Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sensor Uses Body's Electrical Signature To Secure Devices

Posted by timothy on from the stop-lying-so-you-can-use-your-computer dept.

coondoggie writes with word that a "group of researchers is proposing a sensor that would authenticate mobile and wearable computer systems by using the unique electrical properties of a person's body to recognize their identity. In a paper [presented Monday] at the USENIX Workshop on Health Security and Privacy, researchers from Dartmouth University Institute for Security, Technology, and Society defined this security sensor device, known as Amulet, as a 'piece of jewelry, not unlike a watch, that would contain small electrodes to measure bioimpedance — a measure of how the body's tissues oppose a tiny applied alternating current- and learns how a person's body uniquely responds to alternating current of different frequencies.'"

64 comments

  1. Oh joy by Anonymous Coward · · Score: 4, Insightful

    Yet more ways to use "infallible" dowsing rods and iris gazers to "do identity". It always comes down to this: By definition biometrics are easier to fake than to replace. This makes them unsuitable for "casual" identification, as opposed to "adversarial" identification, ie working out it was you that stole the cookie from the jar. We're not all criminals, you know. Worse, most identification isn't adversarial, but casual, and on top of that you don't just have but a single identity. Yet that's what all this is invariably targeted at: adversarial, and just the single identity. Just stop it already. I'll take the inconvenience of using a key to unlock the door, or showing a loyalty card with a fake name on it, thanks. At least that key and its lock can be replaced without surgery.

    1. Re:Oh joy by cayenne8 · · Score: 1

      I was wondering, wouldn't simple weight loss or gain mess with this 'signature'?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:Oh joy by Joce640k · · Score: 1

      ...or a hot/cold day.

      --
      No sig today...
    3. Re:Oh joy by gmuslera · · Score: 1

      Would add dry or wet to environment, but what about the internal factors, like when tired, or after doing strong physical activity, or changing food diet, or even maybe hormonal activity, could that give different readings, no matter how well built is that device?

    4. Re:Oh joy by Rei · · Score: 3, Interesting

      I was thinking the same thing. I'd thought of this concept a while back as a "turn almost anything into a key *except* a living organism" approach. That is, if you wanted a really nifty-looking key to your door, it could be some mystic-looking crystal, or some stone sigil, or whatnot. Measure how it interacts with a wide range of AC inputs provided from specific electrodes, and (assuming you have a good mechanism to fit it precisely in place on the same electrodes each time) you've got a unique signature for that object to unlock the door with. I'd think it would be very hard to fake, since trying to tune the shape/composition of a dummy "key" to adjust one frequency will mess with all the others.

      Of course more than security, I was mainly thinking of that from a "wouldn't this be awesome and probably not that hard to implement?" approach.

      --
      Sometimes I doubt your commitment to Sparkle Motion.
    5. Re:Oh joy by kanweg · · Score: 1

      Excellent! So, you can't get fat from all those candy bars because the vending machine will stop selling them to you.

      Bert

    6. Re:Oh joy by ArsenneLupin · · Score: 1

      or even maybe hormonal activity,

      O joy, you are too horny, and now you can no longer log in to your favorite porn site...

    7. Re:Oh joy by vlm · · Score: 1

      I'd think it would be very hard to fake, since trying to tune the shape/composition of a dummy "key" to adjust one frequency will mess with all the others.

      Oh boy please talk to some RF EEs before you roll this idea out. Generations of EEs have written books and created careers on this very topic of wide band antenna/matching networks. Its not trivial, but its not really all that hard either. Some of the math is quite icky, but we have computers now.

      it could be some mystic-looking crystal

      Yeah, made out of silicon or germanium and doped with some exotic materials in a odd pattern ... aka a transistor or IC

      Every RF EE since the first wideband transistor circuit has been doing this since the transistor era. If you allow hollow state aka vacuum tubes we have about a century of experience.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    8. Re:Oh joy by Anonymous Coward · · Score: 0

      Or a hangover/electrolyte imbalance...

    9. Re:Oh joy by Anonymous Coward · · Score: 0

      If this one works, it might be more appealing than current options. Some retina scanners can be faked with a photograph, and having your fingerprints on file can be a nightmare if someone you're friends with (and borrow things from) becomes the subject (or is the victim) in an investigation. This metric seems like it'd be more difficult to work around and would better serve your privacy concerns...

    10. Re:Oh joy by Rei · · Score: 1

      before you roll this idea out.

      "Roll this out"? May I reiterate, "if you wanted a really nifty-looking key to your door" and "I was mainly thinking of that from a "wouldn't this be awesome and probably not that hard to implement?" approach"? You make it sound like trying to revolutionize the world's security. I'm talking about unlocking your front door with a piece of quartz or whatnot.

      Yeah, made out of silicon or germanium and doped with some exotic materials in a odd pattern ... aka a transistor or IC

      I don't think we're talking about the same thing. I'm talking about "random object picked up in a field or thrift store used as a key". Not making a chip specifically to function as a key.

      Oh boy please talk to some RF EEs before you roll this idea out. Generations of EEs have written books and created careers on this very topic of wide band antenna/matching networks. Its not trivial, but its not really all that hard either. Some of the math is quite icky, but we have computers now.

      "Quite icky" is an understatement. You're dealing with differential equations here (Kirchoff's Laws); you can't just converge linearly to a solution. The more complex and diverse the inputs, the exponentially harder it gets to reverse-engineer.

      --
      Sometimes I doubt your commitment to Sparkle Motion.
    11. Re:Oh joy by Eponymous+Hero · · Score: 1

      that might be funny if vending machines were known for protecting against unauthorized purchases.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    12. Re:Oh joy by John+Holmes · · Score: 1

      What about your cat's name?

    13. Re:Oh joy by jank1887 · · Score: 1

      or, put in car analogy terms:

      if functional, this could be useful for your car to identify who you most likely are for the purposes of automatically implementing your custom settings for seat position, climate control, radio stations, etc. But NOT for granting access to or starting the car. And definitely not for determining to whom to send the automated red light camera ticket.

    14. Re:Oh joy by Anonymous Coward · · Score: 0

      Don't worry the Amulet isn't here to replace your key or password. It is a medical device that's supposed to connect medical devices, such as insulin pumps, with a transmitter, such as smartphone, so that the data can be retrieved as need by a doctor.

      And the biometric authentication is a secondary method. The primary authentication is a "Passcode Motion".

      Despite what everyone on here has to say this is a neat device that could do its job well. And just happens to be entirely different then you assume it is.

    15. Re:Oh joy by jank1887 · · Score: 1

      "random object picked up in a field or thrift store used as a key".

      doesn't matter. that thing will have a characteristic impedance that can likely be emulated by a not-too-difficult-to-make matching network. you might as well just have a keypad.

    16. Re:Oh joy by redizhot · · Score: 1

      Why is everyone here so sure it would be so easy to fake? What am I missing here?

    17. Re:Oh joy by Anonymous Coward · · Score: 0

      oooh I can read your aura. Far out!

      And we thought all those hippies were faking it.

    18. Re:Oh joy by Rei · · Score: 1

      you might as well just have a keypad.

      What part of a "this is from a wouldn't it be awesome to open your door with a rock" perspective, not a "this is the bestest-security-ever-conceived" perspective, is difficult? I mean, a keypad? Really?

      . that thing will have a characteristic impedance that can likely be emulated by a not-too-difficult-to-make matching network.

      Across a super-wide frequency range from multiple contact points on its surface? I really doubt it.

      --
      Sometimes I doubt your commitment to Sparkle Motion.
    19. Re:Oh joy by Anonymous Coward · · Score: 0

      It's an interesting idea, but it also amounts to magical thinking (nothing wrong with that, of course, right until you're trying to do security with it; there's a reason the whole security theatre doesn't work). Look at it this way: The field of cryptology works by giving away just about everyting --the algorithms, the analysis-- except the key itself, and then expects not to have given away the information secured with it. ANd then they work really really hard to make sure this is indeed the case, to prove it in fact. Similarly we all know how locks work --there's even an official sporting club for picking locks in Germany-- and yet, a good quality lock will not easily be opened unless you have that convenient secret, the key.

      Of course physical, teethed keys are easily copied, which is part of their practical appeal, but the point is that it's actually a really well-understood field, including the need to keep just that little bit called the key a secret and have the whole thing still work, and be reasonably robust. ICs are not that robust, actually, and it gets worse with RFID, which mainly introduces the need to shield things or you're either risking having the thing fried, or leaking information to all who care to ask--the chip, not you. In that sense, RFID is the latest widely deployed magical thinking security fad.

      So the point is this: Work out a way to turn your magical crystals or other objects into something with properties much like a key, and you're in the game. Otherwise, you have security snake oil; something that might look like it works, but doesn't actually deliver on the security promise, leaving you worse off: Insecure with a false sense of security.

    20. Re:Oh joy by Anonymous Coward · · Score: 0

      It's not "so easy to fake" --though that has turned out to be the case and has been repeatedly and devastatingly demonstrated with fingerprints, with iris scanners of various kinds, with DNA even-- but rather a different point:

      Faking biometrics is easier than replacing compromised biometrics. By definition.

      It's easy to see this: You only have one physical body and there's only so much you can do to change identities, like with surgery. Plus, it's easily damaged and that might change the machine's view of you permanently, leaving you with little or no ways to recover your lost identitiy--because, you know, biometrics are infallible, right? Right? Oh hey, you say, but that's a change of identities then? Yes, but at a cost that's usually only borne involuntarily. Would you have plastic surgery on your fingers just because some identity thief plundered your credit, using fingerprints copied using some cellophane?

      So the argument is that the properties that make people tout biometrics as such a good idea, are in fact exactly the wrong ones for the stated purposes. The idea is that because you only have one body, this somehow translates in security. Instead it creates an incentive to fake biometrics, and suddenly the adversary has the advantage: Not bound by the limiting factor of only having one body. Any implement that can fool the biometric-reading apparatus will do. And then we find that people are in fact quite inventive.

      All this is again is easy to see once you stop thinking of unicorns and instead play a couple what-if scenarios. That despite that biometrics continue to be touted with such fervour says something about how much people like to think of unicorns, or at least how much they dislike thinking about real-world what-if scenarios.

    21. Re:Oh joy by Anonymous Coward · · Score: 0

      I can already open your door with a rock. It just needs to be a really big, heavy rock.

  2. News of the future by cvtan · · Score: 3, Funny

    In cybersecurity news, it was found today that a mannequin made of jello and floating grapes successfully duplicated the unique electrical signature of Mark Zuckerberg's body.

    --
    Sorry, but gray text on gray background is making my eyes bleed.
    1. Re:News of the future by leonardluen · · Score: 3, Funny

      ...and it was found that people thought the mannequin was more likeable than the real Zuckerberg...

    2. Re:News of the future by Anonymous Coward · · Score: 0

      That reminds me of the sitcom "Two And a Half Men" which for some episodes featured a character called Manny Quinn. That guy had about as much life in him as MZ.

  3. How long does it take? by Anonymous Coward · · Score: 1

    Device generates the signature, then it exists in a digital form and can be replicated or spoofed.

    1. Re:How long does it take? by Rei · · Score: 1

      What good does the fact that a lock knows the digital signature of its key do for you unless you plan to physically compromise the lock using to get the code out?

      --
      Sometimes I doubt your commitment to Sparkle Motion.
    2. Re:How long does it take? by vlm · · Score: 2

      Device generates the signature, then it exists in a digital form and can be replicated or spoofed.

      From a hacking perspective thats the best news ever

      a measure of how the body's tissues oppose a tiny applied alternating current - and learns how a person's body uniquely responds to alternating current of different frequencies

      Decades (centuries?) of RF EE work revolves around RF matching network behavior. Essentially its measuring how you'll behave as an antenna or at least a wildly reactive dummy load (aka rf termination). This has the interesting side effect that given nothing other than the physical coupling design inferred visually and some time with the victim and my network analyzer I can whip up a custom little SMD circuit board made completely out of passives that would be electrically indistinguishable from the victim.

      Even better, if the RF freqs are low enough I can make a universal circuit board that would do DSP stuff in real time to feed it what it would like to hear.

      It looks pretty easy to electronically spoof. Electrically spoofing retina patterns takes all kinds of weird optics, and electrically spoofing finger geometry takes all kinds of woodwork level work but all you'll need for this is "touch the gadget to your homemade bracelet/necklace instead of to your skin".

      I would imagine this doesn't work very well. Decades of RF work by handheld radio RF guys (public safety handhelds, ham radio "HTs") shows that the RF characteristics of a human body vary wildly and seemingly randomly within a fairly narrow range. So its pretty easy to make a hand held radio/antenna combination that always matches better than 3:1 SWR but impossible to make on that regularly matches better than 1.5:1 or whatever. This is partially because the body interacts with any nearby field, but also because most quarterwave antenna designs assume the radio and human are part of the groundplane of the antenna. In practice this means you can predict overall antenna system performance within about 6 dB or so, repeatedly, but forget about predicting more accurately than 3 dB or so. The relevance of hand held radio antenna matching to this story is I do not think you can store much more than 2 or 3 bits of "crypto key" data using this tech. I'll go way out on a limb and give them 7 bits of crypto key equivalent, so I could build 128 circuit boards and be more or less guaranteed that everyone reading this could be spoofed with one of the boards. It would be very much like having all passwords limited to 2 digits.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:How long does it take? by DarwinSurvivor · · Score: 1

      You don't have to use the SAME device to get the digital version.

  4. I give it 6 months before it is faked out. by Anonymous Coward · · Score: 0

    Like any other biometric measure, it can be faked.

  5. Take a diuretic, become a different person by hamjudo · · Score: 3, Informative

    Electrical properties of living creatures are not really known for being stable, particularly among sick people, the intended users for this device. Good thing that the summary has so little to do with the paper, because the summary is pretty silly

    1. Re:Take a diuretic, become a different person by Turken · · Score: 1

      That's what I was wondering too. Or what happens when someone has a significant weight loss or gain? Lots of geeks tend to have a good layer of natural insulation. Plenty of ways for the body's electrical signature to change.

      I suppose it might be an incentive to get fit and stay fit, though. "Sorry, the fat (errr... electrical) signature of the person attempting to access this computer does not match our records. Go work out some more and try again next week."

    2. Re:Take a diuretic, become a different person by NFN_NLN · · Score: 1

      Electrical properties of living creatures are not really known for being stable, particularly among sick people, the intended users for this device. Good thing that the summary has so little to do with the paper, because the summary is pretty silly

      Umm.. yeah.. that is a feature of the device. If your signature deviates slightly it can tell you are getting sick and alerts your Doctor.
      It's a feature.

    3. Re:Take a diuretic, become a different person by Anonymous Coward · · Score: 0

      Obviously the researchers in Dartmouth haven't yet have the time to celebrate the acceptance of their paper in a local pub..

  6. A misnomer and a possible mis-fire by ThunderBird89 · · Score: 1

    Calling it Amulet while having the form factor of a watch is somewhat misleading, I was thinking how a necklace could possibly have a secure enough interface to the body to measure the required responses.

    But that's the least of my worries. Body impedance can be dependent on quite a lot of things, such as hydration, and skin resistance, which is again dependent on many factors, such as the temperature, stress, etc. Could such a small device carry a sophisticated enough algorithm to reliably and quickly account for all these factors to establish the identity? Or would I need to wear the device for months so it can learn all my electrical characteristics? What if I gain implants later on: a pacemaker or artificial heart would significantly alter my impedance, likely requiring a re-calibration.

    If these problems can be worked out,the technology has promise. If not, a coordinating watch for a personal area network still seems like a good idea, some way or another...

    --
    Hyperbole: I use it liberally!
    1. Re:A misnomer and a possible mis-fire by gmuslera · · Score: 1

      Probably calling it amulet would be pretty fitting, it would be pure luck if it manage to uniquely identify you in all possible situations.

    2. Re:A misnomer and a possible mis-fire by TubeSteak · · Score: 1

      Calling it Amulet while having the form factor of a watch is somewhat misleading, I was thinking how a necklace could possibly have a secure enough interface to the body to measure the required responses.

      Obviously the best solution is to call it a "life clock crystal" and have it embedded in the palm of your right hand.
      Unfortunately, the crystal has... side effects, the most onerous being sudden death on your 21st birthday.

      --
      [Fuck Beta]
      o0t!
    3. Re:A misnomer and a possible mis-fire by Anonymous Coward · · Score: 0

      It would be better to wear it as a tiara. The solution then would be fabulous.

  7. we need original comments by jehan60188 · · Score: 2

    Seriously, the first four comments are all about how easy this will be to fake out!
    I'm going to make a comment about how awesome science is.
    SCIENCE!

    1. Re:we need original comments by Antipater · · Score: 2

      A nuclear fission chain reaction? Using uranium? Ha! Good luck ever getting THAT to work!

      --
      Everything is better with chainsaws.
    2. Re:we need original comments by Rei · · Score: 0

      GRAMMAR!

      --
      Sometimes I doubt your commitment to Sparkle Motion.
    3. Re:we need original comments by John+Holmes · · Score: 1

      Are your referring to the Higgs Bozo particle?

    4. Re:we need original comments by Rei · · Score: 1

      Modded down? Hmm, was it because there was no context?

      --
      Sometimes I doubt your commitment to Sparkle Motion.
  8. PKI Implications by CommieLib · · Score: 1

    Biometric is great, but it's only useful locally to the biometric hardware. Beyond that, all there is is ones and zeroes, whether they originated from a biometric sig or not. I suppose you could use these biometrics to generate a key pair...but then you have a problem both of non-repudiation (the actual bits of the private key are compromised...what can you do?) and unintentional repudiation (I'm pregnant, now I can't log into my bank account).

    --
    If your bitterest enemies are people who hack the heads off civilians, then I would say you're doing something right.
  9. Are you gay? by Anonymous Coward · · Score: 0

    cover your eyes, or they will find you...

    1. Re:Are you gay? by John+Holmes · · Score: 1

      As in "happy"?

  10. might work better than you want it to by slew · · Score: 1

    If it's looking for bioelectrical signatures, it likely will have more trouble identifying you when you are dehydrated, drunk, high, out of breath (from running or experiencing a heart-attack), etc...

    I'm sorry, but I'm afraid I can't let you do that right now because you are not Dave...

    On the other hand, if you loosened the identification threshold so these kind variations didn't matter, there probably wouldn't be much entropy left in that identification scheme. Someone with a simliar height and build would probably be easily mistaken for you.

  11. Fundamental problem with biometrics... by sinij · · Score: 2

    Perhaps this is the next amazing biometric authentication technology that can accurately identify users without any false positives... This still don't change the problem that like all other biometric data it cannot be re-issued if ever compromised.

    1. Re:Fundamental problem with biometrics... by vlm · · Score: 1

      if ever compromised

      when, not if ever.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  12. implications for Quantified Self? by Anonymous Coward · · Score: 0

    I wonder what are the implications for the Quantified Self movement (life loggers, self trackers, etc.)? Perhaps, this signature could be used as a anonymous biometric ID that could link together data from different tracking devices?

    -------
    I am trying to quantify and gamify my everyday life. Please follow my experiment at www.measuredme.com

  13. Dartmouth College by sam1am · · Score: 1

    Just a small nitpick (the error is in the article too).. It's Dartmouth College, not Dartmouth University... ( Those that love Dartmouth will be quick to point this out.. It stems from http://en.wikipedia.org/wiki/Dartmouth_College_v._Woodward )

  14. Why is it by Anonymous Coward · · Score: 0

    that all cryptographers or other folks who make this sort of thing assume that everyone wants: 1 password, 1 username, 1 identification and the like? I figure that the people making these things are the people who are most keyed into technology, and are therefore incredibly cognisant of the need for multiple/anonymous identities. So, I would assume that folks doing research NOT DIRECTLY RELATED to squashing dissidence would sort of avoid a one ID system, right?

    Side note. Cognisant is spelled right, regardless of what the little red squiggly line tells me.

    1. Re:Why is it by Eponymous+Hero · · Score: 1

      in amerrrrrica we spell it with a z. excuse me, we spell it with a zed.

      --
      insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
    2. Re:Why is it by John+Holmes · · Score: 1

      Zed is ded.

  15. Key Details missing. by Anonymous Coward · · Score: 0

    This device is not Key Card for a Computer. This is a medical Device. I know this is a terriable faux Pas but I read the article and more importantly the associated PDF about the "Amulet" http://www.cs.dartmouth.edu/~sorber/papers/sorber-amulet.pdf

    To sum up the Amulet is a medical device that can measure certain medical data on its own but is really there to coordinate several devices and facilitate data transmsion to a medical source. The Amulet has two means to verify it is on the correct person, the first is a active "Motion Password", move the Amulet in a predetermined fashion to unlock, and the second is the passive biometric check - which isn't give much detail. Once the correct user is determined its assumed that the device is remains unlocked till removed.

    The Amulet is a replacement for Other mobile medical tracking devices because they can either be lost or in the case of a smart phone, hacked or borrowed to a friend.

    So long story short this is a special purpose medical device not a general purpose Biometeric Key that the Summary insinuates.

  16. Life imitating TV by Anonymous Coward · · Score: 0

    "We are the Borg, and we will assimilate you!"...

  17. Sure by ThatsNotPudding · · Score: 1

    I'm sure it works great - until you rub a balloon on your head! One simple party trick and boom! You're locked out of everything!

    1. Re:Sure by Anonymous Coward · · Score: 0

      Yes, and get a cold and you can't use your phone to call in sick to work.

      or get a blister and get locked out of the data center by the fingerprint scanner.

  18. After a bender by Anonymous Coward · · Score: 0

    How does my electrical signature change when I'm hung over?

  19. home automation by kharchenko · · Score: 1

    I was just thinking about this the other day! This would be great for these modern bathroom scales to id the user - the impedance measure only needs enough accuracy to distinguish between the family members whose weight is close enough. They already measure impedance for body fat anyhow.
    But I also wondered how much your signatures would change if you, let's say, drank a bottle of beer, or ate something salty.

  20. District 9 by gznork26 · · Score: 1

    So that's how the alien weaponry in District 9 worked. Alien physiology would be significantly different from human, and the guns could only be used when one of those aliens held it.

  21. get your hands off me you damn dirty replicant! by Thud457 · · Score: 1

    What do gay people have against turtles?

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  22. chemistry, biology & electro-magnetics by jago25_98 · · Score: 2

    The interaction between chemistry, biology & electro-magnetics is fascinating for me.

    In the Anglophone world we have books like "The Body Electric". In Chinese and Russian there's much, much more. There's a sense we're building on 100's years of science (I use that term in a definition you may not agree with).

    I was able to alter my bioimpedence using my mind in a test at the science museum in London. I'd like to know if it was just me passing harder on the contacts or sweating a bit more...

    Where can I read more on this subject?

    --
    A blog I run for the wealth