When a user types, their inputs correspond with their visual processing and with their hand, eye and head muscle movements. EEG headsets capture all of these movements.
Researchers at the University of Alabama at Birmingham designed an experiment that required 12 users to type randomly generated passwords into a text box repeatedly while wearing an EEG headset. After typing 200 characters, an algorithm was able to make educated guesses about new characters based on the brainwave pattern.
The algorithm was able to increase the odds of guessing a four-digit numerical PIN from one in 10,000 to one in 20 and the odds of guessing a six-letter password from one in 500,000 to roughly one in 500.
“In a real-world attack, a hacker could facilitate the training step required for the malicious program to be most accurate, by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to the way CAPTCHA is used to verify users when logging onto websites,” Nitesh Saxena, associate professor at the University of Alabama at Birmingham, said in a press release.