Using EEG-Based BCI Devices to Subliminally Probe for Private Information.

EEG-based Brain-Computer-Interfaces are becoming available as consumer-grade devices, used in applications from gaming to learning programs with neuro-feedback loops. While enabling attractive applications, their proliferation introduces novel privacy concerns and security threats. One such example are attacks in which adversaries compromise EEG-based BCI devices and analyze the user's brain activity in order to infer private information such as their bank or area-of-living. In this paper, we propose and analyze a more serious threat - a subliminal attack in which, given that the visual probing lasts for less than 13.3 milliseconds, the existence of any stimulus is below ones cognitive perception. We show that even under such limitation, the attacker can still analyze subliminal brain activity in response to the rapid visual stimuli and consequently infer private information about the user. By running a proof-of-concept study with 27 participants, we experimentally evaluate the feasibility of subliminal attacks using EEG-based BCI devices. While not perfect, our results show that it is indeed feasible for attackers to subliminally learn probabilistic information about their victims.