Attacks on heartbeat-based security using remote photoplethysmography

Robert Mark Seepers, Wenjin Wang, Gerard de Haan, Ioannis Sourdis, Christos Strydis

Research output: Contribution to journal › Article › Academic › peer-review

3 Citations (Scopus)
189 Downloads (Pure)

Abstract

The time interval between consecutive heartbeats (interpulse interval, IPI) has previously been suggested for securing mobile-health solutions. This time interval is known to contain a degree of randomness, permitting the generation of a time- and person-specific identifier. It is commonly assumed that only devices trusted by a person can make physical contact with him/her, and that this physical contact allows each device to generate a similar identifier based on its own cardiac recordings. Under these conditions, the identifiers generated by different trusted devices can facilitate secure authentication. Recently, a wide range of techniques have been proposed for measuring heartbeats remotely, a prominent example of which is remote photoplethysmography (rPPG). These techniques may pose a significant threat to heartbeat-based security, as an adversary may pretend to be a trusted device by generating a similar identifier without physical contact, thus bypassing one of the core security conditions. In this paper, we assess the feasibility of such remote attacks using state-of-the-art rPPG methods. Our evaluation shows that rPPG has similar accuracy as contact PPG and, thus, forms a substantial threat to heartbeat-based-security systems that permit trusted devices to obtain their identifiers from contact PPG recordings. Conversely, rPPG cannot obtain an accurate representation of an identifier generated from electrical cardiac signals, making the latter invulnerable to state-of-the-art remote attacks.

Original language: English
Pages (from-to): 714-721
Number of pages: 8
Journal: IEEE Journal of Biomedical and Health Informatics
Volume: 22
Issue number: 3
Early online date: Apr 2017
DOI: 10.1109/JBHI.2017.2691282
Publication status: Published - 1 May 2018

Fingerprint

Photoplethysmography
Equipment and Supplies
Security systems
Authentication
Telemedicine

Keywords

  • Authentication
  • Biometrics (access control)
  • Photoplethysmography
  • Remote monitoring
  • Robert Seepers
  • side-channel attacks
  • with kind regards

Cite this

Seepers, Robert Mark ; Wang, Wenjin ; de Haan, Gerard ; Sourdis, Ioannis ; Strydis, Christos. / Attacks on heartbeat-based security using remote photoplethysmography. In: IEEE Journal of Biomedical and Health Informatics. 2018 ; Vol. 22, No. 3. pp. 714-721.
@article{946f39732327463fb499f3f8b0e67547,
title = "Attacks on heartbeat-based security using remote photoplethysmography",
abstract = "The time interval between consecutive heartbeats (interpulse interval, IPI) has previously been suggested for securing mobile-health solutions. This time interval is known to contain a degree of randomness, permitting the generation of a time- and person-specific identifier. It is commonly assumed that only devices trusted by a person can make physical contact with him/her, and that this physical contact allows each device to generate a similar identifier based on its own cardiac recordings. Under these conditions, the identifiers generated by different trusted devices can facilitate secure authentication. Recently, a wide range of techniques have been proposed for measuring heartbeats remotely, a prominent example of which is remote photoplethysmography (rPPG). These techniques may pose a significant threat to heartbeat-based security, as an adversary may pretend to be a trusted device by generating a similar identifier without physical contact, thus bypassing one of the core security conditions. In this paper, we assess the feasibility of such remote attacks using state-of-the-art rPPG methods. Our evaluation shows that rPPG has similar accuracy as contact PPG and, thus, forms a substantial threat to heartbeat-based-security systems that permit trusted devices to obtain their identifiers from contact PPG recordings. Conversely, rPPG cannot obtain an accurate representation of an identifier generated from electrical cardiac signals, making the latter invulnerable to state-of-the-art remote attacks.",
keywords = "Authentication, Biometrics (access control), Photoplethysmography, Remote monitoring, Robert Seepers, side-channel attacks, with kind regards",
author = "Seepers, {Robert Mark} and Wenjin Wang and {de Haan}, Gerard and Ioannis Sourdis and Christos Strydis",
year = "2018",
month = "5",
day = "1",
doi = "10.1109/JBHI.2017.2691282",
language = "English",
volume = "22",
pages = "714--721",
journal = "IEEE Journal of Biomedical and Health Informatics",
issn = "2168-2194",
publisher = "Institute of Electrical and Electronics Engineers",
number = "3",

}

Attacks on heartbeat-based security using remote photoplethysmography. / Seepers, Robert Mark; Wang, Wenjin; de Haan, Gerard; Sourdis, Ioannis; Strydis, Christos.

In: IEEE Journal of Biomedical and Health Informatics, Vol. 22, No. 3, 01.05.2018, p. 714-721.

TY - JOUR

T1 - Attacks on heartbeat-based security using remote photoplethysmography

AU - Seepers, Robert Mark

AU - Wang, Wenjin

AU - de Haan, Gerard

AU - Sourdis, Ioannis

AU - Strydis, Christos

PY - 2018/5/1

Y1 - 2018/5/1

N2 - The time interval between consecutive heartbeats (interpulse interval, IPI) has previously been suggested for securing mobile-health solutions. This time interval is known to contain a degree of randomness, permitting the generation of a time- and person-specific identifier. It is commonly assumed that only devices trusted by a person can make physical contact with him/her, and that this physical contact allows each device to generate a similar identifier based on its own cardiac recordings. Under these conditions, the identifiers generated by different trusted devices can facilitate secure authentication. Recently, a wide range of techniques have been proposed for measuring heartbeats remotely, a prominent example of which is remote photoplethysmography (rPPG). These techniques may pose a significant threat to heartbeat-based security, as an adversary may pretend to be a trusted device by generating a similar identifier without physical contact, thus bypassing one of the core security conditions. In this paper, we assess the feasibility of such remote attacks using state-of-the-art rPPG methods. Our evaluation shows that rPPG has similar accuracy as contact PPG and, thus, forms a substantial threat to heartbeat-based-security systems that permit trusted devices to obtain their identifiers from contact PPG recordings. Conversely, rPPG cannot obtain an accurate representation of an identifier generated from electrical cardiac signals, making the latter invulnerable to state-of-the-art remote attacks.

KW - Authentication

KW - Biometrics (access control)

KW - Photoplethysmography

KW - Remote monitoring

KW - Robert Seepers

KW - side-channel attacks

KW - with kind regards

UR - http://www.scopus.com/inward/record.url?scp=85045322093&partnerID=8YFLogxK

U2 - 10.1109/JBHI.2017.2691282

DO - 10.1109/JBHI.2017.2691282

M3 - Article

C2 - 28391214

AN - SCOPUS:85045322093

VL - 22

SP - 714

EP - 721

JO - IEEE Journal of Biomedical and Health Informatics

JF - IEEE Journal of Biomedical and Health Informatics

SN - 2168-2194

IS - 3

ER -