Data Sniffing is Threatening Your Personal IoT. Here’s a Workaround

May 14, 2019

By William J. Tomlinson, Ph.D., Senior Member of the Technical Staff at Draper

The human body is becoming a node in the Internet of Things, and that may be creating more of a security threat than most people imagine. The problem goes beyond hackable passwords. Scientists say wearable technologies that rely on over-the-air data sharing could be giving away more personal data than previously suspected.

In the security field, we call it malicious eavesdropping, and it’s a potential problem for more people as they adopt wearable devices. From body-worn sensors to actively controlling smartphones via touch inputs, humans continuously communicate large amounts of personal data with the outside world.

The technology already exists for such eavesdropping. An attacker can simply make use of readily available methods, like an open source data sniffer, to steal data without authorization by detecting the signals broadcast wirelessly from commercial and wearable medical devices.

The capture of personal data isn’t new. Recent news reports describe a breach that occurred when a fitness tracker worn by soldiers in training revealed location patterns of security forces working out at military bases in remote locations. Wearables ranging from smartwatches to Google Glass have been data sniffed as well.

To address this challenge, engineers from several organizations, including Draper, developed a new kind of secure transmission channel that uses the human body as a waveguide. The system leverages an intra-body communication (IBC) technique called galvanic coupling (GC), which is the coupling of low-level electric currents inside the human body, enabling wireless signal transmission through any region of the body to a receiver (via contact), such as a smartphone.

Our method of IBC can propagate information on and below the skin surface, into inner tissue layers with higher levels of conductivity. In our prototype, galvanic coupling offers moderate transmission distances and a lower data rate compared to other methods but can safely operate with relatively high limits within the human body. Its true advantages are low attenuation and full confinement of signals inside the human body, offering more security and interference-free communication.

Most importantly, we found that our prototype drastically reduced over-the-air leakage and adversarial detection of signals, making the transmission of biometric data impervious to sniffing attacks while still maintaining transmit power levels deemed safe for human operation. Ultimately, GC-signals are confined within the body and cannot be intercepted unless the user is in direct contact with the medium.

A key attribute of the system is its capability to secure data transmission for biological signals that have potential use for biometric authentication systems. Specifically, our prototype consists of a microcontroller unit (MCU) with supporting analog front-end hardware for signal modulation and detection. The transmitter MCU is configured to transmit with a biometric signature unique to the individual (in our scenario, the electrocardiogram signal). Other signatures might include, but are not limited to, electromyogram (EMG) signals, bio-impedance and galvanic skin response (electrodermal activity).

The adoption of biophysical signals, to either supplement or act as a stand-alone solution, as opposed to current antiquated authentication systems, lies at the cutting edge of biometric research for medical and commercial applications.

In the commercial space, there are wearable authenticators designed to work with other devices (desktop computers, doors, etc.) and perform authentication based on proximity to the locked device. Think of a fitness device or other wearable band that employs a biological signal as a biometric. Once a user is authenticated, the system will use wireless channels, such as Bluetooth Low Energy and NFC, to pair with devices running the supported application.

Wearables are also being developed that use a person’s behavior for authentication. Whether it’s something like a fingerprint scanner, a heartbeat sensor or an accelerometer measuring your gait, biometrics attempts to measure aspects of what you are, and those can be used for authentication. Devices in the fitness category can do this sort of measurement and are already gaining popularity. Combining biometrics with existing authentication factors can result in a very secure system that is nearly impossible to fool.

Recently, alternative IBC solutions have been employed to perform similar operations. However, as we have demonstrated within our work, those signals are still susceptible to outside and environmental influence.

We describe our new biometric authentication system in a paper titled “Secure On-skin Biometric Signal Transmission using Galvanic Coupling.” Our team, which includes engineers from Draper, Federal University of Parana and Northeastern University, presented our system at IEEE INFOCOM 2019 in Paris, France.

Funding for development of this technology was provided by the U.S. National Science Foundation under Grant No. CNS-1740907.

About the Author

William J. Tomlinson, Ph.D., is a Senior Member of the Technical Staff at Draper. He works in the radio frequency and communications systems group at Draper, and his primary interests are centered around developing hardware and software systems for wireless communication, spanning into applications such as Intra-Body Communication/Networks, Software Defined Radios, Wireless Energy Harvesting, Structural Health Monitoring and the Internet of Things. William Tomlinson can be reached online at and at our company website
