“Securing the Exocortex” – Tamara Bonaci

Tamara Bonaci: Hello, all, I’m Tamara and I’m very glad to be here. Let me tell you a little bit something about myself. I’m a graduate student at the University of Washington, working at the electrical engineering department and my research involves private and security issues of emerging cyberphysical systems. Of which one is Exocortex, let me tell you something about our paper.

What is an Exocortex? Well, an exocortex is any variable or implanted computing machine that’s being used to augment brain’s biological high level cognitive processes and to assist the user with decision making. In this paper, we specifically focuses on one existing type of exocortexes, that’s brain computer interfaces where in order to communicate with an external environment, a user uses neurosignals.
In recent years we’ve seen a large increase in the application space for these devices. Now we have BCIs being used to control neuroprostethics or maybe a wheelchair. We have a device that was very popular for a few years in Japan, the [inaudible 00:01:22] system. The cat like ears were based on the observed emotion, the ears start wiggling, then on the other end of the spectrum we have the Mind Device, developed in collaboration between the Nielsen company and the neurofocus. The purpose of that device was to facilitate marketing and advertisement research.

What’s wrong with these devices? Nothing. Nothing in particular, except the way they are operating today, they can actually be used or misused to be more precise, to mount brains spyware attacks. Brain spyware attacks or brain spyware, are all the malicious applications aimed specifically at extracting private information about users. When I say private information I mean the privatest of the private, something like our prejudices, maybe our religious and political beliefs, maybe even our sexual orientation or as has been shown in the work by Martinovich and [inaudible 00:02:28] recently, our financial secrets like our credit card pins, our passwords and passcodes.

What’s the current state of the art? Currently, people have recognized the problem, they’re starting looking at it, but at the moment there’s no commercially available method that can resist these attacks. Moreover, from what we know from the neuroscientific community, if we were to try to deceive these devices or malicious attackers trying to extract information about us, that itself can be detected. Are you scared yet? Things are not so bad. Everything is not lost, however. The reason for that is very simple, even though the applications are many, these devices are only starting to be deployed, for now they are still only being used in constraint and controlled environments such as only a few medical institutions and only a few laboratory and scientific centers around the world.

If we are to learn anything from our recent past and from the situation we had with Internet and maybe smartphones, social networks, then we know that the time to do something about it is now, and we ought to address these privacy and potential security threats now. This is what we advocate in this paper, we say, the development phase is so early on that we can actually include these considerations from the design phase. We do acknowledge that this will have to be in this interdisciplinary approach, which will have to involve many disciplines, neuroscientists, security experts, engineers of different sorts, as well as legal experts and ethicists.

Us being engineers, we approach the problem from an engineering perspective and here we start following professor Wiener’s lead. We look at the BCI as a communication system between the brain and the external environment, except in this communication system instead of using our words or maybe text to communicate with the world, we use our neurosignals. If we look at these devices in such a way then we can see they consist of several components. Typically, you have a user using his varying [inaudible 00:04:44] cap or something else on their head, and the signals are being recorded and collected in the signal acquisition component, that signal is then typically being digitized and it’s being processed.

When it comes to signal processing we typically have two components, feature extraction and classification. Once we’ve reduced what user intention was, we can provide that information to the application, be that a neuroprosthetic control, or a game, or whatever it may be. If we look at the system in terms of our diagram, why are there potential privacy threats and why do they occur? It’s sort of simple why do they occur. With the current state of things in the recent years several manufacturers of these devices, in order to facilitate further research and deployment, have offered consumer grade devices and not only them, but they’ve also opened up the whole application development space to everyone.

Now you have a case where not only do you have access to a person’s signals if a person is using the device, but you can also develop an application, and this is where the things kind of get scary. You can imagine someone malicious doing several things. You can [inaudible 00:06:05] the signal processing component and do malicious things with it to try to extract information. Or, if you’re a more resourceful attacker, you can actually add your own signal processing component and run things in parallel, or, the scariest thing, you can develop your own malicious application where a person may be doing something completely benign, and yet you may be extracting private information.

Okay, that’s all very abstract. But how do we go and how do we begin extracting that private information and why does it work? As it turns out, the EEG signal, that noise looking like signal is extremely information rich, and it consists of many components, and it turns out that one component in particular is very useful for these types of attacks, that component is known as event related potential. What event related potential actually is, is the following, it’s a response associated with a specific sensory, cognitive, or [inaudible 00:07:10] event. It can be observed as either a positive or negative voltage peak, and it’s typically time locked to a stimulus, which means it has a very high temporal resolution.

These ERPs are a list of familiar stimuli or unexpected events. Now, if you think about it a little bit further, you kind of start seeing that you can go after private information in a twenty questions paradigm, in that sort of a setup where you have one main question that you want to get an answer to, and you have a set of possible answers, now in order to come to the correct one, you start asking questions so that you start narrowing down your set of possible answers until you reach the solution. What’s even more interesting about these ERPs is that you can go after this private data in both conscious way, in other words so that the person is aware of the stimuli you’re presenting, but also in a subliminal way, so that the stimuli are presented below a person’s conscious level of observing things.
What do we do when we want to go out a private information? We place an EEG cap on your head, we place the electrodes on the right locations, and then we provide a stimuli, which can, as I said, be either conscious and subconscious, and we record the exact moment in time when we provided a stimuli, and we record the whole EEG signal. After that, we let the user go, and then we start processing the signal. First of all, we need to get rid of noise, then we need to get rid of the mean of the signal, we need to do a little bit of averaging. As an end result, we have something like this.

Anyways, I can do it without. If you have a stimulus occurring at times 0, then if we’re looking at the p300 component, that component will typically be observed as a positive peak 300 milliseconds after the stimulus. The amplitude of that component will tell us a lot. If you’re reacting to something the amplitude will be higher than if something doesn’t have meaning to us. That’s nice, but very theoretical. Let me show you a real example of a threat of this sort that we’ve developed but not to try to go after your privatest of the private information, we developed it to facilitate our research to understand what’s going on and how do we prevent it.

The threat that we’ve developed is a game called [inaudible 00:09:58] Wheel, and it’s a game where we’re looking like something like this shown below, where a user sits in front of the screen and the point of the game is to control the position of the wheel so that the wheel goes through the tubes. You don’t want to hit the tubes, as you become more proficient in the game we made the tubes narrower and it becomes kind of harder to push the wheel through the tubes. It sounds like a simple game, with a twist, you’re controlling the game with your neurosignals, or your muscle signals, either EMG or EEG signals.

While you’re playing this game, we ask you something as simple as, we never go after your private information, we only ask some simple questions such as “What’s your favorite coffee shop?” And while you’re playing the game we flash you with the logos of coffee shops and we’re recording your EEG signals. The hypothesis being that when you recognize your favorite coffee shop, your ERP component that we’re looking at will be higher than for all the other logos, that’s how we go about it. Again, we’re never trying to extract anything that might be scary, might be privacy affecting.

Now, I kind of need to switch gears a little bit, after you’ve seen the game and after we explored it, we kind of want to know what’s the actual risk, we can talk of risk in this and that, we’re extracting information. Unless we can actually objectively quantify it, it stays in the realm of guessing. In order to know what’s actually going on, we again resorted to Wiener’s solution and we’re trying to cast this program to a known and very well explored models from game theory. We’re modeling this attack as a multiple access channel with generalized feedback. It’s a mouthful, I know, but it’s not that complicated.

Here’s what’s going on, we say “You’re intent to move the wheel up or down can be considered as one source and one message, for example, source 1 with the message x1”. Your private information about the fact that Starbucks is for example your favorite coffee shop, can be considered another source of information with the message x2. These two messages get combined into a recorded EEG signal, and that’s the signal that we observe from the outside, and that’s the signal that a malicious person would be able to observe as well.

Now, if a malicious person is able to provide feedback about the game, then what we will observe is the feedback C 1 is going to be the position of the wheel on the screen. But there may also be another source of feedback, and that source of feedback may come from the attacker’s ability to extract our private information. For example, if an attacker can with certainty deduce what’s our favorite coffee shop, they may stop flashing those stimuli, if not, they may continue doing that, so that’s the other source of feedback. Why do we need this?

This helps us provide a validated and very well researched mathematical framework to define what a successful attack is. It’s very simple, an attack is successful if an attack can actually decode our private information. But that itself may not be enough, we may need a little bit more. That little bit more is known to everyone doing something with security. We actually want that attack to remain hidden, because if you think about it in terms of our Flappy Wheel game, if the wheel stops moving on the screen even though you’re moving, for example, you hand, then the game isn’t really interesting and nothing’s happening and after a few seconds you’ll say “This is not working” and you’ll leave, and the attacker may have not gained enough information.

As long as the game’s progressing and everything’s fine, you’ll keep playing and the attack is successful, eventually. This is a successful attack, with the information theoretic framework we can define the probability of that successful attack happening, and then we can extend it further, we can also define the goal of a user, and I’ll talk a little bit more about it in a second, but once we know the goals of both of them, once we know the needed resources, we can move a little bit further and explore this in the game theoretic framework, and now we can see what the attacker needs to do to optimize the attack to use his resources in a best way, and what the user needs to do to prevent these attacks.

That’s the aspect that interests us the most, because we really want to prevent these attacks from happening. We now focus on the user, again, user’s goal is very intuitive, user wants to prevent all unauthorized parties from ever accessing and decoding our private data. Here comes our main contribution, at least the way I see it. We do have an approach to it, and what we propose is, let’s take that information reach EEG signal, and let’s acknowledge that there are many components in it, but that our legitimate BCI application only need a little piece of it, one or a few components.

Let’s use those needed components and let’s provide them into the application, but let’s never store or transmit the whole neurosignal, as it may provide information we are not willing to give. Okay, that may or may not make sense. It hopefully does, but how do we implement it and how do we go about it if that’s the approach we want to follow? In here we resort to existing technologies and we look back at the, for example, smartphone industry. In the smartphone industry, as many of you know, and many of you probably much better than I do, there’s something called private and identifying information. An example of that might be your phone book entries, your current location, the photos and the videos that you have.

As you all know, we don’t want to give access to that private identifying data to all of the applications and to the whole world. What typically happens is when you download the application, the application is granted certain rights, it can access some data, and some of the PIIs, but not all of them, and that’s the approach we’re proposing here. We’re saying neurosignals should be treated as a PII, and applications should have access only to the certain components. How do we go about it? Well, in a simple way, we propose adding a new component to our big block diagram, and that new component is called BCI anonymizer.

It sits between the signal acquisition and the signal processing part of the BCI. The main purpose of that is to protect our data, and how does it go about it? It’s secure and trusted system that takes the raw neurosignals and decomposes it into specific components. Then, if you have an application installed and that application has been given certain rights, then once the application requests access to certain components of our signal, our BCI anonymizer provides only those components, never the whole signal.

Of course, because of this architecture and because of the way we’re thinking about it, there are two challenging parts: first our BCI anonymizer has to be realized as part of a user system, it cannot be realized as a part of any external network or in the cloud. Because if it is, then we have a hard time making sure it’s secure and trusted. But there are known improvable secured solutions to organize it in the proposed way, to make it a part of a user system. Second challenging part is being able to decompose that information rich signal in real time, again, there are solutions to that problem and we’re currently working on it and exploring which solution will work for our application.

Okay, that seems reasonable and it could work, but as many of you probably know, smartphone security is not perfect, if anything people have identified several problems and I do want to acknowledge those. First of all, it might be the case that the operating system does not have sufficient control to control all the communications channels in order to prevent information leakage. In addition, some implementations may not give us as users enough ability to not give rights to certain aspects of our private data. Finally, and that’s something that I personally find the most challenging, it often requires that we understand which private data we’re giving and what can happen with that data.

Things become even more challenging within their own signals. Okay, but the nice thing about our approach is that by implementing it we actually avoid and solve all of these problems, we talk more about it in the paper, but inherently, because of the way our system is organizing and because of the way we’re going about it, you don’t have any of these three issues, which is nice. So that helps with quite a few problems. Even though it does, however, we do acknowledge that it only addresses this one specific private threat, and it’s going to be hopefully a good solution to that privacy threat, but other privacy threats may be identified.

Maybe some security threats can be identified. What we’re seeing is this solution will work for one problem, we still need an interdisciplinary approach where we will go about developing technical solutions for real life problems. Then on top of that, we will develop industry standards to prevent certain attacks from ever being mounted. We do believe those industry standards will have to be voluntary, and on top of that we will need regulatory rules and government impact on it.

With this, I would like to conclude my talk and I would like to remind us all in the spirit of this conference that it’s been almost 70 years since professor Wiener described the brain as an information processing system, and since he warned about possible problems with the melding of the human brain and computational machines. The first attacks on non invasive brain computer interfaces have happened, they’re there, so we do need to acknowledge that that may be happening, but we’re not doomed, things can be done to prevent these issues and we should act now, we should include privacy security usability and safety considerations into the design of these emerging technologies now, from the start.

With this technology we’re lucky, because we’re early enough into designing development phase that we can actually include all of these considerations into the system design from start. That’s important and it will make a huge difference. With that, I’ll finish, I would just like to acknowledge my coauthors and our good collaborators from another department, as well as our source of funding. Thank you for your attention.