Hackers may be able to use your brain against you if you're using an EEG-measuring device like NeuroSky. One brain wave that an EEG can sense, called the P300, signals that an object is important or recognized. Mind Hacks summarizes a study on P300 signals called "On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces" (pdf).
One form of the not-very-reliable EEG ‘lie detector’ is based on this principle. Called the Guilty Knowledge Test, the idea is that the police would show you photos of the crime scene, and if you had actually been there, your P300 would kick in.
This new study was based on a similar principle. The researchers ran various experiments based on the same idea: they’d ask a question to make sure the key information was at the forefront of the study participant’s mind, and then they’d fire a bunch of information at the volunteer to pick out which was most associated with the P300.
For example, in one experiment participants were told they would have to type in the first digit of their newly acquired PIN number into the computer, but before this happened, the volunteers were shown a series of single digits, while the software recorded which numerals were most associated with the P300.
The P300 signal identified numbers in the subjects' PINs better than chance, but the hit rate was only 10-20%.
Another study presented at the same conference looked into the possibility of users inputting passwords without consciously knowing the password.
The idea relies on implicit learning – which is where you learn connections between things without having any conscious knowledge of doing so.
For example, when playing a computer game like Guitar Hero or Dance Dance Revolution, the same short sequence of moves might come up several times but you might not be aware of it, because they would be embedded within a larger sequence.
However, simply by having encountered the sequence before you will do better the second time – because you have practised the response – even if you have no conscious memory of it.
Instead of having a login password, a game might be able to identify you based on how well you recognize and perform sequences.
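One way the scoring behind such a login could work, as an added example that is not taken from the study or from Mind Hacks: the server compares a player's hit rate on the sequence practised at enrolment with the hit rate on filler sequences and accepts only a statistically significant advantage. The function names, the `seq-A` identifier, the 0.01 threshold and the sample sessions are all assumptions constructed for illustration.

```python
import math

def score_session(trials, trained_ids, alpha=0.01):
    """Compare hit rates on secretly trained sequences vs. filler ones.

    trials: (sequence_id, hit) pairs from one game session.
    Returns (advantage, p_value, accepted).
    """
    t_hits = t_n = f_hits = f_n = 0
    for seq_id, hit in trials:
        if seq_id in trained_ids:
            t_n += 1
            t_hits += bool(hit)
        else:
            f_n += 1
            f_hits += bool(hit)
    if t_n == 0 or f_n == 0:
        return 0.0, 1.0, False  # nothing to compare: fail closed
    advantage = t_hits / t_n - f_hits / f_n
    pooled = (t_hits + f_hits) / (t_n + f_n)
    se = math.sqrt(pooled * (1 - pooled) * (1 / t_n + 1 / f_n))
    if se == 0:
        return advantage, 1.0, False  # all hits or all misses: no evidence
    # One-sided two-proportion z-test: is the trained hit rate higher?
    p_value = 0.5 * math.erfc(advantage / se / math.sqrt(2))
    return advantage, p_value, p_value < alpha

def make_trials(trained_hits, filler_hits, n=100):
    """Constructed sample session: n trained-sequence trials, n filler trials."""
    trained = [("seq-A", i < trained_hits) for i in range(n)]
    filler = [("filler", i < filler_hits) for i in range(n)]
    return trained + filler

TRAINED_IDS = {"seq-A"}  # hypothetical id of the sequence practised at enrolment

if __name__ == "__main__":
    for label, session in [("enrolled", make_trials(85, 65)),
                           ("impostor", make_trials(66, 65))]:
        adv, p, ok = score_session(session, TRAINED_IDS)
        print(f"{label}: advantage={adv:.2f} p={p:.4f} accepted={ok}")
```

Because the decision rests on a difference in hit rates rather than on raw skill, a strong player who never practised the sequence gains nothing, and a session too short to compare is rejected rather than accepted.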