4/12/2013
04:31 PM

Researchers Analyze Brainwaves To Authenticate Users

Passwords may not need to be made of numbers and letters after all

It sounds like something straight out of science fiction: brainwaves taking the place of passwords in the name of authentication. But a new study by researchers from the U.C. Berkeley School of Information is turning fiction into reality.

The study (PDF) examined the brainwave signals of individuals performing specific actions to see whether they can be consistently matched to the right individual. To do this, the researchers recruited 15 college students to participate, asking them to allow their brainwaves to be recorded as they performed a series of repeatable tasks. Three were tasks everyone was asked to do, while four were ones where the users had individual secrets.

In the tasks where participants could choose a personal secret, they were asked to imagine performing a repetitive motion from a sport of their choice, to imagine singing a song of their choice, to watch a series of on-screen images and silently count the objects that match a color of their choice, or to choose their own thought and focus on it for 10 seconds.

To measure the subjects' brainwaves, the team used the NeuroSky Mindset, a Bluetooth headset that records electroencephalographic (EEG) activity. In the end, the team was able to match the brainwave signals with 99 percent accuracy.

"We are not trying to trace back from a brainwave signal to a specific person," explains Prof. John Chuang, who led the team. "That would be a much more difficult problem. Rather, our task is to determine if a presented brainwave signal matches the brainwave signals previously submitted by the user when they were setting up their pass-thought."

"In this case," he continues, "our experimental study found that we can with high accuracy make the determination whether a presented brainwave signal belongs to a user or not due to patterns in the brainwaves that are different for different individuals. We also found that it was not necessary to have users perform different mental tasks in order to achieve our level of authentication accuracy. Having our experimental subjects perform different mental tasks allows us to study whether certain types of tasks were preferred by users because of their enjoyability or ease of execution."

The team's findings were presented at the 17th International Conference on Financial Cryptography and Data Security in Japan this week. In a paper, the team argues that the embedding of EEG sensors in wireless headsets and other consumer electronics makes authenticating users based on their brainwave signals a realistic possibility.

"Obviously, using brainwaves for authentication [has been] the stuff of science-fiction for a very long time," Chuang says. "There [have] been a number of previous research studies looking at brainwave authentication, but they employ multichannel EEG technology in clinical settings. When the NeuroSky single-channel technology became available on the market, we decided to study whether brainwave authentication is feasible with these inexpensive consumer-grade devices in everyday [nonclinical] settings."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
nannasin28,
User Rank: Apprentice
4/16/2013 | 2:57:06 AM
re: Researchers Analyze Brainwaves To Authenticate Users
Passwords and Trade secrets can and are obtained this way.-- 4N25
femtobeam,
User Rank: Apprentice
4/15/2013 | 4:54:14 PM
re: Researchers Analyze Brainwaves To Authenticate Users
Headsets are not necessary to read brainwave potentials. The sensitivity of sensors that can differentiate between brainwave potentials was first publicly demonstrated by Brainfingers- software.

It is now possible to interface with the brain via interactive hybrid networks, whether by internal or external sensors. The authors of the paper did not go into details about the big missing factor, the fact that this is not just about "reading" information from the brain for authentication, but also "writing" information to the brain from any source with access. Time stamping, Network re-routing, changing information on the fly, are all still possible during the transmission of brain waves. So are man in the middle attacks. Security and assurance of brainwaves as identity requires full network evaluation with these possibilities in mind. Falsifying brainwaves is possible, even in the subliminal domain, due to the speed of communications in relationship to the speed of brain action.

It is an infallible method of truthful information in that the subliminal mind does not lie, however, it is also possible to input subliminal messages that can be misinterpreted. Passwords and Trade secrets can and are obtained this way. Pain can be recorded from one individual and sent to the brain of another. Remote rape is already under scrutiny in Europe. This has implications far beyond the subject of this article.

The key to identity assurance is in time stamping and comparisons of multiple sources of information.

"We must have a physical off switch to protect individual human rights"

"It is all in the speed of light"

"In the future, we may all die from hearsay!" Robin L. Ore