Brain-Prompt Injection: A Route-Safety Audit for BCI-LLM Agents
Researchers identify critical security vulnerabilities in brain-computer interface (BCI) systems connected to large language model agents, demonstrating that neural signal perturbations can manipulate tool-use authorization while evading standard safety monitors. The study establishes a formal audit framework to detect and mitigate 'brain-prompt injection' attacks, revealing that current decoder accuracy metrics fail to guarantee route safety in BCI-LLM pipelines.
This research addresses an emerging security frontier at the intersection of neurotechnology and AI systems. As BCI-LLM pipelines evolve from research prototypes toward deployment, they introduce a novel attack surface where adversaries can manipulate decoded neural signals to authorize unintended tool usage. The vulnerability stems from a fundamental architectural problem: traditional safety monitors operating on either EEG or text channels cannot observe perturbations occurring at the signal-integration layer, creating what researchers term 'brain-prompt injection'.
The work builds on growing concerns about adversarial attacks in AI systems, but extends them into the neurological domain where attack vectors remain understudied. The authors develop a formal Route-Safety Audit Contract with specific logging schemas and dependency decomposition frameworks, moving beyond informal safety assumptions. Their empirical validation using 5,400 EEG events demonstrates that provenance-based monitoring can reduce false-accept rates to zero under isolated conditions, though adversary-controlled confirmation channels degrade protections substantially.
The findings matter for BCI technology adoption, particularly in high-stakes applications like medical device control or financial authorization. Current industry focus emphasizes decoder accuracy and signal-text agreement, but this research proves those metrics are insufficient security indicators. The work establishes measurable benchmarks (FAR thresholds, utility-safety tradeoffs) that developers must meet before deployment. However, the authors explicitly note that their mediation techniques provide risk reduction rather than intent certification, suggesting fundamental architectural limitations require resolution before BCIs can safely authorize critical actions.
- BCI-LLM systems face new 'brain-prompt injection' attacks where signal perturbations can manipulate authorized tool-use while evading standard safety monitors
- Traditional decoder accuracy and agreement metrics fail to guarantee route safety, requiring formal audit frameworks and provenance-based monitoring
- Conformal calibration on confirmation channels achieved zero false-accept rates at clean utility 0.15 for strict alpha thresholds, degrading under attacker-controlled conditions
- Cross-subject validation across 60 subjects and multiple neural architectures confirms vulnerability patterns remain consistent regardless of network design
- Current BCI safety mechanisms provide risk reduction rather than intent certification, indicating fundamental architectural changes may be needed before deployment in critical applications
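
The conformal calibration of a confirmation channel mentioned above, sketched as an added example (not code from the study): a split-conformal cut-off is fitted on unintended-route scores, then utility and false-accept rate (FAR) are measured on a clean channel and on one the adversary can raise. The 0-100 scores, the `boost` model and all function names are assumptions constructed for illustration.

```python
import math

def conformal_threshold(unintended_cal, alpha):
    """Split-conformal cut-off: a fresh unintended event that is exchangeable
    with the calibration set scores above it with probability <= alpha."""
    n = len(unintended_cal)
    k = math.ceil(round((n + 1) * (1 - alpha), 9))  # conformal rank
    if k > n:
        return math.inf  # too few calibration events for this alpha: fail closed
    return sorted(unintended_cal)[k - 1]

def rates(intended, unintended, threshold):
    """Return (utility, FAR): share of intended / unintended routes accepted."""
    accept = lambda s: s > threshold
    utility = sum(map(accept, intended)) / len(intended)
    far = sum(map(accept, unintended)) / len(unintended)
    return utility, far

# Constructed confirmation scores (0-100), not data from the study.
CAL_UNINTENDED = list(range(99))            # calibration: unintended routes
TEST_UNINTENDED = list(range(2, 100, 5))    # clean held-out unintended routes
TEST_INTENDED = [60, 65, 70, 72, 75, 78, 80, 82, 84, 85,
                 86, 88, 90, 91, 92, 94, 95, 97, 99, 100]

def attacker_controlled(scores, boost=40):
    """Hypothetical model of a confirmation channel the adversary can raise."""
    return [min(100, s + boost) for s in scores]

def audit(alpha):
    """Calibrate at alpha, then report (utility, FAR) clean and under attack."""
    t = conformal_threshold(CAL_UNINTENDED, alpha)
    clean = rates(TEST_INTENDED, TEST_UNINTENDED, t)
    attacked = rates(TEST_INTENDED, attacker_controlled(TEST_UNINTENDED), t)
    return {"threshold": t, "clean": clean, "attacked": attacked}

if __name__ == "__main__":
    for alpha in (0.10, 0.01):
        print(alpha, audit(alpha))
```

The bound on FAR holds only while deployment scores are exchangeable with the calibration set, which is why FAR climbs once the confirmation channel is attacker-controlled even though the threshold is unchanged.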