to go mainstream, and you can infer a lot of information about users.<\/em><\/p>\n

The researcher said that malicious third parties could mine brain data<\/strong> to make inferences about learning disabilities, mental illnesses, and more. He told Spectrum<\/em>, \u201cImagine if you made these things public, and insurance companies became aware of them \u2026 It would be terrible.\u201d<\/p>\n

IOActive<\/a> senior consultant Alejandro Hern\u00e1ndez told<\/a> The Register<\/a> <\/em>that dangerous vulnerabilities exist in EEG kits. EEG’s security problems are depressingly familiar results of bad software design, Hern\u00e1ndez said. EEG devices are vulnerable to man-in-the-middle attacks, as well as less-severe application vulnerabilities and ordinary crashes. Mr. Hern\u00e1ndez says.<\/p>\n

… some applications send the raw brain waves to another remote endpoint using the TCP\/IP protocol, that by design doesn\u2019t include security, and therefore this kind of traffic is prone to common network attacks such as man-in-the-middle where an attacker would be able to intercept and modify the EEG data sent.<\/em><\/p>\n

\"steal<\/a>The IOActive consultant found that components like the acquisition device, middleware, and endpoints lack authentication meaning an attacker can connect to a remote TCP port and steal raw EEG data. That same flaw lets attacks pull off the more dangerous reply attacks.<\/p>\n

Unfortunately, the researchers do not have a solution for how to secure such information<\/strong>\u2014though in the study, compromising a little on authentication accuracy did reduce the ability to detect who was an alcoholic. Mr. Serwadda hopes other research teams will now take privacy, and not just accuracy, into account when optimizing such systems. Professor Serwadda concludes, \u201cWe have to prepare for the movement of brain wave [assessment] into our daily lives.\u201d<\/p>\n

Rb-<\/strong><\/em><\/p>\n

Given the willingness of apps developers to sell share any info to any third party and the unwillingness of the public to take even basic steps to secure their info online, everyone’s deepest personal information can be hacked in the future.<\/em><\/p>\n

Another problem with passthoughts UC Berkeley’s John Chuang<\/a> identifies that stress, mood, alcohol, caffeine, medicine, and\u00a0mental\u00a0fatigue could change the electrical signals that are generated.<\/em><\/p>\n

Despite advances in logging in with your mind, there might always be a need for an old-fashioned eight-plus character phrase with no spaces. \u201cPasswords will never go away<\/strong>,\u201d says Berkeley’s Chuang. He reasons that\u00a0for a computer, a typed password may be the easiest way to verify identity, while a finger swipe may be best for\u00a0a touch screen.<\/em><\/p>\n

But we need to think beyond those to future devices\u2014wearables<\/strong>, for instance\u2014for which there will be neither a keyboard nor a touch screen.\u00a0\u201cFor each device, we must figure out what are the most natural, intuitive ways to tell the device that we are who we are,\u201d Professor Chuang says.\u00a0Going directly to the brain seems like an obvious choice.<\/em><\/p>\n

Related articles<\/h6>\n