True man-in-the-middle: Transmitting logins through the human body

Computer science researchers at the University of Washington are developing a technology to securely send data through the human body rather than wires or the air.

Passwords sent over insecure networks are liable to sniffing. This well-understood problem is most easily mitigated against using VPN technology but now security academics have taken a left-field approach to the same problem which also guards against the risk of vulnerabilities in custom radio protocols for wearables and implantables.

The technology would work in conjunction with fingerprint sensors in the latest generation of smartphones.

One use cited is opening a door fitted with an electronic smart lock. A user would touch the doorknob and the fingerprint sensor on their smartphone at the same time, with their credentials been transmitted through their body rather than over the air.

The technology is not restricted by body type or posture, as a research paper by the researchers (abstract below) explains:

We show for the first time that commodity devices can be used to generate wireless data transmissions that are confined to the human body. Specifically, we show that commodity input devices such as fingerprint sensors and touchpads can be used to transmit information to only wireless receivers that are in contact with the body.

We characterize the propagation of the resulting transmissions across the whole body and run experiments with ten subjects to demonstrate that our approach generalizes across different body types and postures. We also evaluate our communication system in the presence of interference from other wearable devices such as smartwatches and nearby metallic surfaces. Finally, by modulating the operations of these input devices, we demonstrate bit rates of up to 50 bits per second over the human body.

The approach works because fingerprint sensors “produce characteristic electromagnetic signals at frequencies below 10 MHz” that propagate well through the human body.

The researchers ran tests using iPhone 5s and iPhone 6s fingerprint sensors, the Verifi P5100 USB fingerprint scanner, and both Lenovo T440s and Adafruit touch pads. Interference from wearable or metallic objects a users might have about them (such as watches) wasn’t a problem. The data transmission rate achieved of just 25 bits per second, or “less than a quarter the speed of a 1950s modem”, as security blogger Bill Camarda notes, might well be a limitation though.

“It’s a long way from a university research lab to your body, but if this proves out, multiple applications are possible,” Camarda adds in a post on the Sophos Naked Security blog.

“Instead of manually typing in a secret serial number or password for wirelessly pairing medical devices such as glucose or blood pressure monitors with smartphones, a smartphone could directly transmit arbitrary secret keys through the human body.

Of course, having your body as the transmission medium brings a whole new set of security concerns about man-in-the-middle attacks,” he concludes. ®