
The Unseen Rhythm: How Your Heartbeat Can Be Stolen

What if the subtle, rhythmic pulsing of blood under your skin—the very heartbeat used to prove your identity—could be harvested from across a room? For years, cybersecurity experts viewed Photoplethysmography (PPG) as a "gold standard" for biometric security. A new technical vulnerability analysis has now shattered that long-held assumption of privacy.

Shattering the Gold Standard

Photoplethysmography (PPG) was considered uniquely secure because, unlike a fingerprint or a face, your pulse was thought to be unobservable without direct physical contact with a sensor. This new research fundamentally challenges that core premise of biometric privacy.

The Remote Attack Vector

Researchers have demonstrated a method using only high-definition (HD) video to remotely extract heart-rate morphology. This data can then be "restored" into a digital skeleton key capable of bypassing biometric scanners, meaning a camera is now all an attacker needs to impersonate a user’s internal physiology.

The AI Restoration Engine: SigR

The Generative Adversarial Network (GAN)

The research team developed a GAN model, dubbed SigR, to bridge the gap between "remote" PPG (rPPG) signals captured by video and the high-fidelity signals captured by fingertip sensors.

Attack Effectiveness

In testing, the SigR model achieved a False Acceptance Rate (FAR) of 0.61 in resting conditions.

  • This is a staggering leap from the baseline "random attack" FAR of 0.14.
  • This implies a typical three-attempt authentication protocol would likely be compromised by an attacker using this tool.
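The three-attempt claim above can be checked with a short calculation. This is an added example, not code from the paper or from this page; it assumes each attempt is an independent trial at the quoted FAR, and the function names and the 0.5 risk budget are constructed for illustration.

```python
# Per-attempt false acceptance rates quoted on this page (resting conditions).
FAR_SIGR = 0.61    # attack using the SigR-restored signal
FAR_RANDOM = 0.14  # baseline "random attack"


def compromise_probability(far: float, attempts: int) -> float:
    """P(at least one false accept within `attempts` tries).

    Assumption (not from the page): attempts are independent trials.
    """
    if not 0.0 <= far <= 1.0 or attempts < 0:
        raise ValueError("far must be in [0, 1] and attempts must be >= 0")
    return 1.0 - (1.0 - far) ** attempts


def max_attempts_within_risk(far: float, risk_budget: float) -> int:
    """Largest lockout threshold that keeps compromise probability <= risk_budget.

    Returns 0 when a single attempt already exceeds the budget, meaning that
    attempt limiting alone cannot reduce the risk to the target.
    """
    if not 0.0 < far <= 1.0:
        raise ValueError("far must be in (0, 1]")
    if not 0.0 < risk_budget < 1.0:
        raise ValueError("risk_budget must be in (0, 1)")
    allowed = 0
    while compromise_probability(far, allowed + 1) <= risk_budget:
        allowed += 1
    return allowed


if __name__ == "__main__":
    for label, far in (("SigR", FAR_SIGR), ("random", FAR_RANDOM)):
        for k in (1, 2, 3):
            p = compromise_probability(far, k)
            print(f"{label:6s} FAR={far:.2f} attempts={k} P(compromise)={p:.3f}")
    # Constructed risk budget of 0.5: how many attempts could a lockout
    # policy allow before compromise becomes more likely than not?
    print("SigR  :", max_attempts_within_risk(FAR_SIGR, 0.5))
    print("random:", max_attempts_within_risk(FAR_RANDOM, 0.5))
```

At the quoted FAR of 0.61, a single attempt already exceeds that budget, so tightening the retry limit does not by itself contain the risk.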

Overcoming Physiological Noise

The technical spoofing challenge lies in the body's "noise"—signals from video are distorted by talking or stress.

  • The team used a "mean-treatment" on restored signals to stabilize pulse morphology.
  • SigR increased correlation between remote and actual PPG signals by up to 7.7%, achieving near-perfect alignment (coefficients between 0.96 and 1.00).

The Limits of the Threat

While significant, the attack requires high-quality raw material. Its success is highly dependent on environmental factors:

  • Effectiveness plummeted with lower video quality.
  • Video at lower frame rates (20 FPS) or resolutions (640x480) is not yet a viable source for this biometric theft.
  • Your HD webcam (1024x1024 at 35 FPS) may be a liability, but lower-grade security footage currently is not.

Implications & The Path Forward

Rethinking "Unobservability"

This discovery forces the industry to reconsider the perceived privacy of our internal rhythms. The assumption that a heartbeat is an unobservable biometric trait is no longer valid.

Potential Defenses

The researchers suggest that until defensive countermeasures like skin-pixel obfuscation are "baked into" our devices, PPG-based authentication may carry this inherent, newly discovered risk.


Source: "Video is All You Need: Attacking PPG-based Biometric Authentication" by Li, L., Chen, C., Pan, L., Zhang, J., and Xiang, Y. (2022). arXiv:2203.00928v1.