The lesson here seems to be, “don’t wear an EEG headset while using the ATM.” Wired reports that researchers at Oxford, UC Berkeley and the University of Geneva were able to decipher their test subjects’ “PIN numbers, birth months, areas of residence and other personal information” just by presenting them with associative pictures while the subjects were hooked up to EEG headsets. For instance, researchers said they were able to successfully mind-hack some users’ PINs just by showing them pictures of ATMs, debit cards and all digits 0 through 9 in a quick sequence.
The researchers say that this could be a problem if brain wave-enabled computer headsets such as the Emotiv EPOC become more popular in households in the coming years. Berkeley researcher Mario Frank said that the researchers “simulated a scenario where someone writes a malicious app, the user downloads it and trusts the app, and actively supports all the calibration steps of the [EEG] device to make the software work.” Once the app is trusted, it could then present the user with a series of images or tasks designed to conjure up certain information, such as banking PINs or Social Security numbers.
“You can use all kinds of third-party apps for these devices,” Frank told Wired. “In this setting, as security researchers, we identified that there is a potential to make some bad stuff, to turn this technology against the user.”