Attacks on Heartbeat-Based Security Using Remote Photoplethysmography

The time interval between consecutive heartbeats (interpulse interval, IPI) has previously been suggested for securing mobile-health solutions. This time interval is known to contain a degree of randomness, permitting the generation of a time- and person-specific identifier. It is commonly assumed that only devices trusted by a person can make physical contact with him/her, and that this physical contact allows each device to generate a similar identifier based on its own cardiac recordings. Under these conditions, the identifiers generated by different trusted devices can facilitate secure authentication. Recently, a wide range of techniques have been proposed for measuring heartbeats remotely, a prominent example of which is remote photoplethysmography (rPPG). These techniques may pose a significant threat to heartbeat-based security, as an adversary may pretend to be a trusted device by generating a similar identifier without physical contact, thus bypassing one of the core security conditions. In this paper, we assess the feasibility of such remote attacks using state-of-the-art rPPG methods. Our evaluation shows that rPPG has accuracy similar to that of contact PPG and, thus, forms a substantial threat to heartbeat-based security systems that permit trusted devices to obtain their identifiers from contact PPG recordings. Conversely, rPPG cannot obtain an accurate representation of an identifier generated from electrical cardiac signals, making the latter invulnerable to state-of-the-art remote attacks.
