Two years ago, I was sitting in the Paris Hotel, the Thursday morning that DEF CON was to start, and my phone rang. And I was a little nervous to answer it because I kind of knew what the phone call was about. And it was my doctor calling me back to tell me that the biopsy that I had had on a lump in my breast the day before I left for DEF CON had come back positive and I had breast cancer. I share this with you because it's what actually ended up starting the research that I did that I'm going to share with you today. For those of you who have never been through chemo or don't know anyone who's gone through it, I think most people know that the, you know, the losing your hair, the throwing up, that's, you know, pretty much everyone knows about that. There's a lot of other side effects that come with chemotherapy. And one of them is called chemo-brain. And the regimen that I was on was ACT, which is Adriamycin, Cytoxan, and Taxol. And another name for Adriamycin is doxorubicin hydrochloride. And that's the one that essentially pretty much kind of tries to destroy the mitochondria in your brain. It affects their energy levels. And it results in forgetfulness, memory lapses, difficulty concentrating or focusing on tasks, trouble with recall, remembering words or names. My team can testify to the fact that there have been many a time in a conference where I've been like trying to put a sentence together and I cannot recall normal everyday words that most people know. I can't pull them out of my head. I'm getting better at it, but it still happens. And then also struggling to do more than one task at a time. As a hacker, our mind is our like most valuable tool. So losing my hair, my eyebrows, my eyelashes, even losing both breasts was not as traumatic or devastating to me as starting to lose my mind. So when the chemo ended, I kind of was hoping that it would just kind of all go back to normal and it didn't. So I started to try to research how to heal my brain.
And in the process of that, I stumbled upon some research being done at Stanford and I believe it was SRI International, they were partnered and they were talking a lot about using the mind for authentication. And I kept like kind of putting that to the side like I really want to look at that but let's get this fixed first. Once I felt a little better about my own cognitive faculties, I went back and started looking at this research because I was very fascinated by this concept. And I wanted to know how far along they were with it. How does it actually work? I mean like really, how do you implant a password? How do you do this? So today I'm going to share kind of what I taught myself and what I've learned and kind of some of the like hackability of it or kind of the like where they're at with it as far as actually being a viable option. But so a little about myself before I start, I'm a security engineer and researcher with the digital cloak and my undergrad is in sociology, which is a psychology of group behavior as opposed to the individual. My minor was DVNC, which has served me well in this environment. My grad work and degrees are in security management and cybersecurity. So I kind of came into the security arena from the cyber area kind of late, but it can be done. The agenda for this talk is going to kind of cover some conceptual groundwork so you can kind of understand some of the research when I share it. I still can't feel the ends of my fingers either. It's neuropathy. So last time I spoke at DEF CON I was actually fortunate enough to have one of the researchers I cited attend my talk. So if any of the researchers I mentioned in my talk actually happen to be sitting here like jump up and wave your arms so we can say hi and maybe have you come up and maybe tell us about your research better than I can maybe.
So cognitive memory, this is, cognition is the mental action or process of acquiring knowledge and understanding through thought, experience or your senses or some combination of them. It's knowledge, attention, memory, judgment, evaluation, reasoning, problem solving, all of that. And it can be conscious or sub slash unconscious. It can be intuitive, which is the ability to acquire knowledge without understanding. So if you think of like instinct, or it can be conceptual, so based on ideas or concepts like if you're in a classroom learning something. Consciousness can be defined from two different ways, biologically or philosophically. So your consciousness from a biological perspective refers to the idea of being like awake and aware of your surroundings and experiences and the people and things in your environment. And philosophically it can refer more to like having a soul or a sense of self. We're going to be focusing on the biologic consciousness here. Unconsciousness is when your ability to maintain an awareness of your environment or surrounding like stimulus is lost. And there's either a complete or near complete lack of responsiveness to your environment or any stimulus. There's a medical concept of being unconscious and a legal concept of being unconscious. So medically you can be unconscious kind of like from like a brain injury or perhaps like a drug induced unconsciousness that they'll do sometimes. But legally you could also be unconscious maybe if you're impaired from drugs or hypnosis or, has anyone in here been like so tired they just can't even anymore? You're awake and you're standing up and you're like able to function but your mind just, you're just done, right? So that can kind of go into the area of like legally unconscious in a way. But I'm not a lawyer so don't try to use that in court. So Sigmund Freud in 1893 was the first to use the term subconscious.
And what I thought was really interesting was when I was trying to figure out like where they really drew a line between subconscious and unconscious it turns out that Sigmund Freud actually used the terms interchangeably because in his native German it was kind of almost the same word. And now the argument seems to be more of a kind of a semantic grammatical thing than a definitive thing. In general unconsciousness typically tends to refer to a state of awareness from a medical perspective. And subconscious tends to refer to an aspect of your psyche when discussing more of like a psychoanalytical environment. But if there's any shrinks in the audience who want to argue about it we can do that later. The best I can tell is it's more of a grammatical issue than a definitive one but I am going to differentiate between them in this talk. So for now just think of subconscious as a part of your consciousness that is not currently in your focal awareness. And there was a psychologist named Edwin Locke who put it really well I think, he called it the alternative storehouse of knowledge and prior experience. And there's two main types of long term human memory. We have explicit and implicit memory. That was my obligatory cat slide for DEF CON. Explicit memory is also known as declarative memory. It's conscious and there's two kinds, episodic and semantic. So episodic is more storing a personal experience like a kiss that really meant a lot to you or that you remember distinctly. And then semantic would be more like data about the kiss or a kiss. Implicit memory is, anyone here ride bikes or can you ride a bike? So that's kind of a good example. I do triathlons and we train constantly to get things into our implicit memory so that when you're in the middle of a race it's just your instinct. It kind of takes over. So it's basically acquired and used unconsciously and it can affect your thoughts and behaviors.
And this is kind of where when we get to talking about implanting this is where they're putting the password. One of the most common forms is procedural which helps people perform certain tasks without awareness of actually performing it. People use explicit memory throughout the day like remembering an appointment or recalling an event from years ago. And implicit is more like an unintentional and subconscious form. So if you remember a specific driving lesson you had that's an example of explicit memory. But if your driving skill improves as a result of that lesson that is more the implicit memory. Memory as a tool versus memory as an object. They put forth that you can use it kind of both ways. So memory is treated as an object when you're recalling or recognizing like an actual memory. But then if you're talking about using it to serve as an authenticator this is more like where you would use it as a tool. And so why is this important? Because they're looking at this research as being considered potentially a subclass of behavioral biometric measurement. So this is where we're going to start to connect with the idea of implanting passwords as an option. So we're going to talk about encoding, storage and retrieval. So with encoding this is processing information into the memory. And there's several different ways of encoding information. There's structural encoding which is how something looks. And an example would be if you had a word: is it long, is it short, is it all uppercase or lowercase, is it handwritten, is it typed. Then mnemonic encoding is how something sounds so like how does a certain word sound. And then semantic encoding focuses more on the meaning and it requires a deeper level of processing than structural or mnemonic. And it usually results in a better memory because you're kind of creating an association. Storage is after the information enters your brain it has to be stored or maintained or forgotten.
So there's a three stage model that was proposed by Richard Atkinson and Richard Shiffrin. It's often used to describe this process. This is my attempt to make a representation of it. So essentially you have sensory memory, short term memory and long term memory. Sensory memory stores the incoming sensory information in detail but only for an instant. The capacity is very large but the information in it is unprocessed. Visual sensory memory is iconic memory and auditory sensory memory is called echoic memory. So then you get to short term memory and some of the information in sensory memory can transfer into short term memory and that can hold information for about 20 seconds. And rehearsing is a way that you can kind of keep information in your short term memory longer. So an example is like if someone, like if you're parking your car and you're trying to remember like where did you park your car and you're walking to whatever and you're like P2, P2, P2, P2, it's kind of like a way to kind of keep it in your mind and get it in there a little better. Short term memory has a limited capacity and it can store about seven pieces of information give or take and these pieces of information can be small such as like individual numbers or letters or larger like familiar strings of numbers or words. So like if you're trying to remember the word cat, you're not going to remember C-A-T, you're going to remember the word cat and with the visual. So information can be kept in your working memory while you process or examine it. And then once you're done with it, it either is pretty much forgotten or it moves into your long term memory. Long term memory has an almost infinite capacity and the information usually stays there for the duration of a person's life. However, the big issue is it's there but you're not always able to retrieve it which is where the chemo kind of affected me was the data was in there.
I was just not able to pull it out and that's what I was struggling with. So with retrieval, that's the process of getting the information out of your memory and they have these retrieval cues and those are stimuli that can kind of help you remember and they include associations, context and mood. So context is you can try to remember an event by putting yourself in the same context you were when it happened such as if someone lost a paddle from last night and they're trying to remember where it is. Sorry, that was for my boss. They could kind of go back to like where they remember they had it last and walk through if they can remember where they went next and see if they can find it along, or you can do the same with your car keys if you've ever lost them. Associations, this is our equal opportunity gratuitous sexy photos. I hope I hit most everyone in the audience. If not, I'm so sorry but I only had so many slides and so much time. But the brain stores information as networks of associated concepts so recalling a particular word can be easy if another related word is recalled first. So here's an example: if I show you guys like these sunbathers on the beach and then I ask you to spell the word bear you may be more likely to spell B-A-R-E instead of B-E-A-R because the picture kind of primed you and associated you to that particular spelling. And then there's mood, so if you're in the same mood you were during a particular event you can have maybe an easier time recalling the event, like kind of a nostalgia type thing if you think about it. Here's our other cat. They told me I had to put so many cats in and so many sexy photos so I tried to make sure I got them all. Okay, the human brain has about a billion neurons in it and each neuron forms about a thousand connections and this is about somewhere around a trillion connections I think.
The challenge is if each neuron could only store a single memory running out of space would be a huge problem so you might only have maybe a few gigabytes of storage space like about the same as an iPod or a USB flash drive but because the neurons combine so that each one helps with many memories at a time it exponentially increases your brain's memory storage capacity to something closer to about 2.5 petabytes and the example I think it was something like 300 million hours of television shows is about the capacity to store in there because of the way the neurons can connect. Time check? Alright, there are some limitations to memory. I think everyone in here has seen that gorilla basketball video so that's like inattentional blindness or the illusion of attention. You focus so much on one thing you completely miss other stuff going on. Sorry. There's false memories, there's the illusion of confidence which interestingly enough apparently that's the opposite of imposter syndrome they have one. The illusion of cause: there's a tendency to make causal connections between related facts that maybe are not accurate. This is where I want to get into the research. One word concept vocabulary thing is called brain computer interface. So the initial motivation behind brain computer interfaces was to develop the communication devices for the severely disabled. Seeing as that I only have a limited time to speak I won't go into the deep dive about how an individual can train their mu and beta brain waves to control a cursor and there's some fascinating stuff around visual evoked potentials but there's a plethora of research out there if you're super interested in that level of granularity. But I did want to point out there is some research by Dr. J. R. Wolpaw and his research team as a starting point and then Dr. Niels Birbaumer with the thought translation device.
He's with the University of Tübingen in Germany and he has created this device that allows users to compose phrases and sentences electronically just by thinking them. So he's neat and you may also want to look at a paper out of Dartmouth College about the NeuroPhone. It's a brain mobile phone interface using a wireless EEG headset and in their paper his team shares the details of a brain-controlled address book dialing app they created. So the point is this is a super huge area of research but I haven't heard a lot of it on kind of our side of the house as far as the security of these things. But I did want to share the four key pieces of research that I found to be the most interesting and with the most potential. First there's this, wait, go back. So first I'm going to murder this man's name so I apologize ahead of time but Hristo Bojinov at Stanford was working with some cognitive scientists at Northwestern University and they designed a game that looks similar to Guitar Hero and this is called SISL, Serial Interception Sequence Learning, and it's an authentication procedure that they created this testing experiment around and they used Mechanical Turk through Amazon to do their experiments. So I'm not sure how well that looks as far as like how you're able to look at your subject pool from an experimental perspective. I'm trying. I'm like all up on it. I do want to walk you through how it works but I want to make sure I get it right so I want to read it. The process of learning the password involves the use of a specially crafted computer game that resembles Guitar Hero. There are six buttons S, D, F, J, K and L and the user has to hit the corresponding key or note when the circle reaches the bottom fret. So during a typical training session of around 45 minutes a user will make about 4,000 key strokes and around 80% of these key strokes are being used to subconsciously teach you a 30 character password.
Before running, the game creates a random sequence of 30 letters chosen from S, D, F, J, K and L with no repeating characters. This equates to around 38 bits of entropy and the 30 character sequence is played back to the user three times in a row and then padded out with 18 random characters for a total of 108 items. The sequence is repeated five times and then there's a short pause and the entire process is repeated six more times and by this point the experimental results suggest that a 30 letter password is firmly implanted in your subconscious brain. The authentication requires that you play a round of the game but this time your 30 letter sequence is interspersed with other random 30 letter sequences. To pass the authentication you have to reliably perform your sequence. The research shows that even after two weeks you're able to recall the sequence. The next one is pass thoughts. So this is from Berkeley 2013. This technique combines three factors. Something you know, which is a thought, something you are, your brain patterns, and then something you have, which is the EEG sensor for measuring the brainwaves. To authenticate with a pass thought you think your secret key while using the sensor. The key can be just about anything, a song, a phrase or a mental image and the thought itself is never transmitted, just a mathematical representation of the electrical signals your brain makes while you think it. Now if someone else were to figure out what you were thinking they still couldn't impersonate your pass thought in theory because every person thinks the same thing differently. So you know we could all think about the same song but we're not all gonna think about it exactly the same way as far as being registered electronically. Time check. Okay so this is how they did this one. The following tasks were repeated five times in each session for each subject. They had a breathing task so they had to close their eyes and focus on their breathing for 10 seconds.
They had a simulated finger movement so subjects imagine in their mind that they are moving their right index finger up and down in sync with their breathing without actually moving their finger. There was a sports task where they selected a repetitive motion from a sport of their choosing and they imagined moving their body muscles to perform the motion. Then there was a song passage recitation task, an eye and audio tone task, an object counting task and then at the very end they had a pass thought which they were asked to choose their own pass thought like a password but instead of choosing a sequence of letters or numbers they thought of a thought like a vision of their wedding or their child being born or the first time they got drunk or what have you and that they had to think about that for 10 seconds and then everything together became their pass thought. So this was some other interesting research that was done that kind of fed into the next one. It was on the feasibility of side channel attacks with brainwave computer interfaces. I do have these papers cited at the end of my slide deck so if you look them up on the torrent they'll be there but it studied the possibility of side channel attacks using commercial EEG types of headsets to reveal users' personal information like their banks, ATMs or PIN digits. Their approach was similar to a guilty knowledge test where items familiar to a user are assumed to evoke different responses as compared to items that are unfamiliar and so for example when a person was shown images of many banks the brain response to the image of their bank had more of an interaction or evoked a higher like potential with the waves. The problem with their attack setup was it was intrusive and it could be easily detected by the user but that brought us to PEEP.
So PEEP built upon their research, and what they tried to do is create an actual keylogger slash malware, and this actually was on phys.org on June 29th, and I'll read from the article. It's a quote: "Researchers at the University of Alabama at Birmingham suggested that brain wave sensing headsets, also known as EEG, need better security after a study reveals hackers could guess a user's passwords by monitoring their brain waves." So in contrast to the research I mentioned on the previous slide, the folks at the University of Alabama wanted to test out a more surreptitious, less intrusive approach that only required passive monitoring of brain signals as the users type PINs or passwords, and so they called theirs PEEP, which is passively eavesdropping private input via brain wave signals, and this was University of Alabama and I think one gentleman from California Riverside. Now, they extensively reference the research of the previous group with the side channel attacks, and they named their keylogger PEEP. And so according to their paper, as the use of these devices, which they're referring to the EEG gaming and entertainment devices, headsets, for any of you who game, it becomes mainstream, a user may enter passwords or private credentials to their computers or their mobile phones while they're wearing these devices, and so they were studying the potential of introducing a malicious app to capture those EEG signals and then process the signals to infer the sensitive keystrokes. So the gentleman and his team used one regular store-bought EEG headset that, like, anyone could buy at Best Buy or what have you, and then they also used a clinical grade headset in their experiment, and they were able to demonstrate how easily a malicious software program could passively eavesdrop on your brain waves, so while typing on your inputs it could sense all of this. And I think he was, so I quote from the article: in a real-world attack, a hacker could facilitate the training step required for the malicious
program to be the most accurate by requesting that the user enter a predefined set of numbers in order to restart the game after pausing it to take a break, similar to a CAPTCHA used to verify certain users are logging in. Their research showed that after a user entered 200 characters, algorithms within the malicious software program can make educated guesses about new characters the user entered by monitoring the EEG data recorded. The algorithm they created was able to shorten the odds of a hacker guessing a four-digit numerical PIN from one in 10,000 to one in 20 and increase the chance of guessing a six-letter password from about one in 500,000 to roughly one in 500. So, security posture versus a rubber hose type of cryptanalysis: the challenge in testing their hypothesis is that, as far as I know, especially at Stanford, there's no studies that actually allow you to beat people during an experiment, so I think in a way they were kind of sexifying their paper title, you know, no shade. But after a long discussion with a psychologist friend, my current opinion with SISL, which is the Guitar Hero, and pass thoughts is there seems to be some dependence on the consistency of the entry of the authentication, and by introducing an actual rubber hose type attack or some other similarly traumatic level of extraction, this could affect the brain waves themselves, so the ability to perform the action or the entry in a manner consistent with how the password was set up, it could affect that, thus rendering, and you know, even if you have it, it's not going to work because it's not matching the brain waves, because if you're relaxed when you're going through the implantation but you're being beaten with a rubber hose, even if they get the string, it's going to be different. So starting with the SISL, or the Guitar Hero, they were able to test retrieval but not under stress or trauma, and they were able to test basic coercion, trying to, like, fool the system, and that went pretty well. The potential
attacks against that one involved the use of remote authentication approach, whether or not the attacker is allowed multiple extraction attempts, if there's performance gaps, eavesdropping. None of this stuff's been tested; just the retrieval has been tested. With pass thoughts, a hacker might be able to defeat the system by using a phishing scheme that would trick you into thinking your pass thought, capturing the output, maybe later playing it back. And it was pointed out by the PEEP research team that the approach being used by them and the side channel attacks, my brain just went dead, the stuff is generated for implantation with a random generator, so you could probably go after it from the source by going after the random generator that issues it versus the actual person who has it, if that makes sense. As to SISL and pass thoughts, they're still in a mostly theoretical stage as far as research and experimentation goes. I didn't really see anyone addressing how memory could be affected by such things as drug use or injury or even degradation, such as if you have an employee that's going through chemo and suddenly their brain is affected, would they even be able to use any of this with that effect of the authentication pattern. So I don't really see this being viable for use at large right now until some of those questions are answered. And, like, you know, we're all here at DEF CON, so what happens if you have the password implanted while you're sober at work, but then you've had a couple drinks and you need to finish a proposal: are you gonna be able to authenticate, or will being drunk or kind of drunk or even just slightly impaired affect that ability? And that was another thing I didn't see addressed. Cost was another big thing. It's all well and good to propose this, but what's the exact cost associated with implementing something like this, and, like, would it be realistic to deploy? So with SISL the training or encoding time was noted to be 45
minutes, and with pass thoughts it was two 40 to 50 minute sessions, and so if you have a small organization, five, ten people, that might be okay, but I'm, like, trying to picture Lockheed Martin or something trying to do this with thousands of people, trying to put each one of them through that. With SISL there are certain people this probably would work best with, but factors such as mental capacity or psychological issues: my sister-in-law works with special needs adults who do stuff at the airport and have to go through security checkpoints, so especially with, like, the Guitar Hero type of thing, would there be certain people that just wouldn't be able to authenticate this way, just legitimately, they just, from a handicap perspective, they can't do it? You know, even some of our wounded warriors, like, who don't have hands to do this kind of intricate type of authentication, and then things like Parkinson's, seizures, what if the individual is blind and can't even see? I mean, I didn't really see any of this addressed as far as, like, using it in a real world on a large scale. All in all, I think it's fascinating with potential, but the research is still in a pretty early stage. The sample groups also, if anyone here grad school, scientific research, test groups: so the SISL size, experiment number one was done with 35 participants, number two had two groups, 32 and 80 participants, for a total of 147, but they didn't clarify if any of those were duplicates from the first to second experiment, so it actually might have been a smaller group number. Based on my own experience, I'm not sure 147 represents a solid sample other than whether or not it warrants further study. I do think it warrants further study, but so far it's still very theoretical. The pass thoughts material I read was based on research on a group of a total of 15 subjects, the side channel attack research had 28 subjects, and the PEEP research had a whopping 12 subjects, so again this is still really kind of in very
theoretical stage, and a pool of 12 subjects to me is not a huge sample size from a research perspective, except for maybe to do further research. My thoughts around hackability: SISL refers to the rubber hose. I just really don't see that. I don't see how they really addressed it. I think they just use the word because it sounded cool. The theory that the knowledge is not consciously accessible to the individual, I'm still not sure on that. I have a psychologist friend and he's in agreement with me, like, if you can put it in, you can take it out, and there's ways to do that. For SISL a good potential attack vector might be, again, like I said, the random number generator or the random password generator. And in their paper the pass thought team pointed out they were not vulnerable to shoulder surfing because their system was invisible, but they felt they were very vulnerable to both social engineering and dictionary attacks as their system stood. However, it was their hope that with advances in signal recording and processing technology it would allow for a much more detailed capture of the thought itself, and that would protect better against some of the dictionary attacks. And they also felt they were fairly vulnerable to phishing attacks, where if you could get someone to click on something and record their thoughts while they were clicking, they were kind of vulnerable from that perspective. SISL's not designed to prevent eavesdropping or shoulder surfing attacks, so I imagine a good video recording of them performing the sequence could allow an attacker to replicate it, and considering how many security video cameras are insecure, this is, like, definitely a distinct possibility. And I believe they did say that in some of the experiments the error ratio was just enough that if someone knew that person's sequence there were times they were able to impersonate it. I talked to my psychologist friend about using hypnosis to potentially extract it. That
I've done a little more research into, and I'm not sure that's really a viable, like, vector, but he and I are actually still discussing that at length, so maybe I'll have more on that in the future. Another thing: SISL's a Flash application, so I'll just put that right there. That was my first big, like, okay. And SISL's authentication process is potentially vulnerable to attack if even an untrained person is able to, like, mimic or degrade their performance to match the person they've watched authenticate. And then the authentication based on keystroke dynamics, similar to authentication based on the thought, the pass thoughts, so it looks at their typing rhythm and what they're thinking at the same time with the, so I don't, I think they just still need to do more research. So in closing, I think much of this is still in the experimental stage, and it's going to be really interesting to see if anything actually comes of it, especially considering trying to deploy it across a large environment or organization or a very varied population, like a bigger sample size than 12. Check my time. So some of my research: I have the papers, there are links to them, but you don't have to click them. You can just Google the name of the paper in Google Scholar, it'll come right up. And then the last thing I wanted to leave you with is, it was kind of interesting, about halfway through my research someone mentioned to me, oh my god, have you read this? It's a book called Hard-Boiled Wonderland and the End of the World, and it was written by Haruki Murakami, and it's actually from 1985, and what I thought was really interesting is, I'm not going to spoil it if you want to read it, but it's a parallel narrative type setup. One of the narrators is called a Calcutec, and it's a human data processor encryption system who's been trained to use their subconscious as an encryption key, and the other narrator is a newcomer to a strange isolated town, and I'll leave it there so I
don't spoil it, but if you find this interesting, I actually thought it was pretty fascinating that back in 1985 even, like, fantasy authors were thinking about the idea of using the mind to authenticate and for encryption. So that's all I have. I can do questions now if anyone has them.