Broken Hearted: How to Attack ECG Biometrics (sconce.ics.uci.edu/203-W17/ecg.pdf)


Broken Hearted: How to Attack ECG Biometrics

Simon Eberz¶, Nicola Paoletti¶, Marc Roeschlin¶, Andrea Patane§, Marta Kwiatkowska¶, Ivan Martinovic¶

¶ Department of Computer Science, University of Oxford, UK
§ University of Catania, Italy


Simon Eberz – How to Attack ECG Biometrics, NDSS 2017 2/19

Background - ECG

Recording of the heart’s electrical activity

Electric potential differences measured on a person’s skin

Most common use: Medical diagnosis


Background – ECG Biometrics

Generic waveform common to healthy individuals

Individual differences in amplitude, duration and distance

Significant body of academic work


Background – Nymi Band


Background – Nymi Band (2)

Communication with all Bluetooth/NFC devices (NEAs)

Trialled for contactless payments and online banking


Threat Model

To break the Nymi Band, the attacker needs to

Obtain access to the band itself

Obtain access to the NCA (e.g., user’s smartphone)

Circumvent ECG-based authentication (focus of this work)


A Presentation Attack Against ECG

Goal: Impersonation of the legitimate user

ECG is available through a number of sources

Different measurement locations and device properties!

Cross-Device attacks

Printed ECG Signal, E-health, Fitness Devices


Collecting Data for the Attack

41 Participants

3 different devices

5 measurement modes


Signal Injection Methods

Hardware arbitrary waveform generator

Laptop soundcard with SW-based waveform generator

Playback of .wav-encoded ECG signal


“There is currently no known means of falsifying an ECG waveform and presenting it to a biometric recognition system.”


Initial Results

Cross-Device Attacks


Different signal morphology across devices!

The Challenge of Cross-Device Attacks

Nymi Band Waveform

ECG Monitor Waveform

Different waveform morphology between devices!


Training a Cross-Device Mapping

[Diagram labels: Source ECGs; Target ECGs; ECG detection and features extraction; Source features distributions; Target features distributions; Optimisation; Mapping]


Training a Cross-Device Mapping - Results


Final Results


Countermeasures – Liveness Detection

Goal: Distinguish between real and artificial signals

Popular for fingerprint scanners

Similar approach conceivable for ECG, but…

…ultimately an arms race with doubtful outcome


Countermeasures - Secrecy

Goal: Prevent the attacker from obtaining useful data

Challenge: ubiquitous biometric data in the wild

Added bonus challenge: Time stability of biometric features!


Conclusion – Questions?

Successful presentation attack against ECG biometric

Wide variety of data sources suitable for attacks

Remarkably low technological barriers

Future Work

Further improve cross-device mapping

Can very old data be used for the attack?

Thank you for your attention. Questions?
