You can be biometrically impersonated using your Fitbit
European researchers say they have succeeded in writing software that can impersonate a human’s unique daily motion patterns, biometric data collected by Fitbits and similar activity trackers.
Like facial and gait biometric recognition data, this information, called actigraphy, can be used to identify individuals. The scientists say they impersonated people’s actigraphy profiles 94.5 percent of the time.
The trio of researchers used an attack based on a genetic algorithm, targeting machine learning classifiers. In experiments, the team was able to access the health-related data collected by activity trackers.
The impersonated profiles had “a close resemblance to the ground truth profiles,” according to the researchers’ paper. Indeed, the data was so good that it could expose sensitive private data including when a person wakes up and goes to sleep.
Trackers are used to record sleep patterns, help train athletes and monitor mental health, among other things. Paired with machine learning, according to the scientists, they can predict depressive episodes.
But they also can be used to provide continuous biometric authentication, or identify people based on hand gestures, finger-snapping and other actions.
The profiles were modeled as impersonator examples that were created by repeatedly querying the target machine learning classifier. The examples were then used to impersonate a specific person in the researchers’ 55-person database of actigraphy profiles, known as Depresjon.
The attacks succeeded in a black-box scenario, where the type of classifier is not known to the attacker. The examples are “highly transferable to other types of classifiers, exposing potential vulnerabilities in the system.”
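From the defender's side, the repeated querying described above leaves a trace in the classifier's query log. The sketch below is an added example, not code from the researchers' paper: it flags a client that sends many queries at one identity while the returned confidence climbs. The log format, the client and user names, and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean


def build_sample_log():
    """Constructed sample log of (client_id, claimed_identity, confidence).
    Every name and value here is made up for illustration."""
    log = []
    # Legitimate wearer: a handful of queries, confidence stable and high.
    for score in (0.93, 0.95, 0.94, 0.96):
        log.append(("client-A", "user-07", score))
    # Search-style probing: many queries at one identity, confidence climbing.
    for i in range(40):
        log.append(("client-B", "user-12", round(0.10 + 0.02 * i, 2)))
    # Busy but benign client: many queries, confidence flat.
    for i in range(40):
        log.append(("client-C", "user-03", 0.90 + 0.01 * (i % 3)))
    return log


def flag_probing(log, min_queries=30, min_climb=0.3):
    """Return (client, identity) pairs whose history looks like an iterative
    search: high query volume AND confidence that rises over time.
    Both thresholds are assumed values, to be tuned on real traffic."""
    history = defaultdict(list)
    for client, identity, score in log:
        history[(client, identity)].append(score)

    flagged = []
    for key, scores in history.items():
        if len(scores) < min_queries:
            continue
        # Compare the earliest quarter of queries with the latest quarter.
        quarter = len(scores) // 4
        climb = mean(scores[-quarter:]) - mean(scores[:quarter])
        if climb >= min_climb:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, identity in flag_probing(build_sample_log()):
        print(f"review: {client} is repeatedly probing identity {identity}")
```

A volume threshold alone would also flag the busy benign client; requiring the climb in confidence is what separates a search against the classifier from ordinary heavy use.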
The three-person research team works at Sintef Digital, a Norwegian independent research firm; the public Barcelona Supercomputing Center in Spain; and the nonprofit Simula Metropolitan Center for Digital Engineering in Norway.