Whenever you send a password using a broadcast medium such as Wi-Fi or Bluetooth, someone might be listening. Even if it’s encrypted, you might be giving hackers at least a shot at breaking it.
Researchers have expressed particular concerns about the risk of vulnerabilities in custom radio protocols for wearables and implantables. But what if you could securely send that data through your body, not the air?
And what if you could do it using a fingerprint sensor or touchpad like the one already built into your smartphone or laptop?
That’s the claim of new research from computer scientists and electrical engineers at the University of Washington. As UW assistant professor of computer science and engineering Shyam Gollakota puts it:
Fingerprint sensors have so far been used as an input device. What is cool is that we’ve shown for the first time that fingerprint sensors can be re-purposed to send out information that is confined to the body.
That’s right: even though fingerprint sensors aren’t designed to be active radio transmitters, “during normal operation they produce characteristic electromagnetic signals, which are consistent and at frequencies below 10 MHz” – frequencies that apparently propagate well through the human body.
According to the University of Washington’s description of the research:
These ‘on-body’ transmissions offer a more secure way to transmit authenticating information between devices that touch parts of your body – such as a smart door lock or wearable medical device – and a phone or device that confirms your identity by asking you to type in a password.
Co-lead author Mehrdad Hessar walks through a typical use case:
Let’s say I want to open a door using an electronic smart lock. I can touch the doorknob and touch the fingerprint sensor on my phone and transmit my secret credentials through my body to open the door.
The authors’ paper documents transmission tests across the whole body, demonstrating that their technique works across different body types, and whether the subject is standing, sitting, or lying down. They tested iPhone 5s and iPhone 6s fingerprint sensors, the Verifi P5100 USB fingerprint scanner, and both Lenovo T440s and Adafruit touchpads.
Their technique also held up well against interference from other wearables. (A claimed side benefit of this finding: it might “be difficult for an attacker to transmit an external signal on the air to either jam transmissions or send false information.”)
Don’t expect to watch any HD movies transmitted directly through your fingerprint sensor just yet: Hessar et al achieved transmission rates of just 25 bits per second. That’s less than a quarter the speed of a 1950s modem.
It’s a long way from a university research lab to your body, but if this proves out, multiple applications are possible. For example:
Instead of manually typing in a secret serial number or password for wirelessly pairing medical devices such as glucose or blood pressure monitors with smartphones, a smartphone could directly transmit arbitrary secret keys through the human body.
Of course, having your body as the transmission medium brings a whole new set of security concerns about man-in-the-middle attacks.
BMP
Just have to address the “can be forced from you because its something you are NOT something you know” ruling of the SCOUS…
Due Process
Exactly. This feature is mainly a convenience for the police.
No, not every suspect is innocent, but due process of the law should be extended to all.
Adam
A new dimension of man-in-the-middle attacks, indeed! :D
Mahhn
I think the industry is more looking for a new product to sell. User name, password, and sometimes a token are good. But new revenue is what is really wanted.
Browser
Any games out there familiar with Shadowrun? This sounds a lot like a “Skinlink”. Chalk another one up for science fiction becoming real/possible.
David Pottage
I think this technology could benefit real world security of workplace computer terminals, especially if they are shared between many workers.
For example, consider a shared computer at a nurse’s station in a hospital ward. Each nurse or doctor is supposed to login under her own username to record which drugs have been given to which patent, and to download new test results and medical orders from the other staff.
The rules of the hospital might say that logins can never be shared, and every nurse must login to use the terminal and logout when she leaves the terminal, but if that takes more than a few seconds then in practice the nurses will share their logins simply to save time and get their work done.
With technology like this, it would be possible for each nurse to wear an authentication generating device on her body that constantly generates a stream of key material to identify and authenticate her. That way as soon as she touches the computer keyboard or mouse it will login instantly, and will logout again a few seconds after she stops using the computer.