QIF-T0073

critical

Ear-canal neural eavesdropping via modified consumer earbud (supply chain in-ear EEG)

Tier 4 — Demonstrated (Case Study / Observational)

Legacy status: EMERGING

The ear canal is 5-10mm from temporal cortex through the canal wall and temporal bone — close enough for a conductive ear tip with a high-gain biopotential amplifier to capture cortical EEG. Commercial in-ear EEG has been proven viable (Idun Guardian, cEEGrid, Cognionics). In a supply chain attack, a consumer earbud is modified to include: (1) a conductive silicone ear tip that makes galvanic contact with ear canal skin, (2) a sub-$5 biopotential amplifier (e.g., ADS1299 or TI ADS129x family) hidden in the earbud housing, and (3) modified firmware that multiplexes captured EEG data alongside normal audio. The captured signals include auditory evoked potentials (AEP), P300 attention markers, N400 semantic processing indicators, and alpha/theta power reflecting cognitive state. Generic earbuds lacking proprietary authentication (unlike Apple AirPods with W1/H1 chip) are the attack surface. The attacker gets continuous neural telemetry from a device the target wears voluntarily for hours daily. This is the bridge technique between QIF-T0072 (acoustic eavesdropping) and QIF-T0074 (cognitive inference): it turns a consumer audio device into a covert neural recording platform.

Technique Details

Tactic: QIF-S.RP
Status: EMERGING
Bands: S1, I0, N1, N2, N3

✚ Therapeutic Application

Conductive ear tip and embedded biopotential amplifier in consumer earbud captures in-ear EEG from temporal cortex via ear canal proximity

Clinical Analog

In-ear EEG for seizure detection, sleep staging, cognitive monitoring

Treats

epilepsy monitoring (continuous ambulatory EEG)
sleep disorder diagnosis
ADHD attention monitoring
anesthesia depth monitoring

Neural Impact

5 of 7 neural bands affected

S1 I0 N1 N2 N3

Drag to rotate. Click a region to learn more.

Click or hover over a glowing region to see the attack techniques targeting it and their severity.

DSM-5-TR Diagnostic Mappings

Diagnostic category references for threat modeling, not diagnostic claims.

F43.2 Adjustment Disorder F45 Somatoform disorders F44.4 Conversion Disorder F82 Developmental Coordination Disorder F84 Pervasive developmental disorders F32 Major Depressive Disorder F41.0 Panic Disorder F10 Alcohol-related disorders (F10) F01 Vascular dementia F20 Schizophrenia Spectrum F90 ADHD F30 Manic episode F41.1 Generalized Anxiety Disorder

Pathway: N3 (cerebellar cortex/deep cerebellar nuclei) → motor coordination; N2 (medulla/pons) → vital functions

Following Poldrack (2006), brain region disruption does not uniquely predict psychiatric outcomes.

Scoring

NISS v1.1 NISS:1.1/BI:N/CR:L/CD:L/CV:I/RV:F/NP:N

CVSS v4.0 CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

2.7Low

Governance

Neurorights at Risk

This technique threatens 3 of the 4 proposed neurorights (Ienca & Andorno, 2017).

MP Mental Privacy MI Mental Integrity DI DI

Consent Complexity

0.90 / 4.0

FDORA §3305 Compliance

Cyber Device

Regulatory Coverage

0.3 / 1.0

524B Requirements

TM VA SBOM SA PM

Regulatory Gaps

! CVSS cannot express neural-specific impacts
! No FDA pathway for consumer sensor exploitation

Population Vulnerability

CRB vulnerability adjustment (γ=0.30) accounts for age, diagnosis severity, consent capacity, and device dependency.

Population	NISS Base	Adjusted	Severity	Delta
Adult (Default)	2.7	2.7	Low	-
Child (10yr) + ADHD	2.7	3.2	Low	+0.48
Adult with ALS	2.7	3.1	Low	+0.44

Validation Status

Theoretical / Not yet validated. This technique has not been independently tested. See the validation dashboard for what has been tested.

Qinnovate Neural Security Atlas Edit this on GitHub