How to Send a Password Through Your Body

A group of engineers found a way to use everyday devices to transfer small amounts of data through skin.

A man with one hand in his pocket approaches a locked door and places his other hand on the doorknob. A second later, the deadbolt clicks open, as if by magic, and he lets himself in. A would-be burglar casing the house watches this sequence of events unfold. The next day, after the man has left for work, the burglar approaches the door and places his hand on it, expecting it to pop open. Instead, it stays stubbornly locked. It’s not outfitted with a typical “smart lock,” which uses Wi-Fi or Bluetooth to open when a paired phone or watch is nearby. It’s not reading his fingerprint, either. So what’s going on?

A similar scenario recently unfolded in the University of Washington’s Networks and Mobile Systems Lab, where researches are experimenting with a new technology that sends passcodes through the human body. The technology uses touchpads and fingerprint readers to create signals that travel through skin—and, unlike wireless broadcasts, the “on-body” transmissions can’t be intercepted over the air.

Using their method, a person just needs to be touching a transmitter—the fingerprint reader on an iPhone, for example—when he or she comes in contact with a receiver. In the doorknob example, the metal handle is hooked up to a reader that listens for electromagnetic pulses. A code sent from the iPhone’s fingerprint reader travels across a layer of particularly conductive tissue right beneath the outer layer of human skin. It quickly propagates to every part of the body, so that your entire epidermis glows, invisibly, with data. (The researchers were able to detect signals sent from one arm to the opposite leg, and could accurately read them whether the person was standing, sitting, or lying down.) When the signal arrives at the doorknob, the reader makes sure it’s the right passcode and, if it is, it opens.

This same approach could also be used to securely pair wearable devices—everything from calorie counters to insulin pumps—with their owners and each other. The technique takes advantage of the fact that most devices give off faint electromagnetic signals when they’re used normally. Some gadgets, like fingerprint readers and trackpads, produce particularly reliable signals, said Vikram Iyer, one of the two lead authors on the paper that presented the findings.

Iyer and his colleagues jury-rigged those electronic devices into transmitters. For the fingerprint scanners, they rapidly activated and deactivated them to send a signal pattern through the skin; for the touchpads, they created patterns simply by power cycling them—that is, quickly turning them off and on over and over again.

The improvised transmitters get the job done, but not terribly efficiently. The maximum transfer rate the researchers were able to attain was 50 bits per second. At that speed, it would take nearly two days to download a three-megabyte photo—but it’s enough bandwidth to send a four-digit code in well under a second.

(The trackpad on an IBM Thinkpad had the fastest transfer rate, said Mehrdad Hessar, the paper’s other co-author, but the fingerprint reader on an iPhone 6S sent the most powerful signal.)

If the researchers used custom hardware, they could’ve gotten speeds that were orders of magnitude faster. So why didn’t they?

“Our focus here was trying to find a way we could reuse an existing device,” said Iyer. “One of the main problems with adopting this kind of technology into a commercial applications is that there’s already so much included in a phone. Any device manufacturer wouldn’t add another radio, because that would take up power, or space that they could use to make the battery a little bigger.”

Better to find a way to use a technology that’s already found its way into most phones—the fingerprint reader—rather than reinvent the wheel. But if device manufacturers like Apple gave developers more access to the fingerprint readers, beyond the capability to activate and deactivate them, it would make using them as transmitters much easier.

Avoiding a custom setup also means that on-body transmission doesn’t pose any health hazard beyond simply using a phone or a computer, Hessar said. It’s just using the electromagnetic noise that’s already being produced by everyday devices in a clever way.

While security is one the main benefits of on-body transmission—there’s no airborne signal for a hacker to intercept—there is one way to hijack a signal as it’s traveling across someone’s skin: Just come in contact with it. Multiple devices touching a body that’s conducting a charge can all read the signal, raising the possibility that malware on  a smartwatch could be used to eavesdrop on a passcode as it moves from limb to limb. But absent a compromised smartwatch or fitness band, coming touching an object during transmission would be “fairly conspicuous,” Iyer said, so it’s not much of a worry.