Should we soon expect to be sending passwords through our bodies, not the air?


Whenever you send a password using a broadcast medium such as Wi-Fi or Bluetooth, someone might be listening. Even if it’s encrypted, you might be giving hackers at least a shot at breaking it.

Researchers have expressed particular concerns about the risk of vulnerabilities in custom radio protocols for wearables and implantables. But what if you could securely send that data through your body, not the air?

And what if you could do it using a fingerprint sensor or touchpad like the one already built into your smartphone or laptop?

That’s the claim of new research from computer scientists and electrical engineers at the University of Washington. As UW assistant professor of computer science and engineering Shyam Gollakota puts it:

Fingerprint sensors have so far been used as an input device. What is cool is that we’ve shown for the first time that fingerprint sensors can be re-purposed to send out information that is confined to the body.

That’s right: even though fingerprint sensors aren’t designed to be active radio transmitters, “during normal operation they produce characteristic electromagnetic signals, which are consistent and at frequencies below 10 MHz” – frequencies that apparently propagate well through the human body.

According to the University of Washington’s description of the research:

These ‘on-body’ transmissions offer a more secure way to transmit authenticating information between devices that touch parts of your body – such as a smart door lock or wearable medical device – and a phone or device that confirms your identity by asking you to type in a password.

Co-lead author Mehrdad Hessar walks through a typical use case:

Let’s say I want to open a door using an electronic smart lock. I can touch the doorknob and touch the fingerprint sensor on my phone and transmit my secret credentials through my body to open the door.

The authors’ paper documents transmission tests across the whole body, demonstrating that their technique works across different body types, and whether the subject is standing, sitting, or lying down. They tested iPhone 5s and iPhone 6s fingerprint sensors, the Verifi P5100 USB fingerprint scanner, and both Lenovo T440s and Adafruit touchpads.

Their technique also held up well against interference from other wearables. (A claimed side benefit of this finding: it might “be difficult for an attacker to transmit an external signal on the air to either jam transmissions or send false information.”)

Don’t expect to watch any HD movies transmitted directly through your fingerprint sensor just yet: Hessar et al achieved transmission rates of just 25 bits per second. That’s less than a quarter the speed of a 1950s modem.

It’s a long way from a university research lab to your body, but if this proves out, multiple applications are possible. For example:

Instead of manually typing in a secret serial number or password for wirelessly pairing medical devices such as glucose or blood pressure monitors with smartphones, a smartphone could directly transmit arbitrary secret keys through the human body.

Of course, having your body as the transmission medium brings a whole new set of security concerns about man-in-the-middle attacks.