Heartwave Biometric

Here's a new biometric I know nothing about:

The wristband relies on authenticating identity by matching the overall shape of the user's heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods -- like fingerprint scanning and iris-/facial-recognition tech -- the system doesn't require the user to authenticate every time they want to unlock something. Because it's a wearable device, the system sustains authentication so long as the wearer keeps the wristband on.

EDITED TO ADD (12/13): A more technical explanation.

Posted on December 5, 2013 at 1:16 PM • 29 Comments

Comments

Wolfgang • December 5, 2013 2:20 PM

Interesting. But wouldn't it be possible to record the heart wave, and then play the recorded wave in an endless loop? How would this system detect/prevent such a replay-attack?

bcs • December 5, 2013 2:22 PM

Don't use this to secure your cell phone or you will never be able to call 911 during a heart attack.

Bill Stewart • December 5, 2013 3:02 PM

Biometric sensor handcuffed to your wrist? That might count, I suppose.

Biometric sensor that's easily removed from your wrist, like one of those Fitbit things? Don't shake hands with Penn Jillette, and by the way that guy Rudy who asked you where Penn was was actually Teller in disguise, and you're now wearing an extra wrist band, or a different one, or you've now got a set of Bluetooth Low Energy cufflinks.

It's possible that they've done some adequate cryptography here, and that you could use it for security applications, but I suspect it's too easy to spoof some part of the system; I'm actually more interested in the concept of a wristband that's got all that sensor capability to use for health monitoring.

Nick P • December 5, 2013 4:29 PM

I remember Clancy's Rainbow Six had the heartbeat sensors for spec ops. I figured the book would inspire research leading to all sorts of similar tech. Not seeing much as I expected but a few interesting things popped up.

kashmarek • December 5, 2013 5:39 PM

F.U.D.

Bruce usually quickly recognizes bad cryptography, so did he miss on this thing? Nah, he's just testing us. Oh, wait, it's not cryptography, but it is bad.

Ian Mason • December 5, 2013 6:05 PM

I'm surprised not to already read a long list of what's wrong with this.

Basically there is a whole host of things that will alter aspects of your heart wave. The list includes diseases (trivial and serious), a whole slew of drugs (many anti-histamines for instance), components in everyday foods and beverages and everyday physiological phenomena (altitude is an immediately obvious one). If the algorithm is flexible enough to exclude these variations from giving a false negative then it's too permissive to be capable of being selective enough to be a useful biometric.

Christopher • December 5, 2013 6:10 PM

If it retains state for a day why couldn't you just steal it? How is it different from a simple token generator?

Dirk Praet • December 5, 2013 7:24 PM

@ Ian Mason

I suppose this is also going to be a bit of a problem for internet pr0n addicts, especially when enjoying some lines of Colombian marching powder during their favorite activity.

Wael • December 5, 2013 7:39 PM

The wristband relies on authenticating identity by matching the overall shape of the user's heartwave (captured via an electrocardiogram sensor)
Sounds secure, until someone is able to remotely collect the biometrics from the sensors. May need to have this device "shielded" and "air-gapped", and in the extreme case also "vacuum-gapped", just in case it has "bad-Firmware"... I think this is a useless form of authentication; besides, it may reveal too much about your health. Can you imagine logging in to a health insurance site that immediately denies you insurance just because you "logged-in"??? Then again, you can login, and get an EKG in one shot. Or you could log in, and instead of the system telling you access denied, it would tell you to take an aspirin. Oh! Almost forgot, the warranty on the device is void if you have a heart attack, and you get zapped in the chest with one of them AEDs (Automated External Defibrillators)...

@Enrico

If I recall correctly after you have a heart attack your heartwave changes
Yea... If you make it! Still changes if you don't make it, but you wouldn't be able to login anyway.

@Brian

What do you do if your heart rhythm is unstable and somewhat random?
Then you're doubly screwed ;)

Figureitout • December 5, 2013 10:01 PM

It doesn’t just depend on just the Bluetooth standard which has some weaknesses.
--Bluetooth! (shakes fist) That's all I had to see...Plus, where is the crypto chip being fabbed where they can definitely say it's not already subverted.

when.sly.calls • December 5, 2013 11:08 PM

@Figureitout "Plus, where is the crypto chip being fabbed where they can definitely say it's not already subverted."

That's a good point about special-purpose crypto chips.

Perhaps there is less exposure for general-purpose chips such as FPGA's, where being able to subvert the chip would depend to some extent on knowing the intended application.

Which brings up a low-tech attack possibility. Secure document disposal services may be a front for NSA surveillance.

Clive Robinson • December 6, 2013 3:16 AM

@ Nick P,

    I remember Clancy's Rainbow Six had the heartbeat sensors for spec ops. I figured the book would inspire research leading to all sorts of similar tech. Not seeing much as I expected but a few interesting things popped up.

I remember it well because Tom Clancy's novel came out when a friend was in the middle of their PhD researching into almost exactly that sort of technology, and they were well peeved...

It was not the first time Tom Clancy's books upset people; there was his ideas on C13 which was cited as "prior art" which killed the patent of a fairly major US defence related corp. They even tried to claim they had "stolen" the idea from them because of Tom's well known contact with defence industry techs/specialists when doing his book research.

The reason "heartwave" tech never really took off was it was a very expensive, specialised and limited technology looking to find a broad market that would support the initial market launch costs... The problem was all the applicable broad markets had cheaper and more effective tech available already. For example the detection of illegal immigrants and fugitives etc. hiding in shipping containers and other enclosed shipping spaces in lorries and vehicles is done much more effectively and cheaply by a simple and pocket portable Gas Analyser that picks up the byproducts of respiration, sweating and other biological processes. Such analysers are, all costs considered, a lot cheaper to use than even dogs.

Apart from very niche areas, radiant heartwave tech is only going to go anywhere if it's "Government Mandated"; we have already seen this with the likes of millimetric and reflective body scanners where government funding has provided sufficient money to make R&D to production costs viable.

BP • December 6, 2013 8:32 AM

I don't see a great paradigm shift here, except in how it's implemented and for what. Back in the 70s when I was a distance runner, there were already heart monitors to measure heartbeat. This just takes that kind of data a little further with the power of silicon.

vas pup • December 6, 2013 9:10 AM

@Karl Martin link provided:
"Privacy by Design standards developed by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. Privacy by Design is the intentional planning of a product in such a way that privacy controls become integral to the design of the technology. The Nymi has been engineered to ensure that it's both secure and privacy-protected from end-to-end, without requiring any action on behalf of its owner."

Bruce,
Are there any similar Privacy by Design standards in US either developed and enforced by government (e.g. NIST) or by self-regulation (tech business)?

Karl,
Did you ever think to apply your algorithm to EEG, i.e. identification of the person by template generated out of brain activity unique core pattern?

Nick P • December 6, 2013 9:59 AM

@ Karl Martin

Interesting paper. My main concern is this:

"An AAD is a smartphone, tablet, or computer, which has the official Nymi companion app installed. Current compatible AAD's include Android and iOS devices, as well as Mac and Windows computers. The AAD allows the user to both enroll and to authenticate."

"As with enrollment, authentication is performed by capturing the user's ECG on their Nymi and transmitting it to their AAD. The live ECG sample is matched in real-time against the biometric template. If a confident match is achieved within the maximum allowed wait period, then the user is authenticated and the Nymi becomes activated."

So, the security of the device seems to come down to the security of the AAD. Compromise the smartphone, compromise the biometric. Smartphones are being hacked plenty these days. Solutions that don't depend on a smartphone for security are already safer before the biometric is even considered.

Re patent

The patent was 2010. The work nymi is based on has papers going back to at least 2006 focusing on ECG's and biometrics. I think the prior art argument would be easy to make.

Firefox • December 6, 2013 10:00 AM

What's special about "the overall shape of the user's heartwave"? Given the potential variations already mentioned above, is one person's "heartwave" significantly distinguishable from another's? Is there any evidence for the uniqueness of the "unique patterns" claimed by Bionym?

Aspie • December 6, 2013 10:08 AM

All this stems from the perceived inconvenience of having to enter passwords.

If a password entry point has two valids - one real and one duress, both enable access but the second triggers a silent notification to the accessed system - I see no reason to switch to other methods of authentication except that they offer more path weaknesses.

I remember in the '90s working in the financial sector there was buzz about RSA's SecurID system. Just like this, that proved to be a lot of hype that fooled the majority and offered even less security in exchange for the illusion of more.

@Figureitout - put your fist away mate (though I agree) - bluetooth was compromised early on and it's never got any better AFAIK.

Aspie • December 6, 2013 10:14 AM

I should have added: some online banks requiring password entry ask for specific keys in certain positions in the password.

Thus if you have someone eavesdropping they won't learn the entire password in a single session and will have to wait for all the keys to be entered before they can allow access - presumably over many sessions.

Given that this actually *shortens* the password but does not give continued access, what level of security improvement does this provide?

Discuss.
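The partial-password question above can be put to a concrete calculation. What follows is an added Python example, not from the post or any commenter, that simulates the position-challenge scheme as described: the server asks for k of the password's characters each session, an eavesdropper records every session, and the script measures how much smaller a single challenge's guess space is than the full password, how likely a fresh challenge is to be fully covered by what the eavesdropper has already seen, and how many sessions it takes on average to see every position. The password, the alphabet size and the challenge size are constructed values chosen for the illustration.

```python
import math
import random
from math import comb

# Constructed sample values for the example (assumptions, not from the post)
PASSWORD = "tr0ub4dor&3"       # 11 characters
ALPHABET_SIZE = 62             # a-z, A-Z, 0-9 assumed for the entropy estimate
POSITIONS_PER_CHALLENGE = 3    # characters demanded per login session


def issue_challenge(length, k, rng):
    """Server side: pick k distinct 0-based positions the user must reveal."""
    return tuple(sorted(rng.sample(range(length), k)))


def verify_response(password, positions, response):
    """Server side: accept only if every revealed character matches its position."""
    if len(response) != len(positions):
        return False
    return all(password[p] == c for p, c in zip(positions, response))


def guess_space_bits(length, k, alphabet):
    """Bits an online guesser must cover for one challenge vs. the whole password."""
    return k * math.log2(alphabet), length * math.log2(alphabet)


def coverage_probability(seen, length, k):
    """Chance a fresh challenge asks only for positions the eavesdropper already knows."""
    if seen < k:
        return 0.0
    return comb(seen, k) / comb(length, k)


def sessions_to_recover(length, k, rng):
    """Eavesdropper: watch sessions until every position has been revealed at least once."""
    seen = set()
    sessions = 0
    while len(seen) < length:
        seen.update(issue_challenge(length, k, rng))
        sessions += 1
    return sessions


def expected_sessions(length, k, trials=2000, seed=1):
    """Monte Carlo estimate of the eavesdropper's cost; seeded so the run is repeatable."""
    rng = random.Random(seed)
    return sum(sessions_to_recover(length, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    rng = random.Random(7)
    pos = issue_challenge(len(PASSWORD), POSITIONS_PER_CHALLENGE, rng)
    answer = "".join(PASSWORD[p] for p in pos)
    print("challenge", pos, "accepted:", verify_response(PASSWORD, pos, answer))
    one, full = guess_space_bits(len(PASSWORD), POSITIONS_PER_CHALLENGE, ALPHABET_SIZE)
    print(f"guess space per challenge: {one:.1f} bits vs {full:.1f} bits for the full password")
    for seen in (3, 6, 9, 11):
        p = coverage_probability(seen, len(PASSWORD), POSITIONS_PER_CHALLENGE)
        print(f"after seeing {seen} positions, P(next challenge fully known) = {p:.2f}")
    print("mean sessions for an eavesdropper to learn every position:",
          expected_sessions(len(PASSWORD), POSITIONS_PER_CHALLENGE))
```

The two numbers to compare are the per-challenge guess space (three characters from a 62-symbol alphabet is under 18 bits, so an online guesser facing a single challenge needs a lockout policy to be stopped) and the eavesdropper's cost (a handful of observed sessions before most fresh challenges are answerable from notes). The scheme buys resistance to a single shoulder-surf, not to a persistent observer, which is the trade-off the question asks about.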

Adam • December 7, 2013 4:54 PM

My initial concern was with the use of bluetooth, looks like I was at least somewhat correct in that others had the same concerns.

What was the C13 issue with Clancy's books? I did know that he blew the cover of the company Qual-A-Tec when he name-dropped the company CEO Mickey Finn in The Cardinal of the Kremlin. That was always something that bothered me about Clancy books: he included enough details like that for people to think they were truly realistic when they really aren't.

Clive Robinson • December 7, 2013 5:43 PM

@ Adam,

C13 has a significant detrimental effect on heat transfer in optical grade diamonds. Make a diamond with only C12 and you have a rather useful device when it comes to the likes of high power lasers etc.

Tom Clancy got one of his books checked for technical accuracy by a scientific maverick who suggested to Tom he make changes in his manuscript to reflect his ideas on the C13 issue. Tom did, and when GE announced it had made such a diamond it did not give credit to the maverick. A journalist however bought up the Clancy book and GE's dirty little secret came out, and Tom Clancy kind of likened a GE director to a person who molests their children... such statements make things stick in your mind for over 20 years.

Needless to say it all got messy, you can read more at,

http://articles.chicagotribune.com/1991-07-09/...

I can't remember the final outcome and it's too late to ask at least one of the protagonists.

Dimitris Andrakakis • December 9, 2013 2:11 AM

@Scared yes, and with an impressive 90% success rate !

Of course, the other 10% also got a mortgage :-)

Axslinger • December 9, 2013 3:14 AM

Not a big fan of biometrics but surprised how many people have read "shape of heart wave" as "rate of heart beat".

To me, the shape of the heart wave would suggest not the frequency of the heart beat but a rough "signature" of how the user's heart rhythm was articulated. I'm no physician but I would think that would "scale", if you will, along with lower and higher rates of beating.

I'd also be curious to know how it would handle someone suffering from arrhythmia, however.

Additionally, I'd be curious how long such a device would be useful. Over time, I would imagine various changes to cardiovascular efficiency would change the wearer's heart wave shape. E.g. partial or complete arterial blockage or conversely, heavy athletic training. Makes me wonder if the device would stop authenticating you at some point as your cardio condition greatly deteriorated or improved.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..