Privacy and security issues in Brain Computer Interfaces
Technologies that utilize human brain energies for control have expanded in number and ease of use. A greater number of Brain-Computer Interfaces (BCIs) are being used in restorative and nonmedical fields, including advertising, gaming and media outlets. BCI-empowered innovation has an incredible potential to enhance and improve the quality of human lives. The BCI examined for this thesis is the Emotiv Insight, a 5-channel EEG headset used for monitoring brain activity and for controlling external devices such as electronic wheelchairs and robotic arms. The functionality of BCIs is increasing in terms of treating motor disabilities and enhancing the abilities of users by extending their range of communication. The current problem is the consideration of security and privacy of the information being transmitted by the BCI technologies. Checks for security and privacy in the use of the headsets and the devices, and in the pairing connection, are not a high priority when utility is the design objective. This research study analyzed the various possibilities for capturing information transmitted from the BCI and tested the feasibility of attacks and of vulnerability identification. The threats described in the study create an awareness of the implications for improved BCI security designs and for greater care in the production of the headsets so that privacy issues may be addressed. Systematic testing of the BCI technologies for security and privacy vulnerability is required before use. The research question pursued in this research is “What are the security and privacy vulnerabilities for information in the use of Brain Computer Interface devices?”. The developers of the hardware and the applications need to shift their focus from creating device longevity and portability, and consider the broader risks that include malicious intervention and service disruption.
The successful attacks described in this research can be mitigated if manufacturers accept the performance costs associated with implementing the BLE 4.2 security standard in preference to the cheaper and more efficient BLE 4.0 standard that is generally used in the headsets. A comprehensive framework is required for developers to follow for better risk management and end-user protection. The research findings showed that with readily available basic hardware tools, information can be captured, read and manipulated. In addition, various types of attacks can be performed on the identified vulnerabilities, and the intended purpose of the technology can be disrupted, changed, and corrupted. The implications of these findings are important for the users and their safety. The different types of attacks achieved in the laboratory included the following:
• Passive eavesdropping: Listening to information transferred to the smartphone application from the Emotiv Insight without the user’s knowledge.
• Active interception: Interception of active information sent from the application to the headset. The intercepted data could either be dropped or forwarded to the headset.
• Denial of service: The connection of the Emotiv Insight to the smartphone application could be jammed by advertising bogus data packets.
• Data modification attack: The intercepted data could be modified to different data and forwarded to the Emotiv Insight to perform a different task.
The importance of this thesis is to highlight the impact of the attacks and the level of damage that can be caused. It also points towards harm that may be caused to users dependent upon this technology for their daily life functionality. EEG headsets such as the Emotiv Insight are becoming increasingly popular in terms of usability and functionality, and are easy to purchase. The EEG headsets have been used for medical applications, gameplay, learning, and in a wide variety of control situations.
This research emphasizes the vulnerabilities in the devices that may be exploited and cause potential harm to users. The designers, developers, and manufacturers of these devices need to pay greater attention to protecting the confidentiality and integrity of information critical to the intended functionality.