An Evaluation of ECG use in Cryptography for Implantable Medical Devices and Body Area Networks

The interpulse interval (IPI), or the time between heartbeats, is a prominent feature of Electrocardiograph (ECG) signals that can be reliably measured anywhere on the body. As such, IPI is a physiological value that has frequently been suggested for use in implantable medical device (IMD) and body area network (BAN) authentication protocols, such as the H2H protocol by Rostami et al. These protocols rely on extracting randomness from IPIs and the assumption that these values cannot be measured without physical contact. In this presentation, we prompt a discussion regarding the security assumptions of these protocols and what can go wrong when these assumptions are not met in practice. In particular, we argue that it is not clear whether the suggested extraction methods, or the way we obtain random bits from ECG signals, reliably produce uniform random bits in real-world settings. In addition, as part of a security analysis of the H2H protocol, we discuss preliminary experimentation to remotely observe ECG signals using known video processing techniques that track involuntary movements of the head and subtle color changes of skin over time.