Conference Paper

Poster: Towards a Framework for Assessing Vulnerabilities of Brainwave Authentication Systems


Abstract

In the quest to devise new alternatives to password-based authentication, behavioral biometrics have become more and more appealing due to the improved usability that comes with their unobtrusiveness. One such type of biometric is brainwaves, which can nowadays be easily measured and used to prove a person's identity. Given the potential for this technology to be adopted in the near future, it is paramount to analyze its security implications. Furthermore, recent advances in brain-computer interfaces make it feasible to use brainwaves to prove users' identity. This work presents a comprehensive framework for assessing the vulnerabilities of brainwave authentication systems, incorporating new attack vectors that target specific features of brain biometrics. Resting on this theoretical groundwork, we analyze the existing literature on attacks and countermeasures, identifying gaps and providing a foundation for future research. Furthermore, we evaluated a subset of attacks identified through the framework and report our preliminary results.


... BIOMETRICS authentication [1] refers to the use of a person's unique physiological or behavioural characteristics, such as fingerprints, finger veins, faces, or gaits, to verify his/her identity. While biometric authentication offers many advantages over traditional authentication methods such as secret authentication, there are still some weaknesses of biometric authentication in terms of accuracy and security/privacy [2], [3], [4], [5], [6]. First, false positives (accepting an unauthorized person as a valid user) and false negatives (rejecting a valid user) are major concerns due to the inherent fuzziness of biometric data. ...
Preprint
Existing fuzzy extractors and similar methods provide an effective way for extracting a secret key from a user's biometric data, but are susceptible to impersonation attack: once a valid biometric sample is captured, the scheme is no longer secure. We propose a novel multi-factor fuzzy extractor that integrates both a user's secret (e.g., a password) and a user's biometrics in the generation and reconstruction process of a cryptographic key. We then employ this multi-factor fuzzy extractor to construct personal identity credentials which can be used in a new multi-factor authenticated key exchange protocol that possesses multiple important features. First, the protocol provides mutual authentication. Second, the user and service provider can authenticate each other without the involvement of the identity authority. Third, the protocol can prevent user impersonation from a compromised identity authority. Finally, even when both a biometric sample and the secret are captured, the user can re-register to create a new credential using a new secret (reusable/reissued identity credentials). Most existing works on multi-factor authenticated key exchange only have a subset of these features. We formally prove that the proposed protocol is semantically secure. Our experiments carried out on the finger vein dataset SDUMLA achieved a low equal error rate (EER) of 0.04%, a reasonable averaged computation time of 0.93 seconds for the user and service provider to authenticate and establish a shared session key, and a small communication overhead of only 448 bytes.
Article
Existing fuzzy extractor and similar methods provide an effective way for extracting a secret key from a user’s biometric data, but are susceptible to impersonation attack: once a valid biometric sample is captured, the scheme is no longer secure. We propose a novel multi-factor fuzzy extractor that integrates both a user’s secret (e.g., a password) and a user’s biometrics in the generation and reconstruction process of a cryptographic key. We then employ this multi-factor fuzzy extractor to construct personal identity credentials, which can be used in a new multi-factor authenticated key exchange protocol that possesses multiple important features. First, the protocol provides mutual authentication. Second, the user and service provider can authenticate each other without the involvement of the identity authority. Third, the protocol can prevent user impersonation from a compromised identity authority. Finally, even when both a biometric sample and the secret are captured, the user can re-register to create a new credential using a new secret (renewable biometrics-based identity credentials). Most existing works on multi-factor authenticated key exchange only have a subset of these features. We formally prove that the proposed protocol is semantically secure. Our experiments carried out on the finger vein dataset SDUMLA achieved a low equal error rate (EER) of 0.04%, a reasonable computation time of 0.93 seconds for the user and service provider to authenticate and establish a shared session key, and a small communication overhead of 448 bytes.
Article
Brainwaves have been demonstrated to be unique enough across individuals to be useful as biometrics. They also provide promising advantages over traditional means of authentication, such as resistance to external observability, revocability, and intrinsic liveness detection. However, most of the research so far has been conducted with expensive, bulky, medical-grade helmets, which offer limited applicability for everyday usage. With the aim to bring brainwave authentication and its benefits closer to real world deployment, we investigate brain biometrics with consumer devices. We conduct a comprehensive measurement experiment and user study that compare five authentication tasks on a user sample up to 10 times larger than those from previous studies, introducing three novel techniques based on cognitive semantic processing. Furthermore, we apply our analysis on high-quality open brainwave data obtained with a medical-grade headset, to assess the differences. We investigate the performance, security, and usability of the different options and use this evidence to elicit design and research recommendations. Our results show that it is possible to achieve Equal Error Rates as low as 7.2% (a reduction between 68-72% with respect to existing approaches) based on brain responses to images with current inexpensive technology. We show that the common practice of testing authentication systems only with known attacker data is unrealistic and may lead to overly optimistic evaluations. With regard to adoption, users call for simpler devices, faster authentication, and better privacy.
Article
Driven by an increasing number of connected medical devices, the Internet of Medical Things (IoMT), as an application of the Internet of Things (IoT) in healthcare, is developed to help collect, analyze and transmit medical data. During the outbreak of a pandemic like COVID-19, IoMT can be useful to monitor the status of patients and detect main symptoms remotely, by using various smart sensors. However, due to the lack of emotional care in current IoMT, it is still a challenge to reach an efficient medical process. Especially under COVID-19, there is a need to monitor emotion status among particular people like the elderly. In this work, we propose an emotion-aware healthcare monitoring system in IoMT, based on brainwaves. With the fast development of EEG (electroencephalography) sensors in current headsets and some devices, brainwave-based emotion detection becomes feasible. The IoMT devices are used to capture the brainwaves of a patient in a smart home scenario. Also, our system involves the analysis of touch behavior as the second layer to enhance the brainwave-based emotion recognition. In the user study with 60 participants, the results indicate the viability and effectiveness of our approach in detecting emotions like comfortable and uncomfortable, which can complement existing emotion-aware healthcare applications and mechanisms.
Conference Paper
In the coming period of Internet of Things (IoT), user authentication is one important and essential security mechanism to protect assets from unauthorized access. Textual passwords are the most widely adopted authentication method, but have well-known limitations in the aspects of both security and usability. As an alternative, biometric authentication has attracted much attention, which can verify users based on their biometric features. With the fast development of EEG (electroencephalography) sensors in current headsets and personal devices, user authentication based on brainwaves becomes feasible. Due to its potential adoption, there is an increasing need to secure such an emerging authentication method. In this work, we focus on a brainwave-based computer-screen unlock mechanism, which can validate users based on their brainwave signals when seeing different images. Then, we analyze the security of such a brainwave-based scheme and identify a kind of reaction spoofing attack where an attacker can try to imitate the mental reaction (either familiar or unfamiliar) of a legitimate user. In the user study, we show the feasibility and viability of such an attack.
Article
Cryptographic frameworks depend on key sharing for ensuring security of data. While the keys in cryptographic frameworks must be correctly reproducible and not unequivocally connected to the identity of a user, in biometric frameworks this is different. Joining cryptography techniques with biometrics can solve these issues. We present a biometric authentication method based on the discrete logarithm problem and Bose-Chaudhuri-Hocquenghem (BCH) codes, perform its security analysis, and demonstrate its security characteristics. We evaluate a biometric cryptosystem using our own dataset of electroencephalography (EEG) data collected from 42 subjects. The experimental results show that the described biometric user authentication system is effective, achieving an Equal Error Rate (EER) of 0.024.
Article
Brain–computer interfacing technologies are used as assistive technologies for patients as well as healthy subjects to control devices solely by brain activity. Yet the risks associated with the misuse of these technologies remain largely unexplored. Recent findings have shown that BCIs are potentially vulnerable to cybercriminality. This opens the prospect of “neurocrime”: extending the range of computer-crime to neural devices. This paper explores a type of neurocrime that we call brain-hacking as it aims at the illicit access to and manipulation of neural information and computation. As neural computation underlies cognition, behavior and our self-determination as persons, a careful analysis of the emerging risks of malicious brain-hacking is paramount, and ethical safeguards against these risks should be considered early in design and regulation. This contribution is aimed at raising awareness of the emerging risk of malicious brain-hacking and takes a first step in developing an ethical and legal reflection on those risks.
Conference Paper
Brain-Computer Interfaces (BCI) are becoming increasingly popular in medical and non-medical areas. Unfortunately, manufacturers of BCI devices focus on application development, without paying much attention to security and privacy related issues. Indeed, an increasing number of attacks to BCI applications underline the existence of such issues. For example, malicious developers of third-party applications could extract private information of users. In this paper, we focus on security and privacy of BCI applications. In particular, we classify BCI applications into four usage scenarios: 1) neuromedical applications, 2) user authentication, 3) gaming and entertainment, and 4) smartphone-based applications. For each usage scenario, we discuss security and privacy issues and possible countermeasures.
Conference Paper
Brain computer interfaces (BCI) are becoming increasingly popular in the gaming and entertainment industries. Consumer-grade BCI devices are available for a few hundred dollars and are used in a variety of applications, such as video games, hands-free keyboards, or as an assistant in relaxation training. There are application stores similar to the ones used for smart phones, where application developers have access to an API to collect data from the BCI devices. The security risks involved in using consumer-grade BCI devices have never been studied and the impact of malicious software with access to the device is unexplored. We take a first step in studying the security implications of such devices and demonstrate that this upcoming technology could be turned against users to reveal their private and secret information. We use inexpensive electroencephalography (EEG) based BCI devices to test the feasibility of simple, yet effective, attacks. The captured EEG signal could reveal the user's private information about, e.g., bank cards, PIN numbers, area of living, the knowledge of the known persons. This is the first attempt to study the security implications of consumer-grade BCI devices. We show that the entropy of the private information is decreased on the average by approximately 15%-40% compared to random guessing attacks.
Conference Paper
Electroencephalography (EEG) is the recording of electrical activity occurring in the brain, which is recorded from the scalp through placement of voltage sensitive electrodes. It has been repeatedly demonstrated that the brain emits voltage fluctuations on a continuous basis. These fluctuations are a reflection of the on-going brain dynamics, which present as a series of fluctuations that have characteristic waveforms and amplitude patterns, depending on the cognitive state of the subject. A number of published reports have indicated that there is enough depth in the EEG recording, rendering it suitable as a tool for person authentication. This idea has a solid underpinning in that recent evidence suggests much of the on-going EEG recordable activity within brains has a genetic component. This study presents the common steps for developing human identification systems based on EEG signals. It will also present some of the important techniques used.
Article
Because biometrics-based authentication offers several advantages over other authentication methods, there has been a significant surge in the use of biometrics for user authentication in recent years. It is important that such biometrics-based authentication systems be designed to withstand attacks when employed in security-critical applications, especially in unattended remote applications such as e-commerce. In this paper we outline the inherent strengths of biometrics-based authentication, identify the weak links in systems employing biometrics-based authentication, and present new solutions for eliminating some of these weak links. Although, for illustration purposes, fingerprint authentication is used throughout, our analysis extends to other biometrics-based methods.
Article
Brainwaves, which reflect brain electrical activity and have been studied for a long time in the domain of cognitive neuroscience, have recently been proposed as a promising biometric approach due to their unique advantages of confidentiality, resistance to spoofing/circumvention, sensitivity to emotional and mental state, continuous nature, and cancelability. Recent research efforts have explored many possible ways of using brain biometrics and demonstrated that they are a promising candidate for more robust and secure personal identification and authentication. Although existing research on brain biometrics has obtained some intriguing insights, much work is still necessary to achieve a reliable ready-to-deploy brain biometric system. This article aims to provide a detailed survey of the current literature and outline the scientific work conducted on brain biometric systems. It provides an up-to-date review of state-of-the-art acquisition, collection, processing, and analysis of brainwave signals, publicly available databases, feature extraction and selection, and classifiers. Furthermore, it highlights some of the emerging open research problems for brain biometrics, including multimodality, security, permanence, and stability.
Book
In the last fifteen years, a recognizable surge in the field of Brain Computer Interface (BCI) research and development has emerged. This emergence has sprung from a variety of factors. For one, inexpensive computer hardware and software are now available and can support the complex high-speed analyses of brain activity that are essential in BCI. Another factor is the greater understanding of the central nervous system, including the abundance of new information on the nature and functional correlates of brain signals and improved methods for recording these signals in both the short-term and long-term. And the third, and perhaps most significant factor, is the new recognition of the needs and abilities of people disabled by disorders such as cerebral palsy, spinal cord injury, stroke, amyotrophic lateral sclerosis (ALS), multiple sclerosis, and muscular dystrophies. The severely disabled are now able to live for many years and even those with severely limited voluntary muscle control can now be given the most basic means of communication and control because of the recent advances in the technology, research, and applications of BCI.