TechWeb

Can You Hack A Heartbeat?

Sep 04, 2013 (10:09 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240160811


Could a digital wristband that uses a person's heartbeat for authentication purposes banish passwords, key cards or even car keys?

That's the pitch behind Nymi, a wearable device now available for preorder, and accompanying smartphone app that together use a person's heartbeat to verify his identity. According to Bionym, which is the Toronto-based biometric technology firm behind the wristband, when users first strap on the device, they'll use a related app to record their cardiac rhythm. This becomes their biometric identifier. Whenever the user puts the wristband on again, it verifies that their live heart rhythm matches the one that's been stored, to validate their identity.

Beyond the ECG capabilities, the wristband includes the usual mobile device bells and whistles: accelerometer and gyroscope, which allow for gesture controls, as well as Bluetooth Low Energy (a.k.a. Bluetooth Smart), which can be used for proximity detection with other devices that also have the technology.

A short promotional video suggests numerous security applications for these capabilities: you can automatically authenticate to a workstation or iPad, pay for a coffee by touching the wristband to a point-of-sale terminal, or unlock a hotel room or car. "The gesture control is essentially an optional input that gives the user a way to indicate what they want to do with their identity," Bionym founder and CEO Karl Martin told GigaOm. "If you want to unlock the car door, you may want to indicate if you want the front door unlocked versus the trunk."

According to the Nymi website, by Wednesday afternoon over 1,600 of the devices -- available in black, white or red -- had been preordered for $79. The device is due to be released in early 2014.

The focus on a heartbeat for authentication purposes makes for some unusual operating instructions. A FAQ posted to the Nymi website, for example, fields the question of what happens if a user's heartbeat changes; for example, after -- or while -- he has a cardiac arrest or some other heart-related condition. "To ensure the Nymi's accuracy, we encourage you to update your heartbeat template whenever you experience a heart-altering episode," says the website. The wristband's developers have promised that "we'll have a variety of measures that may include password or reset done through the app."

The million-dollar question for any new authentication device, however, is what's to keep it from being hacked? Nymi has yet to undergo any type of formal information security audit, reported Ars Technica.

One potential security vulnerability is that authentication information relayed by the device might be intercepted, potentially allowing attackers to "replay" a transmitted authentication token at a later date. But Martin told Ars Technica that the device uses elliptic curve cryptography to prevent eavesdropping. In addition, he said, systems interacting with the device -- such as your car -- could be designed to send one-time challenges that the device would have to successfully decrypt and respond to, thus further stymieing would-be eavesdroppers.
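The difference between a replayable token and a one-time challenge can be shown in a short sketch. This is an added example, not code from Bionym or the original article: the `Device` and `Verifier` classes are hypothetical, and HMAC-SHA256 with a shared key stands in for the device's elliptic curve cryptography.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: HMAC-SHA256 with a shared key stands in for the device's
# elliptic curve cryptography (not available in the standard library).
def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Device:  # hypothetical wristband side
    def __init__(self, key):
        self._key = key
    def static_token(self):
        # Weak design: identical bytes on every authentication.
        return mac(self._key, b"unlock")
    def respond(self, challenge):
        # Response is bound to the verifier's one-time challenge.
        return mac(self._key, challenge)

class Verifier:  # hypothetical car or door side
    def __init__(self, key, ttl=5.0):
        self._key, self._ttl = key, ttl
        self._pending = {}  # challenge -> time issued
    def accept_static(self, token):
        return hmac.compare_digest(token, mac(self._key, b"unlock"))
    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = time.monotonic()
        return nonce
    def accept_response(self, challenge, response):
        issued = self._pending.pop(challenge, None)  # single use
        if issued is None or time.monotonic() - issued > self._ttl:
            return False  # unknown, already used, or expired challenge
        return hmac.compare_digest(response, mac(self._key, challenge))

def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    device, car = Device(key), Verifier(key)
    token = device.static_token()      # what an eavesdropper records
    c1 = car.new_challenge()
    resp = device.respond(c1)          # also recorded
    return {
        "fresh_response": car.accept_response(c1, resp),
        "static_replay": car.accept_static(token),
        "replay_same_challenge": car.accept_response(c1, resp),
        "replay_new_challenge": car.accept_response(car.new_challenge(), resp),
    }
```

The recorded static token is accepted again, while the recorded response fails both against its own, already consumed challenge and against a new one. Freshness of this kind addresses recorded traffic only; it does not by itself address live forwarding of messages.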

In another potential security risk scenario, an attacker might boost the signal being sent to the device, thus extending its range to make the wearer appear to be near to any system an attacker wanted to unlock. However, the proximity detection capabilities built into Nymi might mitigate this vulnerability.

So, if you build a wearable authentication device, will developers come? That's the hope, and Bionym says that it plans to release a related software development kit (SDK) and API to GitHub, launch a developer portal, and distribute devices to developers this fall. "We're looking to developers to build applications that will enhance the Nymi experience, unlocking new potential in everything from Nymi based social interactions to augmented gesture controls," says the Nymi website.

Bionym said that Nymi initially will support iOS, Android, Windows and Mac OS X operating systems, although developers could use the SDK to add support for other OSes.