Researchers have discovered a way to send secure passwords through the human body using fingerprint sensors and touchpads on smartphones and laptops.
The computer scientists and electrical engineers from the University of Washington call this an “on-body” transmission, which is authenticated when the device touches the user’s body. Transferring information like a password over Wi-Fi or Bluetooth is the most common and convenient method but it is at risk of interception.
This new technique uses signals that are already being generated by touchpads and phone sensors. The researchers envision the method being used in things like secure doors or accessing medical devices, rather than using a password that’s transmitted over the air or entered into the device itself. It could be particularly helpful in securing medical devices like insulin pumps that transmit data on the patient, according to the researchers.
“Let’s say I want to open a door using an electronic smart lock,” explained one of the study’s authors Merhdad Hessar. “I can touch the doorknob and touch the fingerprint sensor on my phone and transmit my secret credentials through my body to open the door, without leaking that personal information over the air.”
These sensors typically receive signals from your fingers. The researchers said they were able to flip this from an input signal to an output signal related to your password or access code data, and pass the information to a receiver on the device.
“What is cool is that we’ve shown for the first time that fingerprint sensors can be re-purposed to send out information that is confined to the body,” said Shyam Gollakota, co-author.
The researchers are presenting their findings at the UbiComp 2016 conference in Germany. They carried out tests on 10 people using an iPhone, Lenovo laptop, Adafruit touchpad, and a number of other fingerprint sensors. The 10 test subjects were of different height, weight, and body type but were all able to generate a transmission between themselves and the device, even while moving.
The transmissions needed to be below 30 megahertz — usually between two and ten megahertz in these tests — and travel through the body, and never over the air, according to the authors. “The receivers can be anywhere — on your leg, chest, hands — and still work,” said Virkam Iyer, another co-author.
The tests transferred between 25 and 50 bits per second, just enough to send a password through the body to a receiver. The method is still in need of further researcher, admitted the University of Washington team, and that will require device manufacturers to provide researchers with greater access to their software for testing.