HOW WILL I KNOW IT’S YOU?

http://www.popsci.com/technology/article/2012-08/wristwatch-device-could-help-turn-human-body-secure-bluetooth

You are unique. This is one of the more obscure ways you’re unique: An alternating current of different frequencies running through you causes a reaction that’s noticeably different from anyone else’s. Researchers from Dartmouth University are trying to put this difference to use by creating wearable electronics that respond to–and only to–their intended user.

The design they’re discussing is called “Amulet,” a device “not unlike a watch” that could take a measurement like this, confirming the identity of a person. The device would use small electrodes to measure how the body’s tissues react to the alternating current, which changes from person to person. It’s a lock that’s keyed into your biology; when it’s set up with the device, it only unlocks it for you.

After that, it gets even better: once that connection has been established, researchers say, that device can coordinate with others. Those devices would join the party through physical contact–maybe as easily as being slipped into a pocket, and staying securely rooted in your unique biology. A system like that could be used to better monitor a person’s health; a single device attached directly to the body could monitor that person from anywhere, without causing wireless security concerns. But researchers are conceding that a better way of reliably interpreting the data coming from the sensor will still take time, and reliability is more than a little important for something like this.

BIOIMPEDANCE
http://www.networkworld.com/community/blog/sensor-uses-body%E2%80%99s-electrical-signature-secure-devices
Sensor uses body’s electrical signature to secure devices
Dartmouth researchers’ “Amulet” could protect wearable computer systems
by Layer 8  /  08/06/12

A group of researchers is proposing a sensor that would authenticate mobile and wearable computer systems by using the unique electrical properties of a person’s body to recognize their identity. In a paper being presented today at the USENIX Workshop on Health Security and Privacy, researchers from Dartmouth University Institute for Security, Technology, and Society defined this security sensor device, known as Amulet, as a “piece of jewelry, not unlike a watch, that would contain small electrodes to measure bioimpedance — a measure of how the body’s tissues oppose a tiny applied alternating current — and learns how a person’s body uniquely responds to alternating current of different frequencies.” The device uses a recognition algorithm to determine whether the person matches the measured bioimpedance.

Once identity has been established a person would be able to simply attach other devices to their body – whether clipped on, strapped on, stuck on, slipped into a pocket, or even implanted or ingested – and have the devices just work. That is, without any other action on the part of the user, the devices discover each other’s presence, recognize that they are on the same body, develop shared secrets from which to derive encryption keys, and establish reliable and secure communications, the researchers stated. “We have proposed the concept of a wearable device, in a wristwatch form factor, that would coordinate a person’s body-area network of sensors, providing a root of trust. Such a device also provides a perfect platform for implementing a biometric recognition mechanism. We expect that the necessary electronics and skin-contact sensors for bioimpedance could easily be integrated into an Amulet-like device.”

The idea is to ensure the security of the increasing amounts of mobile and wearable systems used for monitoring health conditions and lifestyle-related conditions at what the researchers called an unprecedented level of detail, researchers stated. “Wireless connectivity allows interaction with other devices nearby (like entertainment systems, climate control systems, or medical devices). Sensor data may be automatically shared with a social-networking service, or uploaded to an Electronic Medical Record system for review by a healthcare provider,” the researchers stated. “However, in spite of recent advances, significant challenges remain. Reliably interpreting data from a body-worn sensor often requires information about who is wearing the sensor as well as the current person’s environment, location, current activity, and social context. Existing recognition schemes for such mobile applications and pervasive devices are not particularly usable – they require active engagement with the person (such as the input of passwords), or they are too easy to fool.”

{The Dartmouth research is supported by the National Science Foundation and by the US Department of Health and Human Services.}

 

A “bench-top system” used by the researchers. The bracelet is attached to a resistor array used for calibration.

 

LESS HACKABLE
http://arstechnica.com/security/2012/08/medical-device-hack-attacks/
Wearable devices can use heart rate to prevent tampering by malicious hackers
by Dan Goodin – Aug 7 2012

Computer scientists have proposed a wearable healthcare device that uses unique physiological signatures in a patient’s heart rate or other physiological response to prevent tampering by malicious hackers. A research paper presented on Monday at the 3rd Usenix Workshop of Health Security and Privacy describes a health sensor that measures the unique electrical properties of a patient’s body to recognize their identity. A separate paper recently penned by many of the same scientists envisions a similar device that uses heart rates, galvanic skin response, or other physiological data as a shared secret that can be used to securely share encryption keys among sensor nodes attached to the same body.

Over the past decade, there’s been an explosion of tiny networked devices that manage a variety of health maladies, from regulating the beating of the human heart to controlling serious diabetic conditions. Allowing the devices to connect wirelessly to computers or other devices saves money and can eliminate the number of invasive surgeries needed to keep them in working order. But it also comes with a catch: researchers have devised proof-of-concept hacks that can disable or sabotage electronic pacemakers or deliver fatal insulin dosages over the air. In the case of wearable devices, it’s crucial that they also authenticate the identity of the person who’s using it. “Reliably interpreting data from a body-worn sensor often requires information about who is wearing the sensor as well as the current person’s environment, location, current activity, and social context,” the authors of the Usenix paper wrote. “Techniques exist for collecting some of this information, but today’s body-worn sensors lack the ability to reliably determine who is wearing the device.”

They proposed a device that’s worn on the wrist like a watch or piece of jewelry. It could automatically and securely connect to peripheral devices that are placed in a pocket, ingested, or implanted. “That is, without any other action on the part of the users, the devices discover each other’s presence, recognize that they are on the same body (and transitively learn from the wrist device whose body), develop shared secrets from which to derive encryption keys, and establish reliable and secure communications.” The wearable device passively recognizes the patient using something called bioimpedance, which is a measure of how the body’s tissues respond to a small electrical shock applied to the skin. In theory, each person’s reaction is unique, although experiments conducted by the researchers were effective at accurately recognizing people in a household only 90 percent of the time. The devices are designed to provide strong authentication without requiring users to enter long passwords into a tiny interface or carry out other onerous tasks.

In addition to preventing serious hack attacks, the passive authentication system is intended to address other problematic scenarios—two people in the same household accidentally using the wrong device, for example, or a smoker who places his “smoking sensor” on a non-smoking friend to receive incentives for quitting. The researchers who wrote the Usenix paper include Cory Cornelius, Jacob Sorber, Ronald Peterson, Joe Skinner, Ryan Halter, and David Kotz. All six are in Dartmouth College’s Department of Computer Science, Thayer School of Engineering, or Geisel School of Medicine. The act of connecting millions of patients to networked devices that are susceptible to remote hack attacks may sound like science fiction, but it’s already here. It’s good to know that scientists are researching ways to prevent tampering with them, but it’s important to remember that the biometric authentication they’re considering comes with its own vulnerabilities.

The ease of cloning fingerprints and recently unveiled research into tricking eye scanners using reverse engineered irises should serve as cautionary reminders that the techniques described in the most recent papers are almost certainly not foolproof. Networked devices that are worn by or implanted in patients solve a lot of pressing problems, but unless engineers are careful, they may raise a batch of new threats that are the stuff of a Dystopia too bleak to contemplate.
