#neurosecurity

C. Brain Spyware - BCI-enabled Malicious Application

At the 2012 USENIX Security Symposium, Martinovic et al. [31] presented the first malicious software designed to detect a user’s private information using a BCI. They referred to is as the “brain spyware”. The authors used a commercially available BCI to present users with visual stimuli and record their EEG neural signals. They focused on the P300 response, and analyzed the recorded signals in order to detect users’: (a) 4-digit PINs, (b) bank information, (c) months of birth, (d) locations of residence, and (e) if they recognized the presented set of faces.

While the authors of [31] have focused only on the P300 response, it is not hard to imagine brain spyware applications being developed to extract private information about users’ memories, prejudices and beliefs, but also about their possible neurophysiological disorders. Currently, there does not seem to exist a way to resist these attacks. Moreover, recent results [28] show that attempts at willful deception can themselves be detected from an individual’s neural signals. Going a step further, the same authors [28] show that non-invasive brain stimulators, emitting imperceptible DC electrical currents, can be used to make a user’s responses noticeably slower when attempting to lie.

Thus, there is a growing need to address the potential privacy and security risks arising from the use of BCIs, in both medical and non-medical applications. As a first step, we are exploring which components of the EEG signal can be used to infer private information about a user, and quantifying the amount of exposed information.

V. THREAT MODEL

Consider an example model of an attacker who uses BCIs to extract private information about users. We assume this will involve non-invasive BCI devices, mostly intended for consumer use. Manufacturers of non-invasive EEG-based BCIs generally distribute software development kits and guides with their products, as well as technical support. Their intention is to promote application development, but such “open-development” platforms may compromise user privacy and security, since there is currently no review process, standards and guidelines in place to protect users, nor technical protection to restrict inappropriate or malicious BCI use.

As depicted in Figure 1, a typical BCI system consists of three main components: (R1) an acquisition system, (R2) an application, and (R34) a signal processing system, where the signal processing system consists of (R3) feature extraction and (R4) decoding (translation) algorithm components. The existing BCI open-development platforms typically grant every application developer full control over all four of these components. For the discussion of this paper, we will assume an attacker has an access to all of these resources (R1)–(R4). We next consider how an attacker uses these resources to develop malicious applications.

A. Types of Attackers 

In Figure 2, two types of attackers are shown (as described in the caption). We distinguish between these types based on the way an attacker analyzes recorded neural signals. The first type of an attacker extracts users’ private information by hijacking the legitimate components of a BCI system. Such an attacker exploits for malicious purposes those feature extraction and decoding algorithms that are intended for the legitimate BCI applications. The second type of an attacker extracts users’ private information by adding or replacing the legitimate BCI components. Such an attacker implements additional feature extraction and decoding algorithms, and either replaces or supplements the existing BCI components with the additional malicious code. As can be observed from the Figure, the difference between the two attacker types is only in the structure of the “brain malware” component.

B. Methods of Extracting Private Information

We consider scenarios where an attacker interacts with users by presenting them with specific sets of stimuli, and recording their responses to the presented stimuli. In the current literature, there are several well-established methods of presenting stimuli to users:

• Oddball paradigm - a technique where users are asked to react to specific stimuli, referred to as target stimuli, hidden as rare occurrences in a sequence of more common, non-target stimuli [23].

• Guilty knowledge test - a technique based on the hypothesis that a familiar stimulus evokes a different response when viewed in the context of similar, but unfamiliar items [44].

• Priming - a technique that uses an implicit memory effect where one stimulus may have an influence on a person’s response to a later stimulus [39].

We assume an attacker can use any of these methods to facilitate extraction of private information. In addition, an attacker can present malicious stimuli in an overt (conscious) fashion, as well as in a subliminal (unconscious) way, with subliminal stimulation defined as the process of affecting people by visual or audio stimuli of which they are completely unaware [15]. Ways of achieve unawareness typically include reducing a stimulus intensity or duration below the required level of conscious awareness.

C. Examples of “Brain Malware” Information Misuse

Private information about BCIs users, extracted using “brain malware”, may be of interest to multiple parties, those using it for greater good and potential improvement of the quality of humans lives, but also to those using it to increase their own (financial) gains, as well as those using it simply to harm others. One can easily imagine the following examples of concerning BCIs use:

Example 1: As exemplified in Farahaney’s work [22], an access to an individual’s memories and emotional responses might be used by police enforcement and government agencies during criminal investigation, as well as for crime and terrorism prevention.

Example 2: BCI-recorded neural signals may be used in a variety of entertainment and relaxation applications. A person’s emotional response and satisfaction/annoyment level may, for example, be used to provide better (more accurate) music and/or movie recommendations. Similarly, information about a person’s activity and anxiety levels may be used to tailor a more personalized training routine or a relaxation session.

Example 3: Personal information, extracted from neural signals, could also be used for targeted advertisement, where in addition to (or instead of) information about a person’s activities on the Internet, an advertiser/retailer would have a realtime access to a person’s level of interest, satisfaction, or frustration with the presented material.

Example 4: On the other end of the spectrum, however, the extracted information about a person’s memories, prejudices, beliefs or possible disorders could be used to manipulate a person or coerce her/him into doing something.

Example 5: Finally, the extracted neural information could also be used to cause physical or emotional harm to a person. Examples of such actions have already been observed in the literature. Denning et al. [21], presented the case of individuals who placed flashing animations on epilepsy support webpages, eliciting seizures in some patients with photosensitive epilepsy.

VI. THE NEED FOR A COORDINATED PREVENTION APPROACH

Issues arising from misuse or inappropriate use of BCI technology most likely do not pose a critical concern yet, considering their limited use outside of research communities. However, existing and emerging privacy and security threats may be viewed as an attack on human rights to privacy and dignity [13]. Thus, they deserve immediate attention and careful consideration. We suggest that methods to prevent and mitigate BCI-enabled privacy and security threats must be developed now, in the early design phase. Doing so will allows us to keep up with Privacy-by-Design [1] values, as well as with general values of privacy-enhancing technologies.

We view the development of prevention and mitigation tools as an interdisciplinary effort, involving neuroscientists, neural engineers, ethicists, as well as legal, security and privacy experts. The first step of this interdisciplinary approach should be an open discussion, aimed at answering the following questions: (i) Who all should be allowed an access to individuals’ neural signals? (ii) Which components of these neural signals should those entities have an access to? (iii) How noisy, distorted or distilled should these components be made before making them available? (iv) Which purposes are the entities allowed to use the neural signals for? and (v) What are the risks associated with the misuse of the provided components, i.e., what amount of private information can be extracted from the provided components?

We expect the answers to questions (i)–(v) will lead to a “triangle” approach towards enhancing privacy and security of BCI technology. On one vertex of the triangle, we expect to have legal experts and ethicists, defining a set of laws and policies to govern legal use of neural signals. As an example of possible legal intervention, the law could examine should the BCI platforms indeed be immunized for the apps they sell, or is some other balance between manufacturers and application developers more appropriate for BCI technologies.

On the second vertex, we expect to have a group of neuroscientists and engineers, in charge of developing and establishing a set of industry and research standards, methods, processes and practices for secure and privacy-preserving BCI systems. One such practice may, for example, require there to exist a centralized authority in charge of reviewing and validating every BCI application before allowing its use in general population. Finally, at the third vertex we expect BCI systems manufacturers and application developers, developing, implementing and using engineering practice, methods and tools, in order to prevent and mitigate specific classes of security and privacy attacks. Clearly the IEEE, and its standards process, could have a role here.

Read more »