Abstract.
In this work we present a systematic presentation attack against ECG biometrics. We demonstrate the attack's effectiveness using the Nymi Band, a wrist band that uses electrocardiography (ECG) as a biometric to authenticate the wearer. We instantiate the attack using a hardware-based Arbitrary Waveform Generator (AWG), AWG software using a computer sound card, and the playback of ECG signals encoded as .wav files using an off-the-shelf audio player. In two sets of experiments we collect data from a total of 41 participants using a variety of ECG monitors, including a medical monitor, a smartphone-based mobile monitor and the Nymi Band itself.
We use the first dataset to understand the statistical differences in biometric features that arise from using different measurement devices and modes. Such differences are addressed through the automated derivation of so-called mapping functions, whose purpose is to transform ECG signals from any device in order to resemble the morphology of the signals recorded with the Nymi Band.
As part of our second dataset, we enroll users into the Nymi Band and test whether data from any of our sources can be used for a signal injection attack. Using data collected directly on the Nymi Band we achieve a success rate of 81%. When only using data gathered on other devices, this rate decreases to 43% when using raw data, and 62% after applying the mapping function. While we demonstrate the attack on the Nymi Band, we expect other ECG-based authentication systems to most likely suffer from the same fundamental weaknesses.