Wireless Infrastructure

01:14 PM

Can You Hack A Heartbeat?

Nymi biometric wristband promises to let you unlock everything from cars to hotel rooms without a PIN or password. It authenticates you using heart rhythms.

Could a digital wristband that uses a person's heartbeat for authentication purposes banish passwords, key cards or even car keys?

That's the pitch behind Nymi, a wearable device now available for preorder, and an accompanying smartphone app, which together use a person's heartbeat to verify his identity. According to Bionym, the Toronto-based biometric technology firm behind the wristband, when users first strap on the device, they'll use a related app to record their cardiac rhythm. This becomes their biometric identifier. Whenever the user puts the wristband on again, it verifies that their live heart rhythm matches the one that's been stored, to validate their identity.

Beyond the ECG capabilities, the wristband includes the usual mobile device bells and whistles: accelerometer and gyroscope, which allow for gesture controls, as well as Bluetooth Low Energy (a.k.a. Bluetooth Smart), which can be used for proximity detection with other devices that also have the technology.

A short promotional video suggests numerous security applications for these capabilities: you can automatically authenticate to a workstation or iPad, pay for a coffee by touching the wristband to a point-of-sale terminal, or unlock a hotel room or car. "The gesture control is essentially an optional input that gives the user a way to indicate what they want to do with their identity," Bionym founder and CEO Karl Martin told GigaOm. "If you want to unlock the car door, you may want to indicate if you want the front door unlocked versus the trunk."


According to the Nymi website, by Wednesday afternoon over 1,600 of the devices -- available in black, white or red -- had been preordered for $79. The device is due to be released in early 2014.

The focus on a heartbeat for authentication purposes makes for some unusual operating instructions. A FAQ posted to the Nymi website, for example, fields the question of what happens if a user's heartbeat changes, such as after -- or while -- he has a cardiac arrest or some other heart-related condition. "To ensure the Nymi's accuracy, we encourage you to update your heartbeat template whenever you experience a heart-altering episode," says the website. The wristband's developers have promised that "we'll have a variety of measures that may include password or reset done through the app."

The million-dollar question for any new authentication device, however, is what's to keep it from being hacked? Nymi has yet to undergo any type of formal information security audit, reported Ars Technica.

One potential security vulnerability is that authentication information relayed by the device might be intercepted, potentially allowing attackers to "replay" a transmitted authentication token at a later date. But Martin told Ars Technica that the device uses elliptic curve cryptography to prevent eavesdropping. In addition, he said, systems interacting with the device -- such as your car -- could be designed to send one-time challenges that the device would have to successfully decrypt and respond to, thus further stymieing would-be eavesdroppers.
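
The difference between a replayable token and the one-time challenge Martin describes, as an added example that is not from the article or from Bionym. HMAC-SHA256 with a shared key stands in for the device's elliptic curve cryptography, which the article does not detail; the `Lock` class, the `mac` helper and the `unlock` message are hypothetical.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 stands in for the device's elliptic curve scheme (assumption).
    return hmac.new(key, msg, hashlib.sha256).digest()


class Lock:
    """Hypothetical verifier, e.g. the car, holding the key set at pairing."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()  # challenges issued but not yet answered

    def accept_static(self, token: bytes) -> bool:
        # Weak design: the expected token never changes, so a capture stays valid.
        return hmac.compare_digest(token, mac(self.key, b"unlock"))

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def accept_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.pending:
            return False  # never issued, or already consumed
        self.pending.discard(challenge)  # single use, even if the check fails
        return hmac.compare_digest(response, mac(self.key, b"unlock|" + challenge))


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed pairing key
    lock = Lock(key)
    # Wristband side: these values are what an eavesdropper could record.
    static_token = mac(key, b"unlock")
    c1 = lock.new_challenge()
    response = mac(key, b"unlock|" + c1)
    first = lock.accept_response(c1, response)
    c2 = lock.new_challenge()
    return {
        "static_replay": lock.accept_static(static_token),  # recording still works
        "fresh_response": first,
        "replay_used_challenge": lock.accept_response(c1, response),
        "replay_new_challenge": lock.accept_response(c2, response),
    }


if __name__ == "__main__":
    print(demo())
```

A fresh challenge stops later replay of a recording; it does not by itself stop a live relay of the signal, which is a separate scenario.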

In another potential security risk scenario, an attacker might boost the signal being sent to the device, thus extending its range to make the wearer appear to be near to any system an attacker wanted to unlock. However, the proximity detection capabilities built into Nymi might mitigate this vulnerability.

So, if you build a wearable authentication device, will developers come? That's the hope, and Bionym says that it plans to release a related software development kit (SDK) and API to GitHub, launch a developer portal, and distribute devices to developers this fall. "We're looking to developers to build applications that will enhance the Nymi experience, unlocking new potential in everything from Nymi based social interactions to augmented gesture controls," says the Nymi website.

Bionym said that Nymi initially will support iOS, Android, Windows and Mac OS X operating systems, although developers could use the SDK to add support for other OSes.

Comments
Laurianne
User Rank: Apprentice
9/4/2013 | 7:52:02 PM
re: Can You Hack A Heartbeat?
It seems they have a steep security audit hurdle to jump. Will be interesting to see what the Black Hat crowd says on this one.
David F. Carr
User Rank: Apprentice
9/4/2013 | 10:26:12 PM
re: Can You Hack A Heartbeat?
Sounds like they picked the wrong biometric signal, given that heartbeat can change.
KMBurnham
User Rank: Apprentice
9/5/2013 | 4:02:22 PM
re: Can You Hack A Heartbeat?
The heartbeat seems like such an odd metric to use for verification, especially because -- like @davidfcarr mentioned -- it can change. Fingerprint or retinal scan? Sure. I can't imagine this will be very successful.
Cara Latham
User Rank: Apprentice
9/5/2013 | 5:04:28 PM
re: Can You Hack A Heartbeat?
I agree. What about cases of cardio activity in which the wearer is returning from a run in the park that increases the heart rate? You can update your heartbeat template, but does that mean you have to update it every time you are going to exercise? Or do you simply wait for your heart rate to return to normal before trying to unlock your car?
Thomas Claburn
User Rank: Strategist
9/5/2013 | 8:53:53 PM
re: Can You Hack A Heartbeat?
The rhythm of a heart beat seems neither consistent enough nor irreproducible enough to truly be secure. The NSA probably already has drummers under contract for just such a case...
Tronist
User Rank: Apprentice
9/6/2013 | 11:27:59 AM
re: Can You Hack A Heartbeat?
Dumb idea. If, for some reason, a person's heart goes into arrhythmia, they're screwed.