Example Security Review #4

By Tadayoshi Kohno at 9:18 am on December 31, 2007

John Kurkowski provided this example CSE 490K Security Review.

Move over, traditional HCI. No longer shall we be bound to computers by the unintuitive, linear input of keyboards and mice. Electronic gaming company Emotiv is about to kick it up a vertebra with BCI: brain-computer interaction. The company is developing a headset called Project Epoc that processes the wearer’s brain signals in order to communicate wirelessly with a PC or video game console. Emotiv already offers a developer’s kit which helps developers utilize the headset’s separate abilities to monitor the wearer’s 1) facial expressions, 2) emotional state, 3) intent, and any combination thereof. In short, Project Epoc “makes it possible for games to be controlled and influenced by the player’s mind.” So throw away your clunky controllers that still require hands (should I keep my Guitar Hero controller? Will I play air guitar with my mind now?). Thought-controlled games are the future, man.

Emotiv may think their product is revolutionary and would be used only for good, that is, entertainment at the expense of no one. But the product developers need to keep certain assets in mind.

  • Privacy of User’s Thought: the goal is to make sure user thoughts are known only to the headset as it records them and known to the game being played. This is important because people do not want to broadcast their emotional status and perhaps controversial (!) opinions to parties unknown. OK, most people don’t want this. Let’s just assume the apocalypse-prophesying-sandwich-board hobo’s thoughts are less important an asset in regards to this product.
  • Authenticated Sources And Destinations of Wireless Transmission: the headset should communicate with the desired equipment (PC, Xbox, etc.), and equipment should only accept communication with relevant headsets. As users play a game, they do not want interfering devices controlling their game. Authentication and availability of service are important assets. We’re talking about their thoughts here. No one should stop them. What is this, 1984? Brazil? Anyway, I can’t think of a reason you would want to broadcast/receive headset communication to/from somewhere besides where you are located, playing your game.
  • The User’s Brain: I think it goes without saying that the single organ that truly distinguishes humans as human is worth protecting. Emotiv claims electroencephalography, or EEG, is a non-invasive measurement of the electrical activity of the brain. Because the brain is central to Project Epoc’s operation, it is a very important security goal for Emotiv to make sure the device remains non-invasive.

Now you know what’s at stake. Yet who would take advantage of innocent gamers wearing this stylish crown?

  • Stalkers, Murderers, Vagabonds, etc: I know I want to know the emotional state of my girlfriend before I enter my home. Is she cool, or should I lay low at a bar tonight? Project Epoc sounds capable of monitoring these sorts of things. Imagine what undesirables could do to her with this information.
  • Professional Gaming Cheaters: this is a risk with any wireless device. Say we have a professional game player playing when money’s at stake. Can we say for sure it’s his headset controlling the game? This would be harder to monitor than if we just looked at his hands with a typical controller in them. So, a behind-the-scenes threat, who perhaps knows more or is higher skilled, could play for him. Just like the machine that everybody thought could play chess but it was actually a little person hiding inside, that’s cheating!
  • The Government: a threat to your privacy, as the government might like the same information as stalkers above, but measurements of your disloyalty more so. There is also a threat to authentication. Say you’re exceptionally skilled at a space combat game that uses Project Epoc. If the government intercepted and relayed your thoughts, originally intended for your PC, in order to control an army of real-life starfighters to slaughter real-life aliens, would you want to know? What if they were innocent aliens?

Not much information is publicly available about Project Epoc. Nevertheless, allow me to conjecture some security weaknesses. Hopefully what I come up with is obvious and Emotiv already considered it. What if they haven’t?

  • Headset Modification: A possible weakness of Project Epoc is the inability of the helmet to know where it broadcasts thoughts. The intended destination is a PC or console owned by the wearer. What if it’s reconfigured to connect elsewhere too? The user is unaware; the thing still looks like any ordinary brainwave-reading headpiece lying around. And there’s no reason for the adversary-controlled receiver to ping the user back, informing him of the extra connection. A solution to this would be some form of intrusion detection that notifies the user if the helmet has been tampered with. And let this intrusion detection notify the user before he puts the helmet on, in case the device has been set from ‘non-invasively scan brainwaves’ to ‘kill’.
  • Obscure Wireless Protocol: Emotiv is using a proprietary wireless protocol for communicating with Project Epoc. Keeping the protocol obscure doesn’t eliminate the possibility of passively scanning the helmet’s transmissions. It is a weakness, because the security of wireless protocols ought to be examined by as many people as possible. Emotiv is gunning for security by obscurity. The solution is releasing the specifications of their protocol to security community scrutiny and making damn sure Project Epoc’s connection is not susceptible to cryptographic attacks (the traffic is encrypted, right?).
  • Disallowing Irrelevant Headsets: A receiver should only accept connections from Project Epoc headsets worn by people in the room. Otherwise, you let in the aforementioned threat of professional cheaters. Because the headset communicates wirelessly, this is difficult to verify on the receiver’s end. A solution might be to require the wearer to thoughtfully respond to a visual prompt on screen before starting up the game. But if the hidden cheater can see the screen too, this solves nothing. Another solution might be to require that relevant headsets be in the line of sight of the receiver, checking this by IR.
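
The “Authenticated Sources And Destinations” asset and the “Disallowing Irrelevant Headsets” weakness both come down to a receiver that accepts input only from a headset it was paired with. The following is an added example, not part of the review and not Emotiv’s design: their protocol is not public, so the frame layout, `make_frame`, `Receiver` and the `HS01`/`HS02` ids are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes
HDR_LEN = 12  # assumed header: 4-byte headset id + 8-byte big-endian counter

def make_frame(key, headset_id, counter, payload):
    # Headset side: id | counter | payload, then an HMAC over all three.
    body = headset_id + struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    # PC/console side: accepts frames only from headsets it has paired with.
    def __init__(self):
        self.paired = {}  # headset id -> [key, highest counter accepted]

    def pair(self, headset_id):
        key = secrets.token_bytes(32)  # handed to the headset out of band
        self.paired[headset_id] = [key, 0]
        return key

    def accept(self, frame):
        if len(frame) < HDR_LEN + TAG_LEN:
            return None  # too short to hold a header and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        entry = self.paired.get(body[:4])
        if entry is None:
            return None  # headset was never paired with this receiver
        expected = hmac.new(entry[0], body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, or frame modified in transit
        counter = struct.unpack(">Q", body[4:HDR_LEN])[0]
        if counter <= entry[1]:
            return None  # replay of an earlier frame
        entry[1] = counter
        return body[HDR_LEN:]

def demo():
    rx = Receiver()
    key = rx.pair(b"HS01")
    first = make_frame(key, b"HS01", 1, b"intent:push")  # constructed payload
    flipped = bytearray(make_frame(key, b"HS01", 2, b"intent:pull"))
    flipped[HDR_LEN] ^= 1  # one payload bit changed in transit
    stray = make_frame(secrets.token_bytes(32), b"HS02", 1, b"intent:push")
    return {"paired": rx.accept(first), "replayed": rx.accept(first),
            "unpaired": rx.accept(stray), "modified": rx.accept(bytes(flipped))}
```

The tag only proves a frame came from a holder of the pairing key: it gives no confidentiality (that needs encryption on top) and says nothing about whether the wearer is in the room, which is the limit the last bullet runs into.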

As cool as it sounds to strap up your dome for electroencephalography, there are genuine security risks Emotiv has to look into. Security isn’t a top concern in a lot of product advertisement, but for the company’s sake I wouldn’t buy into the product until they address security. And they should confer about this with their third-party developers, whose trustworthiness I haven’t even discussed here. Until this project dissolves or, if I were an optimist, more details are announced, I’ll be biting my nails in melancholy anticipation of Project Epoc.
