top of page

Study Shows Phishing Could Evolve to Target Brainwave Activity

Advancements in technology over recent years have made EEG headsets, which read and interpret brain activity into controlling software applications, available to consumers. A recent academic study examined exploiting such technology to obtain personal and financial information by attacking victims while wearing these headsets, and yielded surprising results that showed fraudsters could exploit such technologies in the not-too-distant future.

The Electroencephalography (EEG) headsets have been on the consumer market since 2010 and can be used for controls within software applications and games, and can also be a helpful tool for enabling disabled persons to more efficiently use a computer. Security researchers from the University of Oxford, UC Berkley and the University of Geneva sought to explore potential cyber-attacks using such technology in their research paper “On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces.” In studies the researchers were able to obtain a headset user’s PIN, their birth month and the name of their banking institution with varying levels of success.

By showing numbers zero through nine to the EEG headset users in random order and monitoring their brainwave responses the researchers tried to guess the user’s PIN, and they were able to do so successfully on the first try 20 percent of the time. With similar tests, where stimuli would be presented to the test subject and their brain activity would be recorded with the consumer-grade EEG headsets, the researchers were able to correctly guess the subjects bank (based on pictures of ATM machines) 30 percent of the time and guess their birth month 60 percent of the time.

Consumers with these EEG headsets are able to download apps while developers can create applications from a common API which provides unrestricted access to the raw brainwave signals so it can be interpreted and used within the developer’s app. With the EEG headsets the user must calibrate the headset with the game or application, and this provides the opportunity for the attacker to present the stimuli that induces the thoughts and brain activity that will indicate the victim’s personal or financial information.

EEG headsets are not very common today and there have been no known attacks targeted at this technology yet. But fraudsters are quick to adjust to changes in technology as they look for new vulnerabilities. In several years these headsets could make their way into more homes and find more uses, providing fraudsters another channel of attack. Once these headsets are used to control web browsers and email clients fraudsters may find other ways to present stimuli and record brain-wave activity as means of phishing for sensitive information.

For more information:


bottom of page