True man-in-the-middle: Transmitting logins through the human body

Computer science researchers at the University of Washington are developing a technology to securely send data through the human body rather than wires or the air. Passwords sent over insecure networks are liable to sniffing. This well-understood problem is most easily mitigated against using VPN technology but now security …

  1. Anonymous Coward

    You mean

    So that once my unchangeable biometrics are stolen, even more stuff will get compromised?

    1. Arthur the cat Silver badge

      Re: You mean

      my unchangeable biometrics

      Agreed. Biometrics may be identification you're never without but it's a bugger changing them, unless you're in a Tom Cruise movie.

      1. Blain Hamon

        Re: You mean

        Odd. I read the article to say that, instead of using biometrics, it's using the body as a network cable of sorts, the signal going through the body instead of through air to reduce sniffing. The fingerprint scanner portion is that it just happens to be common enough to touch and act as a transmitter, but this isn't actually using the scanning of fingerprints to communicate.

        In which case, biometrics don't play a part in this, unless that includes 'is currently touching two things at the same time.'

  2. Version 1.0 Silver badge

    Just go slowly

    Build a small device that transmits the key at about 85Hz when the owner's fingerprint is detected - the owner holds it in their hand and the LF signal goes through the body attenuated to a few millivolts at the sensor surface. Easy to pick up at the door sensor, very hard to sniff. Why 85Hz - it avoids AC line interference and doesn't radiate much.

    1. Version 1.0 Silver badge

      Re: Just go slowly

      After some more thought - you could power this by scavenging, it would need much power at all. It could be a simple implant that only transmitted its key when the lock requested it - even more secure.

  3. frank ly

    Is it a good idea?

    "A user would touch the doorknob and the fingerprint sensor on their smartphone at the same time, with their credentials being transmitted through their body rather than over the air."

    "The data transmission rate achieved of just 25 bits per second ..."

    How long would it take to send a reasonably secure 'key' and how many people would drop their phone before it was complete?

    Wouldn't it be easier and more secure to fit a fingerprint sensor on the door instead of relying on possibly corruptible smartphones that need to be managed and maintained?

    1. Cuddles

      Re: Is it a good idea?

      "Wouldn't it be easier and more secure to fit a fingerprint sensor on the door instead of relying on possibly corruptible smartphones that need to be managed and maintained?"

      Easier, sure, as far as the end user is concerned at least. But secure? No, the exact opposite. Biometrics are largely useless for security because they can't be changed; once your password has been compromised once you can never use that finger again for the rest of your life. A smartphone might be hackable, but it's also easy to fix and/or replace if that happens. It's the same as with most things - the more convenient you make it for the user, the less secure it becomes.

      "How long would it take to send a reasonably secure 'key' and how many people would drop their phone before it was complete?"

      That was already addressed in the article. This was simply a proof of concept demonstration using hardware that was never designed for this use. Obviously the first ever horribly non-optimal prototype is not the same setup as would be used several years down the line in commercial applications. You might as well complain that the internet is useless because the first ever telegram transmission had a low bitrate. In any case, 25 b/s still gives only 10 seconds to transmit a 256 bit key. Inconveniently long to wait for a door to open, but most people manage to hold their phones for significantly longer periods than that.

      1. bombastic bob Silver badge
        Devil

        Re: Is it a good idea?

        "In any case, 25 b/s still gives only 10 seconds to transmit a 256 bit key."

        if you use ONLY ONE frequency to send with, perhaps [I'm guessing they're not using multiple frequencies already]. If we're going to compare to old modems, let's start by sending 'multiple FSK frequency tones' simultaneously. You know, like touch tone phones and old modems. Later we can apply Hedy Lamarr's method (spread spectrum), or graduate to full-blown multi-path Q.A.M. (with error correction so you can increase the data rate) to speed it up even further.

        just don't chip my head/hands, I don't want the 666. ha ha ha ha ha.

  4. Christian Berger

    Actually there is a way to make this OK

    First of all Sun has already done this in the 1990s:

    http://www.javaworld.com/article/2076641/learn-java/an-introduction-to-the-java-ring.html

    What you can do to actually make this moderately secure is to have a public key authentication scheme. Just have a private key on the device near your body and the public key wherever you want to authorize. This works great for ssh and would eliminate passwords in the browser once browser manufacturers would get off their asses and make TLS client authentication usable.
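
The public key scheme suggested in the comment above, as an added example that is not part of the original comment: a lock that holds only a public key issues a one-time challenge and the worn device signs it. Ed25519, the 16-byte nonce and the names `Lock`, `Enroll`, `Respond` and `AirTime` are assumptions of this sketch; the 25 bits per second rate is the figure quoted from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const BitsPerSecond = 25.0 // through-body data rate quoted in this thread

// Lock stores only the public key, so reading it out of the lock gains nothing.
type Lock struct {
	Pub       ed25519.PublicKey
	challenge []byte
}

// Enroll makes the key pair: public half to the lock, private half to the worn device.
func Enroll() (*Lock, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Lock{Pub: pub}, priv, err
}

// NewChallenge issues a fresh 128-bit nonce (the size is an assumption of this sketch).
func (l *Lock) NewChallenge() ([]byte, error) {
	l.challenge = make([]byte, 16)
	_, err := rand.Read(l.challenge)
	return l.challenge, err
}

// Verify checks a signature over the outstanding challenge, which is then discarded.
func (l *Lock) Verify(sig []byte) bool {
	ok := l.challenge != nil && ed25519.Verify(l.Pub, l.challenge, sig)
	l.challenge = nil // single use: a recorded response cannot be replayed
	return ok
}

// Respond runs on the device; only the signature crosses the channel, never the key.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// AirTime is the seconds needed to send n bytes at BitsPerSecond.
func AirTime(n int) float64 { return float64(n*8) / BitsPerSecond }

func main() {
	lock, priv, _ := Enroll()
	c, _ := lock.NewChallenge()
	sig := Respond(priv, c)
	fmt.Println(lock.Verify(sig), lock.Verify(sig), AirTime(len(c)), AirTime(len(sig)))
}
```

At the quoted rate the 16-byte challenge takes 5.12 s and the 64-byte signature 20.48 s, and a sniffed exchange is useless against the next challenge.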

    1. Adrian 4

      Re: Actually there is a way to make this OK

      And Microsoft already patented it :

      https://www.theguardian.com/science/2004/jul/06/sciencenews.microsoft

      1. Uffish
        Facepalm

        Prior Art

        If you push down the telescopic antenna on a portable FM radio you may well find that it goes silent because of insufficient received signal level. Touch the antenna however and the program comes back. That's a full stereo signal at around 100 MHz mind you, not a couple of dozen bits per second.

        I have also noted, with much discomfort, that the human body can conduct signals at 50Hz.

        1. bombastic bob Silver badge
          Joke

          Re: Prior Art

          "I have also noted, with much discomfort, that the human body can conduct signals at 50Hz."

          I've heard it works at 400Hz as well. Definitely works at 60Hz.

          1. Anonymous Coward

            Re: Prior Art

            You can easily run several kilohertz through the body - AC for non-obvious reasons.

  5. Swarthy
    Trollface

    An even better form of authentication:

    Completely wireless, yet does not radiate any packets, and works in low-power scenarios: Housekeys!

    1. Anonymous Coward
      Thumb Up

      Re: An even better form of authentication:

      Also survives being dropped better than the phone if it slips out of your hand at the door...

    2. Adam 1

      Re: An even better form of authentication:

      I've heard about these mythical "house keys" that allegedly work even if they're flat.

  6. Anonymous Coward

    There is a blocker to prevent this but you might not like where it resides, on the other hand it depends on your bag.

    1. Anonymous Coward
      Joke

      This blocker, does it plug a hole?

      1. M7S

        Intrusion detection should be easy

  7. Dwarf

    Problems ?

    What happens when I'm squeezed like a sardine on the underground ?

    Presumably the person standing next to me with their bag/ipad/whatever will be able to receive and transmit through me in the same manner.

    This is nearly as bad as the advertising that was considered for the walls of trains that vibrated speech into people who were trying to sleep with their heads against the train's shell.

  8. Nolveys
    Alert

    I like to think that this device, when in operation, would make the user look like a Warner Brothers cartoon character being electrocuted.

  9. Herby

    So, I can't greet people...

    With a handshake? What to do? Bow like some cultures do?

    This gives new meaning to "let's shake hands on it". Of course this might be the idea, but at 25 bits/sec (slow by even 1940's data rates of 45.45/sec) it may take a while.

    For the curious 25 bits/sec is about 30WPM in Morse code. Operators in the 30's could do that with lots of practice.

  10. wikkity
    Black Helicopters

    Forget the tin hat ...

    I'm making tin gloves.

  11. Ole Juul

    Modem?

    As referenced at the end of the article, the body is acting as a transmission medium in this case. There's no modulation nor demodulation.

  12. Frumious Bandersnatch

    Old, t'fuck

    http://www.telegraph.co.uk/men/the-filter/10572554/Want-to-exchange-contact-details-Lets-shake-on-it.html

    (and I'm sure I can find earlier references than that, like at least 5+ years)

    Oh, and "wireless"? The human body is the wire.

    FFS

  13. Ru'
    Trollface

    Does this mean I could finally use my dictaphone?

    1. Jedit Silver badge
      IT Angle

      "Does this mean I could finally use my dictaphone?"

      Only to download porn. 25 (naughty) bits per second may be pushing the limits of the technology, though.

      (The IT angle? Well, that depends on how good the porn is.)

      1. allthecoolshortnamesweretaken

        Re: "Does this mean I could finally use my dictaphone?"

        Upvoted for 'naughty bits per second' - this should be an El Reg unit.

  14. Anonymous Coward

    I saw something known internally as "body net" being demoed in HP labs more than 17 years ago. They had better data rates.

  15. Jin

    Look at body features to scan before looking at the body flesh for data transmission.

    Biometrics are easy to fake, impossible to reset, intrusive and costly on top of contributing to poorer security as outlined in

    "Biometrics in Cyber Space - "below-one" factor authentication"

    https://youtu.be/wuhB5vxKYlg
