Side channel attacks with Brain-Computer Interfaces

Article about paper:
http://www.extremetech.com/extreme/...man-brain-successfully-extract-sensitive-data

The paper:
https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final56.pdf

In this paper, we designed and carried out a number of experiments which show the feasibility of using a cheap consumer-level BCI gaming device to partially reveal private and secret information of the users. In these experiments, a user takes part in classification tasks made of different images (i.e., stimuli). By analyzing the captured EEG signal, we were able to detect which of the presented stimuli are related to the user’s private or secret information, like information related to credit cards, PIN numbers, the persons known to the user, or the user’s area of residence, etc. The experiments demonstrate that the information leakage from the user, measured by the information entropy is 10 %-20% of the overall information, which can increase up to  43 %.

The simplicity of our experiments suggests the possibility of more sophisticated attacks. For example, an uninformed user could be easily engaged into “mindgames” that camouflage the interrogation of the user and make them more cooperative. Furthermore, with the ever increasing quality of devices, success rates of attacks will likely improve.

 

Unless I am missing something this just reads as another form of a polygraph, not really a "side-channel attack"...

 

I made the subject a shortened version of the paper's title which was "On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces". As for whether "side-channel attack" is the ideal phrase, I'm not sure. It seems reasonable to me because I tend to associate that phrase with an approach that exploits information that is inadvertently leaked by the target system.

It sounds as though our brains leak information in the sense that when we are exposed to stimuli that has special significance to us there is special brain activity that can be externally measured. I'd agree that polygraphs too attempt to exploit information that is leaked by our bodies.

 

The first article mentions that "if you are proactively on the defensive, then the hacker has already messed up." ..."It’s harder to extract data from someone who knows they’re being attacked — as interrogators and torturers well know."

Even though it sounds like the brain "leaks" information, in this case it appears that it was teased out of the participants (whom were not told the nature of the experiment) with further analysis of the raw data responses.

Not a leak directly, but certainly clues.

-- Tom

 

Whatever terms we use, I think such approaches to acquiring information are interesting but also somewhat frightening. Be it a device designed to measure brain activity... a camera capturing pupil response, temperature, blood flow, posture/gestures... voice analysis looking for signs of emotion or health... or even some kind of pheromone detector... there are technological and automated approaches to monitoring the information given off by our bodies and those clues (with and/or without other data) can be used to zero in on things that we would in many cases not wish to be known to arbitrary observers. Various motives already exist, and along with our ever growing exposure to technology comes ever grown opportunities to carry that out.