Slashdot: News for Nerds

Sensor Uses Body's Electrical Signature To Secure Devices

timothy posted about 2 years ago | from the stop-lying-so-you-can-use-your-computer dept.

Security 64

coondoggie writes with word that a "group of researchers is proposing a sensor that would authenticate mobile and wearable computer systems by using the unique electrical properties of a person's body to recognize their identity. In a paper [presented Monday] at the USENIX Workshop on Health Security and Privacy, researchers from Dartmouth University Institute for Security, Technology, and Society defined this security sensor device, known as Amulet, as a 'piece of jewelry, not unlike a watch, that would contain small electrodes to measure bioimpedance — a measure of how the body's tissues oppose a tiny applied alternating current- and learns how a person's body uniquely responds to alternating current of different frequencies.'"

64 comments

Oh joy (4, Insightful)

Anonymous Coward | about 2 years ago | (#40905089)

Yet more ways to use "infallible" dowsing rods and iris gazers to "do identity". It always comes down to this: By definition biometrics are easier to fake than to replace. This makes them unsuitable for "casual" identification, as opposed to "adversarial" identification, ie working out it was you that stole the cookie from the jar. We're not all criminals, you know. Worse, most identification isn't adversarial, but casual, and on top of that you don't just have but a single identity. Yet that's what all this is invariably targeted at: adversarial, and just the single identity. Just stop it already. I'll take the inconvenience of using a key to unlock the door, or showing a loyalty card with a fake name on it, thanks. At least that key and its lock can be replaced without surgery.

Re:Oh joy (1)

cayenne8 (626475) | about 2 years ago | (#40905313)

I was wondering, wouldn't simple weight loss or gain mess with this 'signature'?

Re:Oh joy (1)

Joce640k (829181) | about 2 years ago | (#40905353)

...or a hot/cold day.

Re:Oh joy (1)

gmuslera (3436) | about 2 years ago | (#40905435)

Would add dry or wet to environment, but what about the internal factors, like when tired, or after doing strong physical activity, or changing food diet, or even maybe hormonal activity, could that give different readings, no matter how well built is that device?

Re:Oh joy (1)

ArsenneLupin (766289) | about 2 years ago | (#40905525)

or even maybe hormonal activity,

O joy, you are too horny, and now you can no longer log in to your favorite porn site...

Re:Oh joy (0)

Anonymous Coward | about 2 years ago | (#40905643)

Or a hangover/electrolyte imbalance...

Re:Oh joy (3, Interesting)

Rei (128717) | about 2 years ago | (#40905491)

I was thinking the same thing. I'd thought of this concept a while back as a "turn almost anything into a key *except* a living organism" approach. That is, if you wanted a really nifty-looking key to your door, it could be some mystic-looking crystal, or some stone sigil, or whatnot. Measure how it interacts with a wide range of AC inputs provided from specific electrodes, and (assuming you have a good mechanism to fit it precisely in place on the same electrodes each time) you've got a unique signature for that object to unlock the door with. I'd think it would be very hard to fake, since trying to tune the shape/composition of a dummy "key" to adjust one frequency will mess with all the others.

Of course more than security, I was mainly thinking of that from a "wouldn't this be awesome and probably not that hard to implement?" approach.

Re:Oh joy (1)

vlm (69642) | about 2 years ago | (#40905623)

I'd think it would be very hard to fake, since trying to tune the shape/composition of a dummy "key" to adjust one frequency will mess with all the others.

Oh boy please talk to some RF EEs before you roll this idea out. Generations of EEs have written books and created careers on this very topic of wide band antenna/matching networks. It's not trivial, but it's not really all that hard either. Some of the math is quite icky, but we have computers now.

it could be some mystic-looking crystal

Yeah, made out of silicon or germanium and doped with some exotic materials in an odd pattern ... aka a transistor or IC

Every RF EE since the first wideband transistor circuit has been doing this since the transistor era. If you allow hollow state aka vacuum tubes we have about a century of experience.

Re:Oh joy (1)

Rei (128717) | about 2 years ago | (#40905993)

before you roll this idea out.

"Roll this out"? May I reiterate, "if you wanted a really nifty-looking key to your door" and "I was mainly thinking of that from a "wouldn't this be awesome and probably not that hard to implement?" approach"? You make it sound like trying to revolutionize the world's security. I'm talking about unlocking your front door with a piece of quartz or whatnot.

Yeah, made out of silicon or germanium and doped with some exotic materials in an odd pattern ... aka a transistor or IC

I don't think we're talking about the same thing. I'm talking about "random object picked up in a field or thrift store used as a key". Not making a chip specifically to function as a key.

Oh boy please talk to some RF EEs before you roll this idea out. Generations of EEs have written books and created careers on this very topic of wide band antenna/matching networks. It's not trivial, but it's not really all that hard either. Some of the math is quite icky, but we have computers now.

"Quite icky" is an understatement. You're dealing with differential equations here (Kirchhoff's Laws); you can't just converge linearly to a solution. The more complex and diverse the inputs, the exponentially harder it gets to reverse-engineer.

Re:Oh joy (1)

jank1887 (815982) | about 2 years ago | (#40907317)

"random object picked up in a field or thrift store used as a key".

doesn't matter. that thing will have a characteristic impedance that can likely be emulated by a not-too-difficult-to-make matching network. you might as well just have a keypad.

Re:Oh joy (1)

Rei (128717) | about 2 years ago | (#40910437)

you might as well just have a keypad.

What part of a "this is from a wouldn't it be awesome to open your door with a rock" perspective, not a "this is the bestest-security-ever-conceived" perspective, is difficult? I mean, a keypad? Really?

that thing will have a characteristic impedance that can likely be emulated by a not-too-difficult-to-make matching network.

Across a super-wide frequency range from multiple contact points on its surface? I really doubt it.

Re:Oh joy (0)

Anonymous Coward | about 2 years ago | (#40915931)

I can already open your door with a rock. It just needs to be a really big, heavy rock.

Re:Oh joy (0)

Anonymous Coward | about 2 years ago | (#40911999)

It's an interesting idea, but it also amounts to magical thinking (nothing wrong with that, of course, right until you're trying to do security with it; there's a reason the whole security theatre doesn't work). Look at it this way: The field of cryptology works by giving away just about everything --the algorithms, the analysis-- except the key itself, and then expects not to have given away the information secured with it. And then they work really really hard to make sure this is indeed the case, to prove it in fact. Similarly we all know how locks work --there's even an official sporting club for picking locks in Germany-- and yet, a good quality lock will not easily be opened unless you have that convenient secret, the key.

Of course physical, teethed keys are easily copied, which is part of their practical appeal, but the point is that it's actually a really well-understood field, including the need to keep just that little bit called the key a secret and have the whole thing still work, and be reasonably robust. ICs are not that robust, actually, and it gets worse with RFID, which mainly introduces the need to shield things or you're either risking having the thing fried, or leaking information to all who care to ask--the chip, not you. In that sense, RFID is the latest widely deployed magical thinking security fad.

So the point is this: Work out a way to turn your magical crystals or other objects into something with properties much like a key, and you're in the game. Otherwise, you have security snake oil; something that might look like it works, but doesn't actually deliver on the security promise, leaving you worse off: Insecure with a false sense of security.

Re:Oh joy (1)

kanweg (771128) | about 2 years ago | (#40905521)

Excellent! So, you can't get fat from all those candy bars because the vending machine will stop selling them to you.

Bert

Re:Oh joy (1)

Eponymous Hero (2090636) | about 2 years ago | (#40906445)

that might be funny if vending machines were known for protecting against unauthorized purchases.

Re:Oh joy (0)

Anonymous Coward | about 2 years ago | (#40905959)

If this one works, it might be more appealing than current options. Some retina scanners can be faked with a photograph, and having your fingerprints on file can be a nightmare if someone you're friends with (and borrow things from) becomes the subject (or is the victim) in an investigation. This metric seems like it'd be more difficult to work around and would better serve your privacy concerns...

Re:Oh joy (1)

John Holmes (2619159) | about 2 years ago | (#40906551)

What about your cat's name?

Re:Oh joy (1)

jank1887 (815982) | about 2 years ago | (#40906917)

or, put in car analogy terms:

if functional, this could be useful for your car to identify who you most likely are for the purposes of automatically implementing your custom settings for seat position, climate control, radio stations, etc. But NOT for granting access to or starting the car. And definitely not for determining to whom to send the automated red light camera ticket.

Re:Oh joy (0)

Anonymous Coward | about 2 years ago | (#40907253)

Don't worry, the Amulet isn't here to replace your key or password. It is a medical device that's supposed to connect medical devices, such as insulin pumps, with a transmitter, such as a smartphone, so that the data can be retrieved as needed by a doctor.

And the biometric authentication is a secondary method. The primary authentication is a "Passcode Motion".

Despite what everyone on here has to say this is a neat device that could do its job well. And just happens to be entirely different than you assume it is.

Re:Oh joy (1)

redizhot (2692045) | about 2 years ago | (#40907689)

Why is everyone here so sure it would be so easy to fake? What am I missing here?

Re:Oh joy (0)

Anonymous Coward | about 2 years ago | (#40912277)

It's not "so easy to fake" --though that has turned out to be the case and has been repeatedly and devastatingly demonstrated with fingerprints, with iris scanners of various kinds, with DNA even-- but rather a different point:

Faking biometrics is easier than replacing compromised biometrics. By definition.

It's easy to see this: You only have one physical body and there's only so much you can do to change identities, like with surgery. Plus, it's easily damaged and that might change the machine's view of you permanently, leaving you with little or no ways to recover your lost identity--because, you know, biometrics are infallible, right? Right? Oh hey, you say, but that's a change of identities then? Yes, but at a cost that's usually only borne involuntarily. Would you have plastic surgery on your fingers just because some identity thief plundered your credit, using fingerprints copied using some cellophane?

So the argument is that the properties that make people tout biometrics as such a good idea, are in fact exactly the wrong ones for the stated purposes. The idea is that because you only have one body, this somehow translates in security. Instead it creates an incentive to fake biometrics, and suddenly the adversary has the advantage: Not bound by the limiting factor of only having one body. Any implement that can fool the biometric-reading apparatus will do. And then we find that people are in fact quite inventive.

All this again is easy to see once you stop thinking of unicorns and instead play a couple what-if scenarios. That despite that biometrics continue to be touted with such fervour says something about how much people like to think of unicorns, or at least how much they dislike thinking about real-world what-if scenarios.

Re:Oh joy (0)

Anonymous Coward | about 2 years ago | (#40908685)

oooh I can read your aura. Far out!

And we thought all those hippies were faking it.

News of the future (3, Funny)

cvtan (752695) | about 2 years ago | (#40905093)

In cybersecurity news, it was found today that a mannequin made of jello and floating grapes successfully duplicated the unique electrical signature of Mark Zuckerberg's body.

Re:News of the future (3, Funny)

leonardluen (211265) | about 2 years ago | (#40905707)

...and it was found that people thought the mannequin was more likeable than the real Zuckerberg...

Re:News of the future (0)

Anonymous Coward | about 2 years ago | (#40905863)

That reminds me of the sitcom "Two And a Half Men" which for some episodes featured a character called Manny Quinn. That guy had about as much life in him as MZ.

How long does it take? (1)

Anonymous Coward | about 2 years ago | (#40905121)

Device generates the signature, then it exists in a digital form and can be replicated or spoofed.

Re:How long does it take? (1)

Rei (128717) | about 2 years ago | (#40905529)

What good does the fact that a lock knows the digital signature of its key do for you unless you plan to physically compromise the lock using to get the code out?

Re:How long does it take? (1)

DarwinSurvivor (1752106) | about 2 years ago | (#40916479)

You don't have to use the SAME device to get the digital version.

Re:How long does it take? (2)

vlm (69642) | about 2 years ago | (#40905531)

Device generates the signature, then it exists in a digital form and can be replicated or spoofed.

From a hacking perspective that's the best news ever

a measure of how the body's tissues oppose a tiny applied alternating current - and learns how a person's body uniquely responds to alternating current of different frequencies

Decades (centuries?) of RF EE work revolves around RF matching network behavior. Essentially it's measuring how you'll behave as an antenna or at least a wildly reactive dummy load (aka rf termination). This has the interesting side effect that given nothing other than the physical coupling design inferred visually and some time with the victim and my network analyzer I can whip up a custom little SMD circuit board made completely out of passives that would be electrically indistinguishable from the victim.

Even better, if the RF freqs are low enough I can make a universal circuit board that would do DSP stuff in real time to feed it what it would like to hear.

It looks pretty easy to electronically spoof. Electrically spoofing retina patterns takes all kinds of weird optics, and electrically spoofing finger geometry takes all kinds of woodwork level work but all you'll need for this is "touch the gadget to your homemade bracelet/necklace instead of to your skin".

I would imagine this doesn't work very well. Decades of RF work by handheld radio RF guys (public safety handhelds, ham radio "HTs") shows that the RF characteristics of a human body vary wildly and seemingly randomly within a fairly narrow range. So it's pretty easy to make a hand held radio/antenna combination that always matches better than 3:1 SWR but impossible to make one that regularly matches better than 1.5:1 or whatever. This is partially because the body interacts with any nearby field, but also because most quarterwave antenna designs assume the radio and human are part of the groundplane of the antenna. In practice this means you can predict overall antenna system performance within about 6 dB or so, repeatedly, but forget about predicting more accurately than 3 dB or so. The relevance of hand held radio antenna matching to this story is I do not think you can store much more than 2 or 3 bits of "crypto key" data using this tech. I'll go way out on a limb and give them 7 bits of crypto key equivalent, so I could build 128 circuit boards and be more or less guaranteed that everyone reading this could be spoofed with one of the boards. It would be very much like having all passwords limited to 2 digits.

I give it 6 months before it is faked out. (0)

Anonymous Coward | about 2 years ago | (#40905123)

Like any other biometric measure, it can be faked.

Take a diuretic, become a different person (3, Informative)

hamjudo (64140) | about 2 years ago | (#40905143)

Electrical properties of living creatures are not really known for being stable, particularly among sick people, the intended users for this device. Good thing that the summary has so little to do with the paper, because the summary is pretty silly

Re:Take a diuretic, become a different person (1)

Turken (139591) | about 2 years ago | (#40905259)

That's what I was wondering too. Or what happens when someone has a significant weight loss or gain? Lots of geeks tend to have a good layer of natural insulation. Plenty of ways for the body's electrical signature to change.

I suppose it might be an incentive to get fit and stay fit, though. "Sorry, the fat (errr... electrical) signature of the person attempting to access this computer does not match our records. Go work out some more and try again next week."

Re:Take a diuretic, become a different person (1)

NFN_NLN (633283) | about 2 years ago | (#40905395)

Electrical properties of living creatures are not really known for being stable, particularly among sick people, the intended users for this device. Good thing that the summary has so little to do with the paper, because the summary is pretty silly

Umm.. yeah.. that is a feature of the device. If your signature deviates slightly it can tell you are getting sick and alerts your Doctor.
It's a feature.

Re:Take a diuretic, become a different person (0)

Anonymous Coward | about 2 years ago | (#40905997)

Obviously the researchers in Dartmouth haven't yet had the time to celebrate the acceptance of their paper in a local pub.

A misnomer and a possible mis-fire (1)

ThunderBird89 (1293256) | about 2 years ago | (#40905173)

Calling it Amulet while having the form factor of a watch is somewhat misleading, I was thinking how a necklace could possibly have a secure enough interface to the body to measure the required responses.

But that's the least of my worries. Body impedance can be dependent on quite a lot of things, such as hydration, and skin resistance, which is again dependent on many factors, such as the temperature, stress, etc. Could such a small device carry a sophisticated enough algorithm to reliably and quickly account for all these factors to establish the identity? Or would I need to wear the device for months so it can learn all my electrical characteristics? What if I gain implants later on: a pacemaker or artificial heart would significantly alter my impedance, likely requiring a re-calibration.

If these problems can be worked out, the technology has promise. If not, a coordinating watch for a personal area network still seems like a good idea, some way or another...

Re:A misnomer and a possible mis-fire (1)

gmuslera (3436) | about 2 years ago | (#40905463)

Probably calling it amulet would be pretty fitting, it would be pure luck if it manages to uniquely identify you in all possible situations.

Re:A misnomer and a possible mis-fire (0)

Anonymous Coward | about 2 years ago | (#40907139)

It would be better to wear it as a tiara. The solution then would be fabulous.

Re:A misnomer and a possible mis-fire (1)

TubeSteak (669689) | about 2 years ago | (#40907119)

Calling it Amulet while having the form factor of a watch is somewhat misleading, I was thinking how a necklace could possibly have a secure enough interface to the body to measure the required responses.

Obviously the best solution is to call it a "life clock crystal" and have it embedded in the palm of your right hand.
Unfortunately, the crystal has... side effects, the most onerous being sudden death on your 21st birthday.

we need original comments (2)

jehan60188 (2535020) | about 2 years ago | (#40905183)

Seriously, the first four comments are all about how easy this will be to fake out!
I'm going to make a comment about how awesome science is.
SCIENCE!

Re:we need original comments (2)

Antipater (2053064) | about 2 years ago | (#40905471)

A nuclear fission chain reaction? Using uranium? Ha! Good luck ever getting THAT to work!

Re:we need original comments (0)

Rei (128717) | about 2 years ago | (#40905541)

GRAMMAR!

Re:we need original comments (1)

Rei (128717) | about 2 years ago | (#40906871)

Modded down? Hmm, was it because there was no context?

Re:we need original comments (1)

John Holmes (2619159) | about 2 years ago | (#40906581)

Are you referring to the Higgs Bozo particle?

PKI Implications (1)

CommieLib (468883) | about 2 years ago | (#40905241)

Biometric is great, but it's only useful locally to the biometric hardware. Beyond that, all there is is ones and zeroes, whether they originated from a biometric sig or not. I suppose you could use these biometrics to generate a key pair...but then you have a problem both of non-repudiation (the actual bits of the private key are compromised...what can you do?) and unintentional repudiation (I'm pregnant, now I can't log into my bank account).

Are you gay? (0)

Anonymous Coward | about 2 years ago | (#40905281)

cover your eyes [go.com] , or they will find you...

Re:Are you gay? (1)

John Holmes (2619159) | about 2 years ago | (#40906595)

As in "happy"?

get your hands off me you damn dirty replicant! (1)

Thud457 (234763) | about 2 years ago | (#40909033)

What do gay people have against turtles [imdb.com] ?

might work better than you want it to (1)

slew (2918) | about 2 years ago | (#40905333)

If it's looking for bioelectrical signatures, it likely will have more trouble identifying you when you are dehydrated, drunk, high, out of breath (from running or experiencing a heart-attack), etc...

I'm sorry, but I'm afraid I can't let you do that right now because you are not Dave...

On the other hand, if you loosened the identification threshold so these kinds of variations didn't matter, there probably wouldn't be much entropy left in that identification scheme. Someone with a similar height and build would probably be easily mistaken for you.
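
Added example, not part of any comment in this thread: a small simulation of the trade-off raised in vlm's "7 bits" comment and in the comment just above, showing how a match threshold loose enough to tolerate day-to-day variation reduces the bits of key strength a biometric can offer. The Gaussian model and every parameter are constructed assumptions, not figures from the Amulet paper.

```python
"""Added illustration: measurement noise versus biometric key strength.

Constructed model, not data from the Amulet paper: each person has a fixed
impedance "template" at N_FREQS frequencies, and every reading adds
day-to-day noise (hydration, temperature, contact pressure).
"""
import math
import random

N_PEOPLE = 200        # constructed population size
N_FREQS = 8           # constructed number of measured frequencies
SIGMA_BETWEEN = 1.0   # spread of templates between different people


def simulate_distances(sigma_within, seed=1):
    """Return (genuine, impostor) lists of template-to-reading distances."""
    rng = random.Random(seed)
    templates = [[rng.gauss(0, SIGMA_BETWEEN) for _ in range(N_FREQS)]
                 for _ in range(N_PEOPLE)]

    def reading(template):
        # One noisy measurement of a person on a given day.
        return [x + rng.gauss(0, sigma_within) for x in template]

    genuine = [math.dist(t, reading(t)) for t in templates]
    impostor = [math.dist(templates[i], reading(templates[j]))
                for i in range(N_PEOPLE) for j in range(N_PEOPLE) if i != j]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """False reject rate and false accept rate at a distance threshold."""
    frr = sum(d > threshold for d in genuine) / len(genuine)
    far = sum(d <= threshold for d in impostor) / len(impostor)
    return frr, far


def threshold_for_frr(genuine, target_frr):
    """Tightest threshold that still accepts (1 - target_frr) of owners."""
    ranked = sorted(genuine)
    idx = math.ceil((1 - target_frr) * len(ranked)) - 1
    return ranked[min(max(idx, 0), len(ranked) - 1)]


def effective_bits(far):
    """Key-strength equivalent: a FAR of 1/128 behaves like a 7-bit secret."""
    return math.inf if far == 0 else -math.log2(far)


def sweep(sigma_within, target_frr=0.05):
    """Tune the threshold for usability, then report what security is left."""
    genuine, impostor = simulate_distances(sigma_within)
    threshold = threshold_for_frr(genuine, target_frr)
    frr, far = error_rates(genuine, impostor, threshold)
    return {"threshold": threshold, "frr": frr, "far": far,
            "bits": effective_bits(far)}


if __name__ == "__main__":
    print("noise  threshold   FRR     FAR      bits")
    for sigma_within in (0.2, 0.5, 1.0):
        r = sweep(sigma_within)
        print(f"{sigma_within:5.1f}  {r['threshold']:9.2f}  "
              f"{r['frr']:.3f}  {r['far']:.5f}  {r['bits']:.1f}")
```

A row showing infinite bits only means no false accept occurred among the simulated impostor pairs, so the estimate is limited by the sample size rather than being a real guarantee.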

Fundamental problem with biometrics... (2)

sinij (911942) | about 2 years ago | (#40905389)

Perhaps this is the next amazing biometric authentication technology that can accurately identify users without any false positives... This still doesn't change the problem that like all other biometric data it cannot be re-issued if ever compromised.

Re:Fundamental problem with biometrics... (1)

vlm (69642) | about 2 years ago | (#40905661)

if ever compromised

when, not if ever.

implications for Quantified Self? (0)

Anonymous Coward | about 2 years ago | (#40905551)

I wonder what are the implications for the Quantified Self movement (life loggers, self trackers, etc.)? Perhaps, this signature could be used as an anonymous biometric ID that could link together data from different tracking devices?

-------
I am trying to quantify and gamify my everyday life. Please follow my experiment at www.measuredme.com

YUO fAIL IT (-1)

Anonymous Coward | about 2 years ago | (#40905781)

Dartmouth College (1)

sam1am (753369) | about 2 years ago | (#40905837)

Just a small nitpick (the error is in the article too).. It's Dartmouth College, not Dartmouth University... ( Those that love Dartmouth will be quick to point this out.. It stems from http://en.wikipedia.org/wiki/Dartmouth_College_v._Woodward [wikipedia.org] )

Why is it (0)

Anonymous Coward | about 2 years ago | (#40906103)

that all cryptographers or other folks who make this sort of thing assume that everyone wants: 1 password, 1 username, 1 identification and the like? I figure that the people making these things are the people who are most keyed into technology, and are therefore incredibly cognisant of the need for multiple/anonymous identities. So, I would assume that folks doing research NOT DIRECTLY RELATED to squashing dissidence would sort of avoid a one ID system, right?

Side note. Cognisant is spelled right, regardless of what the little red squiggly line tells me.

Re:Why is it (1)

Eponymous Hero (2090636) | about 2 years ago | (#40906489)

in amerrrrrica we spell it with a z. excuse me, we spell it with a zed.

Re:Why is it (1)

John Holmes (2619159) | about 2 years ago | (#40906611)

Zed is ded.

Key Details missing. (0)

Anonymous Coward | about 2 years ago | (#40906369)

This device is not a Key Card for a Computer. This is a medical Device. I know this is a terrible faux pas but I read the article and more importantly the associated PDF about the "Amulet" http://www.cs.dartmouth.edu/~sorber/papers/sorber-amulet.pdf

To sum up the Amulet is a medical device that can measure certain medical data on its own but is really there to coordinate several devices and facilitate data transmission to a medical source. The Amulet has two means to verify it is on the correct person, the first is an active "Motion Password", move the Amulet in a predetermined fashion to unlock, and the second is the passive biometric check - which isn't given much detail. Once the correct user is determined it's assumed that the device remains unlocked till removed.

The Amulet is a replacement for Other mobile medical tracking devices because they can either be lost or in the case of a smart phone, hacked or borrowed to a friend.

So long story short this is a special purpose medical device not a general purpose Biometric Key that the Summary insinuates.

Life imitating TV (0)

Anonymous Coward | about 2 years ago | (#40906803)

"We are the Borg, and we will assimilate you!"...

Sure (1)

ThatsNotPudding (1045640) | about 2 years ago | (#40907331)

I'm sure it works great - until you rub a balloon on your head! One simple party trick and boom! You're locked out of everything!

Re:Sure (0)

Anonymous Coward | about 2 years ago | (#40907375)

Yes, and get a cold and you can't use your phone to call in sick to work.

or get a blister and get locked out of the data center by the fingerprint scanner.

After a bender (0)

Anonymous Coward | about 2 years ago | (#40907349)

How does my electrical signature change when I'm hung over?

home automation (1)

kharchenko (303729) | about 2 years ago | (#40908661)

I was just thinking about this the other day! This would be great for these modern bathroom scales to id the user - the impedance measure only needs enough accuracy to distinguish between the family members whose weight is close enough. They already measure impedance for body fat anyhow.
But I also wondered how much your signatures would change if you, let's say, drank a bottle of beer, or ate something salty.

District 9 (1)

gznork26 (1195943) | about 2 years ago | (#40908957)

So that's how the alien weaponry in District 9 worked. Alien physiology would be significantly different from human, and the guns could only be used when one of those aliens held it.

chemistry, biology & electro-magnetics (2)

jago25_98 (566531) | about 2 years ago | (#40909293)

The interaction between chemistry, biology & electro-magnetics is fascinating for me.

In the Anglophone world we have books like "The Body Electric". In Chinese and Russian there's much, much more. There's a sense we're building on 100s of years of science (I use that term in a definition you may not agree with).

I was able to alter my bioimpedance using my mind in a test at the science museum in London. I'd like to know if it was just me passing harder on the contacts or sweating a bit more...

Where can I read more on this subject?
