Security Analysis of ECG-Based Authentication in Wearable Devices

In the past decade, rapid advancement of microprocessors and sensor technologies has made it possible to monitor user health through wearable devices. Although these devices offer significant convenience in daily life, they also store a large amount of sensitive user information, making their security a critical concern. An essential aspect of securing portable devices is the implementation of robust authentication systems to prevent unauthorised access. This study focusses on improving the security and privacy of wearable devices by exploring ECG based authentication methods. In clinical settings, ECG signals are commonly used by physicians to diagnose cardiac conditions. These signals are collected by recording voltage fluctuations on the surface of the body generated by heartbeats. Due to the influence of genetic and non-genetic factors, ECG signals vary significantly from person to person, making them suitable for biometric authentication. Compared to traditional biometric methods, ECG offers several advantages, including ease of collection, support for continuous authentication, and resistance to external observation and replication. These features make ECG a more secure alternative for authentication in wearable systems. Although ECG based authentication offers numerous advantages, its security against various types of attacks has not been thoroughly investigated. This thesis begins by introducing existing authentication schemes that are applicable to wearable devices. Then it summarises and discusses the strengths and limitations of these approaches and finally outlines potential directions for future research. After identifying limitations in current evaluation metrics for ECG based authentication schemes, we introduced a novel assessment framework tailored for ECG based identity verification on wearable devices. To facilitate rigorous testing, we also constructed a standardised dataset. The existing ECG authentication algorithms were comprehensively evaluated in four key dimensions: scalability, adaptability, efficiency, and cancellability. Using a standardised dataset constructed for this purpose, we benchmark several state-of-the-art ECG authentication algorithms. The results show significant performance degradation in cross-session scenarios, with the average true acceptance rates dropping by more than 60% when session variance is introduced. To build trust and enable the practical deployment of ECG authentication algorithms, it is important to understand their security properties, especially their resistance to traditional biometric attacks. We propose a new dictionary attack against ECG based authentication systems. Unlike traditional targeted attacks, this method uses random pairing to attack a large number of users without requiring specific biometric data from victims. This approach first uses clustering to divide the population into different groups according to the similarity of their ECG signals. Then, adversarial optimisation is performed on each cluster to generate a signal that has a high similarity to all other signals within the cluster and is used as the attack input. Our experiments show that even under the strictest authentication thresholds, this method can break into about 20% of users’ systems in a single attack attempt. When allowed five attempts, it can bypass up to 62% of the user's ECG authentication systems. This study exposes critical weaknesses in the current implementation of ECG based biometric technologies. Finally, our goal is to test one of the core assumptions behind the authentication security of ECGs: that an attacker cannot obtain a victim’s ECG signal without direct contact. Since many physiological signals in the human body are related to cardiac activity, we aim to use signals that are easier to collect to reconstruct ECG signals. In this study, we designed a cross-signal attack method targeting ECG authentication systems. This method uses a diffusion model to generate ECG signals from the victim’s PPG signals or video recordings, and then uses these generated signals to attack the authentication model. Our experimental results show that, for all algorithms tested, the attack achieved an average success rate of 45% within five attempts. This demonstrates the security threat posed by synthetic signals to ECG authentication systems. This part of the study shows that attackers can obtain and exploit victim ECG information without direct contact, challenging a fundamental security assumption of ECG based authentication.<p></p>