Biometrics and Hardware in the IoT Era

The Internet of Things (IoT) is an emerging concept envisioned to dramatically increase convenience in our daily lives. However, if we are not careful, it could also introduce catastrophic economic and safety threats and issues. In IoT, small electronic devices will be connected to one another through the Internet. Many sources have predicted that IoT could consist of more than 50 million endpoints by 2020. While IoT devices are planned as low-cost devices, their security must be handled with great care, especially when considering the applications envisioned for IoT (smart homes, transportation, banking, retail, telemedicine, etc.). Security must start with access to the hardware itself.

With the billions of IoT endpoints projected to exist in the near future, traditional forms of access control like passwords are outmoded. Strong passwords are already difficult to remember, let alone with so many devices. Passwords are also vulnerable to guessing. Although dongles, smart cards, etc. are becoming more popular, their theft and misuse are threats. Biometrics are a more appropriate option and have several major benefits. First, they are more convenient than passwords, thereby preserving the spirit of IoT. Second, if appropriately selected, they could have a low probability of circumvention. Third, besides access control, they could be used to enhance many IoT applications. Furthermore, the recent advancements in low-cost sensor technologies make the use of biometrics more feasible than ever.

While these applications in IoT are promising, incorporation of biometrics is challenging. Noise introduced by the sensors capturing the biometric and other sources of variability reduce the accuracy of identification and key generation. If passwords or dongles are hacked or stolen, it is possible to replace them. Biometrics, on the other hand, are permanent and more difficult to revoke if compromised. Many of the most popular biometric modalities are vulnerable to presentation attacks. A presentation attack (also called a spoofing attack) allows an attacker to masquerade as an authentic user to get illegitimate access. Biometrics in the above applications could also be used maliciously to invade user privacy. A careful balance needs to be struck between use of biometrics and privacy through both policies and technological solutions.

In our current work, we are investigating:

  1. Key Generation from Cardiovascular Sources: Bioelectrical signals, such as electrocardiogram (ECG) and photoplethysmograph (PPG), have shown promise as biometrics, but their continuous nature and drastic acquisition variations make it difficult to deploy them for biometric-based key generation. Errors in key generation occur due to sources of noise and variability in ECG: power line interference, motion artifact (MA), baseline wander (BW), electromyography (EMG), and heart rate variability (HRV). First, we developed interval optimized mapping bit allocation (IOMBA), which exploits population and noise statistics in order to optimally quantize each ECG feature into one or more bits. Using IOMBA’s tunable parameters, high entropy keys from normal ECGs achieved 99.9% reliability and were 217 bits long on average. Second, IOMBA was extended to noise aware IOMBA (NA-IOMBA) by incorporating sensitivity of ECG features to different noise sources. Results showed an increase in average key length of 20% while improving reliability by 15% for worst case noise (1 dB SNR). Third, we have also investigated PPG-based human authentication and recognition using non-fiducial features. In contrast to fiducial methods that extract features (i.e., landmarks) in the time domain from a signal, non-fiducial approaches take a more holistic approach where features are extracted statistically based on the overall signal morphology. Our simulations have shown significant improvements for both supervised and unsupervised machine learning classification.
  2. Presentation Attacks Against Electrocardiogram (ECG): The resistance of ECG to presentation attacks is often highlighted as one of its major benefits for biometric authentication, but has recently been challenged. It was shown that ECG signals can be successfully replayed into the Nymi Band (a popular wearable device for multi-factor user authentication that employs ECG) using three different types of devices to generate an ECG waveform: arbitrary waveform generators (AWGs), computer sound cards, and off-the-shelf audio players. In our group, we have built upon this initial work to develop the first full-fledged ECG presentation attack. The attack only requires a template of the victim’s ECG signal. The attacker’s ECG is recorded by an ECG sensor and compared to the victim’s record at run-time. A linear transform is computed ‘on-the-fly’ and used to map the attacker’s ECG into one that more closely resembles the victim’s. Finally, the transformed signal is played by the audio player to the biometric system’s ECG sensor in order to gain unauthorized access to the system. In over 2,500 simulations, the proposed method succeeded 96.7% and 91.78% of the time, respectively, for fiducial and non-fiducial feature extraction methods with only one heartbeat of the victim.
  3. Human-to-Device (H2D) Authentication Paradigm: H2D is a concept we have developed whereby a key generated from a biometric is used to unlock a hardware obfuscated system. Combining hardware obfuscation with biometrics overcomes several limitations present in both. Through obfuscation, the electronic system is protected by physical locking, thereby making it robust against software-based circumvention, fault injection, and reverse engineering. Unlike traditional software approaches, H2D does not require that any biometric template/key be stored permanently on the device, thus significantly reducing the risk of its compromise. By employing biometrics which are innate to a user, it can also be assured that only authorized users/operators can unlock the hardware. This is obviously very useful in military settings where top secret equipment must be protected even if captured by a resourceful attacker.
  4. Paradigms that Balance Biometric Reliability and Hardware Costs: Most IoT devices are simple, low-cost devices with little power. Algorithms that extract unique and reliable features from biometrics for identification, key generation, etc. and can be deployed in resource constrained systems are needed. The traditional methods for biometric authentication aim to find a universal process for all users in a population, but this is ineffective and inefficient. The aforementioned IOMBA and NA-IOMBA approaches adapt to the population itself (to preserve entropy) while also being adaptable to individual users (to improve reliability). Our approaches have been demonstrated on ECG, iris, and face data from publicly available databases and produced strong results. We are currently developing noise analysis methods and extending the above paradigm to achieve improved trade-offs between pre-processing and post-processing hardware on a user-to-user basis through reconfigurable hardware. We are also developing EDA tools that include hardware security metrics, thereby permitting co-optimization of security and available resources.
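
The interval quantization idea behind items 1 and 4, as an added example that is not the authors' IOMBA implementation: a simplified sketch that assumes each feature follows a normal population model, splits it into equiprobable intervals, and discards features lying within k noise standard deviations of an interval edge. All function names, parameters and sample values are constructed for illustration.

```python
from statistics import NormalDist

def boundaries(mu, sd, bits):
    """Edges of 2**bits equiprobable intervals under the population model."""
    n = 2 ** bits
    pop = NormalDist(mu, sd)
    return [pop.inv_cdf(j / n) for j in range(1, n)]

def quantize(x, edges, bits):
    """Gray-coded index of the interval containing x, as a bit string."""
    idx = sum(x > e for e in edges)
    return format(idx ^ (idx >> 1), f"0{bits}b")

def enroll(features, pop_stats, noise_sd, bits=1, k=3.0):
    """Keep only features at least k noise-sigmas from every interval edge.

    Returns (key, helper). helper lists the kept feature indices; it is the
    only data stored and contains no feature values (assumed design).
    """
    key, helper = "", []
    for i, (x, (mu, sd), ns) in enumerate(zip(features, pop_stats, noise_sd)):
        edges = boundaries(mu, sd, bits)
        if min(abs(x - e) for e in edges) >= k * ns:
            key += quantize(x, edges, bits)
            helper.append(i)
    return key, helper

def regenerate(features, pop_stats, helper, bits=1):
    """Rebuild the key from a fresh noisy measurement using the helper data."""
    return "".join(
        quantize(features[i], boundaries(*pop_stats[i], bits), bits)
        for i in helper
    )

# Constructed sample data (not real ECG measurements).
POP = [(0.0, 1.0), (10.0, 2.0), (5.0, 0.5), (-3.0, 1.5)]  # (mean, sd) per feature
NOISE_SD = [0.1, 0.2, 0.05, 0.15]                         # per-feature noise sd
ENROLLED = [0.8, 10.1, 4.2, -5.0]                         # enrollment reading
NOISY = [0.6, 9.8, 4.3, -4.7]                             # later noisy reading

if __name__ == "__main__":
    key, helper = enroll(ENROLLED, POP, NOISE_SD)
    print("key:", key, "helper:", helper)
    print("regenerated:", regenerate(NOISY, POP, helper))
```

Raising `k` or `bits` changes how many features survive the margin check, which is the key-length versus reliability trade-off the text attributes to the tunable parameters.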

Current and Past Project Sponsors

We are thankful for the support provided by the following government agencies and companies:



Our Conference and Journal Papers

NOTE: This directory contains pdf/ps files of articles that may be covered by copyright. You may browse the articles at your convenience, in the same spirit as you may read a journal or a proceedings article in a public library. Retrieving, copying, or distributing these files may violate copyright protection laws.

  • S. Shomaji, Z. Guo, F. Ganji, N. Karimian, D. L. Woodard, D. Forte, “BLOcKeR: A Biometric Locking Paradigm for IoT and the Connected Person”, to appear in Journal of Hardware and Systems Security (HaSS), 2021.
  • N. Karimian, D. Woodard, D. Forte, “ECG Biometric: Spoofing and Countermeasures”, IEEE Transactions on Biometrics, Behavior, and Identity Science (T-BIOM), Vol. 2, No. 3, July 2020. [link]
  • S. Shomaji, F. Ganji, D. Woodard, D. Forte, “Hierarchical Bloom Filter Framework for Security, Space-efficiency, and Rapid Query Handling in Biometric Systems”, IEEE International Conference on Biometrics: Theory, Applications and Systems (BTAS), September 2019. [pdf]
  • N. Karimian, M. Tehranipoor, D. Woodard, D. Forte, “Unlock Your Heart: Next Generation Biometric in Resource-Constrained Healthcare Systems and IoT”, IEEE Access, Vol. 7, No. 1, December 2019. [link]
  • S. Shomaji, P. Dehghanzadeh, A. Roman, D. Forte, S. Bhunia, S. Mandal, “Early Detection of Cardiovascular Diseases Using Wearable Ultrasound Device”, IEEE Consumer Electronics Magazine, Vol. 8, No. 6, November 2019. [link]
  • F. Ganji, N. Karimian, D. Woodard, D. Forte, “Leave Adversaries in the Dark- BLOcKeR: Secure and Reliable Biometric Access Control”, The Journal of the Homeland Defense and Security Information Analysis Center (HDIAC), Vol. 6, No. 1, Spring 2019. [link]
  • N. Karimian, D. Woodard, D. Forte, “On the Vulnerability of ECG Verification to Online Presentation Attacks”, International Joint Conference on Biometrics (IJCB), Oct. 2017. [pdf] [IJCB 2017 Best Student Paper Award]
  • N. Karimian, Z. Guo, M. Tehranipoor, D. Forte, “Highly Reliable Key Generation from Electrocardiogram (ECG)”, IEEE Transactions on Biomedical Engineering, Vol. 64, No. 6, June 2017. [link]
  • N. Karimian, F. Tehranipoor, Z. Guo, M. Tehranipoor, D. Forte, “Noise Assessment Framework for Optimizing ECG Key Generation”, IEEE International Conference on Technologies for Homeland Security (HST), April 2017. [pdf]
  • N. Karimian, Z. Guo, M. Tehranipoor, D. Forte, “Human Recognition from Photoplethysmography (PPG) Based on Non-fiducial Features”, IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), March 2017. [pdf]
  • N. Karimian, M. Tehranipoor, D. Forte, “Non-Fiducial PPG-based Authentication for Healthcare Application”, International Conference on Biomedical and Health Informatics (BHI), February 2017. [pdf]
  • N. Karimian, M. Tehranipoor, D. Woodard, D. Forte, “Biometrics for Authentication in Resource-Constrained Systems,” International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC), August 2016. [link]
  • Z. Guo, N. Karimian, M. Tehranipoor, D. Forte, “Hardware Security Meets Biometrics for the Age of IoT”, IEEE International Symposium on Circuits and Systems (ISCAS) 2016, May 2016. [pdf]
  • Z. Guo, N. Karimian, M. Tehranipoor, D. Forte, “Biometric Based Human-to-Device (H2D) Authentication”, in GOMACTech, March 2016.