With a chilling hint of the not-so-distant future, researchers at the USENIX Security 2012 conference have demonstrated what amounts to a zero-day vulnerability in your brain. Using a commercial off-the-shelf brain-computer interface, the researchers have shown that it’s possible to read information out of your brain that you’d rather keep secret, without you noticing that anything is being extracted.

As we’ve covered in the past, a brain-computer interface (BCI) is a two-part device: There’s the hardware — usually a headset (an EEG, or electroencephalograph) with electrodes that rest on your scalp and pick up the brain’s electrical activity — and software, which processes that activity and tries to work out what you’re trying to do (turn left, double click, open box, etc.). BCIs have generally been used in medical settings with very expensive equipment, but in the last few years cheaper, commercial offerings have emerged. For $200-300 you can buy an Emotiv (pictured above) or NeuroSky BCI, go through a short training process, and begin controlling your computer with your mind.

Both of these commercial BCIs have an API — an interface that lets third-party developers read the headset’s output from their own programs. That is the weak point. The security researchers — from the Universities of Oxford and Geneva, and the University of California, Berkeley — wrote a custom program whose sole purpose was to find out sensitive data: the area where you live, the first digit of your debit card PIN, which bank you use, your date of birth, and so on. They ran it on 28 participants (who were cooperative and didn’t know that they were being brain-hacked). Depending on the question, the attacker’s guess was right roughly 10 to 40% of the time, in every case noticeably better than guessing at random (results pictured above).

To extract this information, the researchers rely on what’s known as the P300 response — a very specific brainwave pattern (pictured right), a positive voltage spike roughly 300 milliseconds after a stimulus, that occurs when you recognize something meaningful (a familiar face) or something that fits your current task (a hammer in the shed). The key point is that the attacking program controls what appears on the screen and when, so it knows exactly which picture was being shown at each moment of the EEG recording. The program flashes up pictures of maps, bank logos, and PIN digits, records the EEG around each flash, and notes every time your brain produces a P300. Each candidate (each digit, each bank) is flashed many times, because a single P300 is buried in noise but a time-locked response adds up across repetitions while random noise averages out. Afterwards, it’s a matter of ranking the candidates by how much P300 evidence they collected and reading off — with fairly good accuracy — where a person banks, where they live, and so on.
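To make the mechanism concrete, here is an added simulation of the extraction step described above. It is not the researchers’ code and uses no real EEG: each stimulus-locked epoch is constructed Gaussian noise, with a small bump centred at 300 ms added whenever the flashed stimulus is the subject’s secret (the 4 µV amplitude and 5 µV noise level are toy values chosen for speed; the 128 Hz sample rate is the Emotiv EPOC headset’s). The scorer is deliberately the simplest one that works, averaging the epochs for each stimulus and measuring the mean amplitude in the 250-500 ms window, rather than the per-subject classifier the paper used. What it shows is why the attacker flashes every candidate repeatedly: one flash per digit recovers the PIN digit only sometimes, ten flashes recover it almost always.

```python
import math
import random
import statistics

SAMPLE_RATE = 128                       # Hz; the Emotiv EPOC's output sampling rate
EPOCH_SAMPLES = int(0.8 * SAMPLE_RATE)  # keep 0-800 ms of EEG after each flash
WINDOW = (int(0.25 * SAMPLE_RATE), int(0.5 * SAMPLE_RATE))  # 250-500 ms, where a P300 peaks


def simulate_epoch(is_target, rng, noise_sd=5.0, p300_amp=4.0):
    """Constructed stimulus-locked EEG epoch in microvolts (not real data).

    Every epoch is Gaussian noise; if the flashed stimulus is the one the
    subject recognises, a positive Gaussian-shaped deflection centred at
    300 ms (about 60 ms wide) is added on top. Amplitudes are toy values.
    """
    epoch = []
    for i in range(EPOCH_SAMPLES):
        t_ms = i * 1000.0 / SAMPLE_RATE
        v = rng.gauss(0.0, noise_sd)
        if is_target:
            v += p300_amp * math.exp(-((t_ms - 300.0) ** 2) / (2 * 60.0 ** 2))
        epoch.append(v)
    return epoch


def record_session(candidates, secret, flashes_per_candidate, rng):
    """Flash every candidate stimulus repeatedly in random order and keep one
    epoch per flash, keyed by which stimulus was on screen. The attacking app
    chose the order, so it can pair every epoch with its stimulus; the subject
    just watches pictures go by."""
    epochs = {c: [] for c in candidates}
    order = list(candidates) * flashes_per_candidate
    rng.shuffle(order)
    for c in order:
        epochs[c].append(simulate_epoch(c == secret, rng))
    return epochs


def p300_score(epochs):
    """Average the epochs recorded for one stimulus (random noise cancels, a
    time-locked P300 adds up) and return the mean amplitude in the P300 window."""
    n = len(epochs)
    averaged = [sum(e[i] for e in epochs) / n for i in range(EPOCH_SAMPLES)]
    lo, hi = WINDOW
    return statistics.fmean(averaged[lo:hi])


def rank_candidates(epochs):
    """Attacker's guesses at the secret, best first."""
    return sorted(epochs, key=lambda c: p300_score(epochs[c]), reverse=True)


def guess_pin_digit(secret=7, flashes_per_candidate=15, seed=1):
    """Recover the first digit of a PIN from one simulated session: flash the
    digits 0-9 and rank them by P300 evidence. Returns the ranked digits."""
    rng = random.Random(seed)
    return rank_candidates(record_session(range(10), secret, flashes_per_candidate, rng))


def success_rate(flashes_per_candidate, sessions=30, seed=2):
    """Fraction of simulated sessions whose top-ranked digit is the secret.
    Shows why the attacker wants many repetitions of each stimulus."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(sessions):
        secret = rng.randrange(10)
        ranked = rank_candidates(record_session(range(10), secret, flashes_per_candidate, rng))
        hits += ranked[0] == secret
    return hits / sessions


if __name__ == "__main__":
    print("ranked digits:", guess_pin_digit())
    for n in (1, 3, 10):
        print(f"{n:2d} flash(es) per digit -> success rate {success_rate(n):.2f}")
```

The same averaging-then-rank loop works for any small candidate set (bank logos, map tiles, months), which is exactly why the attack generalises across the questions the researchers asked. Real EEG is far noisier and the P300 varies between people, so the researchers trained on each subject first; the attack still boils down to the attacker controlling the stimuli and knowing their timing.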

In a real-world scenario, the researchers foresee a game that is specially tailored by hackers to extract sensitive information from your brain, with the probing images woven into the gameplay — or perhaps an attack that also uses social engineering to lull you into a false sense of security. It’s harder to extract data from someone who knows they’re being attacked, as interrogators and torturers well know.

Moving forward, this brain hack can only improve in efficacy as BCIs become cheaper, more accurate, and thus more widely used. You can’t simply decide not to think about the topic: the P300 is an involuntary recognition response, and by the time you’re consciously on the defensive the attacker has already chosen a poorly disguised attack. The only viable defense I can think of is to never connect your brain-computer interface to shady software, brain malware, and to be wary of any app that wants raw access to your EEG — but then again, in a science-fictional future, isn’t it almost guaranteed that the government would mandate the inclusion of brain-hacking software in the operating system itself?


Research paper: On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces (Martinovic et al., USENIX Security 2012)