Using the human body as a wire-like communication channel.
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Shreyas Sen: And we already have this common conductive medium that is the body itself, so why we cannot use the body as a way so that we get the orders of magnitude more efficiency and physical security for devices communicating around the body.
Dave Bittner: That's Dr. Shreyas Sen. He's an Associate Professor at Purdue University. The research we're discussing today is titled, "Enabling New Interaction Modalities by Communicating Strictly Through Touch Using Electro-Quasistatic Human Body Communication."
Shreyas Sen: Think about, you know, you have two devices on the body, let's say maybe your smartwatch and another device, let's take your AirPod. Today, what happens is when we want to communicate digital information from one device to another, we take the digital information, put it on an electromagnetic carrier, and radiate it. That radiated signal goes all around us – for example, in Bluetooth, up to thirty feet distance – and can be picked up by anybody in the physical proximity. And only a very small fraction of this signal gets picked up in the other device. So we are kind of wasting energy, sending signals to all the places where it should have only stayed around my body. And also we are creating a security risk, because anybody within, you know, a Starbucks coffee shop can now try to snoop into my signal because they have the physical signals themselves.
Shreyas Sen: So, what we started thinking is, because body is conductive, why not couple the signal in a different frequency range called "electro-quasistatic frequency?" That's where the name EQS-HBC – EQS standing for "electro-quasistatic" and HBC standing for "human body communication" – comes from.
Shreyas Sen: We published this last year in Nature Scientific Reports, as well as this month, there is a feature article on IEEE Spectrum where these concepts are explained. But long story short, what it does is it couples tiny amounts of electrical signals from this watch, let's say, to your body. And that signal stays – is accessible anywhere around your body, but not off of your body.
Dave Bittner: Hmm. So, are we essentially using our body as an antenna? A short-range – an extremely short-range antenna? (Laughs)
Shreyas Sen: Somewhat, but not antenna, a wire. Think of the, like, a copper wire that through which we communicate signals – we are turning our body into a wire.
Dave Bittner: And so, what are some of the practical applications that you all have thought of here to use this?
Shreyas Sen: Yeah, so, there are many, many applications, and I will come to the touch application in a minute. So, out of the many applications, it can be in a future body area network. Your watch is talking to your AirPod, augmented reality, virtual reality, medical devices around the body, connected medical devices – anything that is on or in or around your body that uses Bluetooth today could be using this body as a wire technology, making things much more secure because the signals are not getting radiated, and energy efficient.
Shreyas Sen: Now, one of the key applications that you are pointing out here is, now that was the science of the technology, how to turn the body into a wire? Now, what we did in the recent news release and the paper that got published in the Transition of Computer Human Interaction – TOCHI – conference, it is going to be presented next year, which is the leading conference in human computer interaction. We are going to show that once you couple the signal onto your body, we are confining it within less than a centimeter of your fingertips.
Shreyas Sen: Which means, imagine you have a digital signal on your body and your fingertip is empowered with the digital signal. If you can touch something, that will get the digital signal, but nothing else will get it. So I can open a computer by touching the touchpad. I can open a door just by touching it. And this can create a second-factor authentication. From, you know, today, we are increasingly using multifactor authentication, and we have to open our phone to the second factor. It will be possible to just touch and send this digital second factor through the touch in a seamless gesture. You don't have to get your phone out of your pocket.
Dave Bittner: And to be clear, I mean, this is different from, say, something like Touch ID, which is scanning your fingerprint, but it could work alongside something like that?
Shreyas Sen: Exactly. And that can become the second and third factor. When you touch, you have the fingerprint. Of course, that's a good biometric thing. But also, thereby your fingerprint is one time throughout your life. So if that gets compromised, then, you know, it's done. We cannot change it. So, pairing it with some changing passwords is something people anyway want to do. So what we're talking about in the same seamless gesture where you are touching some electrode, you give the biometric fingerprint simultaneously overlaying a digital password communication through that. It can be with the biometric or even without. But these are two technologies that can be seamlessly combined in one gesture.
Dave Bittner: And so far, what kind of data rates have you been able to achieve? How much information can you send?
Shreyas Sen: So, we have two different sets of prototypes. One is using – we are developing our own integrated circuits also. So, I'll tell you, with off-the-shelf modified devices, we are achieving ten kilobits-per-second kind of data rates, which are good enough for these kind of security applications, as well as biomedical signal communication. And then we are also pioneering our own application-specific integrated circuit, through which we have shown more than ten megabits per second kind of communication as well.
Dave Bittner: Now, is there any bidirectionality here? In other words, can you send information back through your finger to, say, a smartwatch, something like that?
Shreyas Sen: Yeah, definitely. The easiest way of thinking of this is like your body is a wire now. So, like you can send things back through a wire, same you can now use the body to send it back from the computer to your smartwatch.
Dave Bittner: And speaking of efficiency, which is one of the, I think the benefits that you're discussing here – in the example of, say, sending information through your fingertips to log into something, would that information just be constantly broadcast in a repeating kind of signal, or would there be some way to sense when you're actually touching something?
Shreyas Sen: Yeah, it should not be broadcasted all the time. There are a few different ways one can implement the full system, and we have considered some of this. So I'll give you two examples. One is, yes, when you are touching something, you have some sensor that you did so touch and then activates the system. That's one possibility. A second possibility is the computer that sends a request for this ID, like what you would do in a RFID kind of system, and then the smartwatch sends that ID back. So, there are many different ways the system can be implemented so that it only sends when needed and not broadcast all the time.
Dave Bittner: And what about the possibility of sending information person-to-person? You know, could I transfer my contact information through a handshake?
Shreyas Sen: Yes, that was the motivation when I started this...
Dave Bittner: (Laughs)
Shreyas Sen: ...If you read my paper back in February 2016, I have a nice picture showing, you know, a man and the lady handshaking and they're sending a business card, so that we don't have to give them business cards anymore. Yes, we can do that, and we now, after four years of effort, have a prototype that is able to do that.
Dave Bittner: So, what are some of the things that you have in your imagination here, in applications for this looking forward?
Shreyas Sen: So, one of the things we have been exploring is – so I will explain this from two aspects. One, that communication strictly through touch – this one. And then I'll explain the broader body as a way of concept. So, the communication through touch – we think, you know, opening computers, this multifactor authentication is increasing significantly, and people are carrying these key fobs with them. There's a company called Yubico and people are using this YubiKey and similar other devices.
Dave Bittner: Right.
Shreyas Sen: So, you don't have to carry that extra device. Your smartwatch or any other device that you wear becomes that second device with this technology. If you were trying to do it, for example, from your smartphone, then the smartphone had to send it using a Bluetooth, which then increases vulnerability because then the signals, again, somebody in physical proximity can sense it. So if you think of the key fob from where the key comes, it basically gets plugged into a USB-C. So the communication happens through that USB-C, and hence it's secure. What we are doing is we are now able to take that – you don't have to plug it in the USB-C anymore. It can be anywhere on your body and the body is your secure channel sending that unique key to do logins.
Shreyas Sen: So, we believe that using the body as a wire has a significant possibility of growth in the multifactor authentication space, as well as – today, if you imagine when you touch this place, we are just giving out information of which location we are touching. That's all the display understands. But now, with this technology, if in future it is integrated with the displays, you are not only sending where I am touching, I'm also sending who is touching, or what heart rate they have right now, and many other overlaid information. So that's what I said in the Purdue news release, that you can log in to your profile on somebody else's phone just by touching that. Think about that for a minute, right?
Dave Bittner: Yeah.
Shreyas Sen: Today, we have to log in prior and keep that information and then when they touch, it says open this app, and it uses the prior login information. But in future, what can happen is when I'm touching, it simultaneously sends the login information so anybody can open that. For example, think of Uber terminals, touch-based Uber terminals in an airport. You don't have to log things in and can just touch and you will automatically log in.
Dave Bittner: So essentially, you're carrying your ID on, for example, your smartwatch and you're able to verify who you are by just touching things that would be sensitive to this sort of communication.
Shreyas Sen: That's correct.
Dave Bittner: Now, to be clear here, we're using the human body, you know, the bag of meat that is you or me...
Shreyas Sen: Right.
Dave Bittner: ...As the conduit for the signal and there's nothing specific about you versus me. The system isn't measuring anything particular about you or me. It's not using your specific biometrics or my specific biometrics to roll into any of the security. It's really using the specifics of our flesh to keep it from, as you say, to use as a wire rather than being broadcast at any distance.
Shreyas Sen: Yes, that is correct. That's what the body-as-wire technology or electro-quasistatic HBC does. But of course, the prototypes we're developing also in certain applications tries to couple it with the biometric. For example, from the smartwatch, you can imagine collecting your heart rate, which can act as a unique biometric, then digitizing it, sending it through your body, and then when you touch with the fingertip, you can simultaneously get your fingerprint and also the digital signal, which contains your heart rate. You can do many-factor authentication in one single touch gesture.
Dave Bittner: I'm thinking of applications, also, you know, there's been concern lately about, you know, for example, if I want to get into a bar and prove that I'm of age, you know, to be able to go in there and have a drink with my friends, if I hand over my ID, that has a lot of information on it beyond just the fact that I'm, in this case, over 21. It has my home address, it has, you know, a picture of me. And I may not want to share all of that information. It seems to me like a technology such as yours, you'd be able to limit that, you know, have something at the door that I can touch. And it'll just ask that specific question. Can you verify that, that you are of age, the systems exchange information and say, yep, this person's good, let them in?
Shreyas Sen: Yes, absolutely. That's a great example, that that is only one aspect of it. But body area networks – we need medical devices connected, medical devices monitored in a secure and extremely energy-efficient way in the low-speed application of body-as-a-wire. For high-speed applications, there is a huge boom in augmented reality, virtual reality, which can be using this body-as-a-wire technology. So, in summary, basically anything for which you think Bluetooth is used today around the body, this can replace it and make it better. It's like hundred lower than Bluetooth and physically secure.
Shreyas Sen: So, we see huge application space and multiple different large companies as well as startups have shown interest, including the touch-based-ID kind of technology, and we are working with them to develop some of this technology and try to bring it to market.
Dave Bittner: Well, it's very exciting. I wish you all well. It's interesting to see progress in this space and it seems as though you all are really on to something. This is exciting research.
Shreyas Sen: Thank you. It's great discussing with you.
Dave Bittner: Our thanks to Dr. Shreyas Sen from Purdue University for joining us. The research is titled, "Enabling New Interaction Modalities by Communicating Strictly During Touch Using Electro-Quasistatic Human Body Communication." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.