The main goal of performing the experiments is to analyze if the body itself leaks information during the electro-quasistatic human body communication (EQS-HBC). As discussed earlier, capacitive EQS-HBC shows lower channel loss than the galvanic HBC over long distances in the body, and hence our experiments are with capacitive EQS-HBC. The EQS-HBC transmit device (Fig. 1) is built using off-the-shelf components, and consists of a communication module, processing module, memory, power source, and an interface with the human body. The details of the set-up and the EQS-HBC transmit device are discussed in the Methods section. An interfacing band consisting of copper electrode couples the transmitted signals into the body. The received EQS-HBC signal and the QS leakage (QSL) is then measured from other parts of the body using voltage probes or antenna as appropriate, and the probing positions are specified for individual experiments. It should be noted that in a few experiments, QS leakage is reported with direct probe contact (d = 0), which is to demonstrate the amount of leakage at the source of the leakage signal.

Time-domain correlational analysis of QS Leakage Signature

In this experiment, the goal is to examine if any QS leakage can be detected during EQS-HBC data transmission.

As shown in Fig. 2, the EQS-HBC transmit electrode is coupled to the human forearm (device arm). The transmitter (microcontroller) is excited with a pseudorandom binary sequence (PRBS) at 1 MHz, and using an oscilloscope and a telescopic antenna, the auto-correlation (\(\rho \)) between the known PRBS data sequence and the QSL signal is measured with varying distances (d) away from the body and two angles (\(\theta =0^\circ \): parallel to the antenna, \(\,\theta =90^\circ \): perpendicular to the antenna) between the device hand and the antenna, as shown in Fig. 2(a). Next, the QS leakage from the free hand is measured with varying distances between the free hand and the antenna connected to the oscilloscope (Fig. 2(b)).

Figure 2 (a–d) Time-domain Measurements of capacitive EQS-HBC Quasi-static Leakage (QSL) using Oscilloscope with the transmitter wearable device on the device arm. (a,b) Simplified experimental set-ups to measure the QS leakage from the device and free hands respectively. (c,d) Voltage Correlational analysis of the measured QS leakage for the device and free hands respectively, with varying angles (θ) and distances (d) between the antenna and the hands. The measured QS leakage from the device hand is dominated by the leakage due to the EQS-HBC transmitter, while the free hand leakage corresponds to QS leakage due to the human body (HB) alone. Full size image

Correlational analyses for the QS signals leaked during EQS-HBC from the device hand and the free hand respectively, are shown in Fig. 2(c,d). From Fig. 2(c), it can be seen that while the QS leakage from the hand with unshielded EQS-HBC device is detectable up to ~0.5 m, EQS-HBC signals contained in the free hand does not leak beyond ~0.01 m, although both the hands contain the same amount of EQS-HBC signal (Fig. 3 – green curve).

Figure 3 (a–c) EQS-HBC Signal Transmission (V EQS-HBC ) and Quasi-static Leakage (V QSL ) Signal Measurement with distance in time-domain using an oscilloscope, voltage probe, and an antenna. The transmission signal amplitude is 3.3 V. (a) EQS-HBC Received signal at different on-body locations is ~30 mV (green curve) showing a channel loss of ~40 dB which is almost independent of the distance between the transmitter and receiver. Off-body signal corresponding to each of the human body receiver locations is measured in air with very close proximity from the body (d off–body ~ 0.01 m) (black curve). This shows that the EQS-HBC occurs through the on-body signal transmission, and not through the air. (b) The EQS-HBC signal received at different locations of the body is ~30 mV (green curve). Quasi-static Leakage around the body is measured in air medium from both device hand (red curve) and free hand (blue curve) respectively. The QS leakage (QSL) measurement set-up is shown in Fig. 10. Note that for the EQS-HBC received signal measurement, distance refers to the on-body distance between the transmit device and the receiving electrode. In the case of leakage measurements here, it is the distance between the antenna and the corresponding hand for which the leakage is measured. The free hand, although contains almost the same amount of signal, leaks considerably lesser than the device hand, proving that human body alone does not leak. However, the human body aids the transmit device to leak (device hand leakage) by providing a low impedance closed path with the earth ground, which will be discussed in the next experiments. Full size image

The above observations prove that the human body itself does not leak, but the EQS-HBC transmitter is the source of the QS leakage. However, this experiment does not provide conclusive proof if the transmitter itself leaks the signals.

Time-domain Measurements of EQS-HBC Received Signal and the QS Leakage Signature

In this experiment, the goal is to check whether both the device hand and the free hand contains the same amount of signal, and also that the EQS-HBC signals are transmitted through the human body and not through the air.

The received EQS-HBC signal in different locations (varying distances) on the body is measured, as shown in Fig. 3(a) (green curve). Corresponding to each on-body location, the off-body quasi-static (QS) leakage is also measured in very close proximity (d off–body ~ 0.01 m) to that location. Figure 3(a) shows the amount of received signal for EQS-HBC is almost independent of the distance between the transmitter and the receiver, which is expected in capacitive human body communication37. The off-body signal measured in air at very close proximity corresponding to each of the receiving locations is very small compared to the on-body received signal. This clearly shows that the EQS-HBC communication is established through the body and not through the air.

This experiment (Fig. 3(b)) shows that the QS leakage from the device hand (red curve) is considerably higher than the free hand (blue curve), which is consistent with the correlational analysis from the previous experiment (Fig. 2). This is a very fascinating observation since both the hands contain almost the same amount of EQS-HBC signal (Fig. 3(a) - green curve).

Another important point to note from Fig. 3(b) is that at very small distances, although the leakage measured is high, the on-body signal measured remains same. This is because of the weak capacitive return path in case of EQS-HBC communication.

Shielded Standalone Transmitter QS Leakage

From the previous experiments, it is evident that the EQS-HBC transmitter leaks. This goal of this experiment is to investigate whether the standalone transmitter leaks by itself, that is, without the human body connected to it.

To perform this measurement, the effect of the connected wires needs to be eliminated. Hence, the transmitter is shielded using a copper-coated box forming a Faraday cage, with the shield (Sh) (refer to the circuit modeling sub-section) connected to a fixed potential. The shield thus hides the ground plane (N) of the EQS-HBC transmitter from coupling directly to the Earth ground (low coupling capacitance C gn ), thereby ensuring that the effect of QS fields emanating from the transmit device and the connected wires are eliminated. However, since the shield needs to be connected to a fixed potential, the transmitter ground (N) is connected to the shield, which now forms a capacitive path (C gsh ) with the earth ground. Without any contact with the human body, the standalone transmitter device is powered on with a 1 MHz PRBS signal, and the leakage from the device is measured using a spectrum analyzer (SA) and an antenna connected through a wideband amplifier. It should be noted that SA provides a low impedance termination (50 Ω) and hence both the EQS-HBC received power and the quasi-static (QS) leakage power measured is less. However, it provides a fair comparison for different measurement modalities and to root-cause the source of the QS leakage during EQS-HBC. We can expect that if the shielded transmitter without EQS-HBC shows high QS leakage, it can be concluded that the standalone transmitter itself leaks.

As seen from the table in Fig. 4, the unshielded standalone transmitter leaks significantly (−\(40\,dBm\)), when in close proximity to the antenna (\(d={0}^{+}\)), whereas the shielded transmitter shows negligible signal leakage (below noise floor: <−\(90\,dBm\) at \({d}_{3}={0}^{+}\)).

Figure 4 Spectrum Analyzer Measurement shows that the shielded standalone transmitter does not radiate. However, the transmitter when worn on the human body for EQS-HBC shows significant leakage (−48 dBm). Note that for the capacitive EQS-HBC, although both the device and free hands contain similar amount of signal (−54 dBm, −60 dBm respectively), the free hand shows negligible QS leakage (<−90 dBm). Full size image

The above observations confirm that the shielded standalone transmitter does not leak any QS signal.

Shielded Transmitter Leakage during EQS-HBC

The goal of this experiment is to examine whether the shielded transmitter in contact with the human body causes the quasi-static leakage during EQS-HBC data transmission.

The shielded transmitter is worn on the forearm (device arm) for EQS-HBC. Using the same set-up as in experiment 3 (Fig. 4), with the SA and the antenna, the signal level for the case of direct contact with the device hand (d 1 = 0) and the free hand (d 3 = 0) is measured respectively. It can be seen from Fig. 4 that the signal power contained as measured in the SA is −\(54\,dBm\) in the device hand and −\(60\,dBm\) in the free hand. As expected, the path loss is lower for capacitive mode, and both the hands contain similar amount of the EQS-HBC signals. As the EQS-HBC transmitter on the device hand is brought in close proximity to the antenna (d 2 = 0+), the QS leakage is significant (−\(40\,dBm\)), as seen from Fig. 4. Another fascinating observation is the fact that the signal contained in the free hand (−\(60\,dBm\)) immediately dies down (below noise floor of the SA) within a few mm, as the leakage signal power measured from the free hand at close proximity of the antenna (d 3 = 0+) is negligible (below noise floor: <−\(90\,dBm\)).

The above observations from this experiment confirm that even after shielding, the transmit device when connected to the human body causes the QS leakage.

From the above experiments, it is clear that neither the human body alone, nor the transmitter itself leaks the signals. However, the EQS-HBC transmitter (even after shielding) in contact with the human body shows leakage.

EQS-HBC Quasi-Static Leakage Field Distribution

The goal of the field distribution analysis (Fig. 5) is to explain the basis behind the observations in previous experiments for different configurations of the transmit device.

Figure 5 (a–d) QS Field distributions for different configurations of the transmitter device. (a) In mode 1, voltage drop across the signal plate of the Standalone shielded transmitter and earth ground is maximum (V S ~ V DD ) as there is no direct path from the signal plate to the earth ground. (b) In mode 2, as an attacker approaches with a probe towards the shielded transmitter, it receives negligible voltage as no current flows due to the high impedance path from signal to ground. Hence, standalone shielded transmitter does not leak. (c) In mode 3, Human body coupled to the transmitter device for EQS-HBC provides a low resistance closed path to ground; hence higher voltage received by the attacker (V QSL ) (d) Summary of the 3 modes – In absence of the human body, all the voltage drop (V S ) occurs across the signal terminal and ground and the attacker does not pick any signal (mode 2). In presence of the human body, a close-by attacker (touching the shield) can obtain a high signal. Hence, in spite of shielding, the EQS-HBC transmitter device leaks. Full size image

Figure 5(a,b) shows the electric field distributions due to the standalone transmitter device without any body contact. For mode 1, in absence of the measuring probe (no nearby attacker) and without the human body, the closed path from the small ‘Signal’ plate of the transmitter to the Earth ground is formed by a very weak coupling capacitance (C gs ). Hence the fields formed between the signal terminal and the Earth ground are very weak, and significant portion of the transmitted signal voltage drop occurs across the Signal plate and the Earth ground (\({V}_{S}\simeq {V}_{DD}\), Supply Voltage). As an attacker approaches to intercept the data being transmitted, the probe forms a low impedance path between the shield (connected to the ground terminal of the transmitter) and the Earth ground. However, the signal plate to the Earth ground still presents a high impedance path, and most of the signal still drops across C gs , i.e. \({V}_{S}\le {V}_{DD}\). Hence the attacker can only receive negligible amount of signal \(\,{V}_{QSL}\simeq 0\).

Figure 5(c) analyzes the field distributions due to the transmitter device during EQS-HBC data transmission in presence of the probe (emulating an attacker). In mode 3, the human body forms a low resistance path between the small Signal plate to the Earth ground which now allows current to flow. In this case, the attacker obtains the maximum amount of the transmitted signal \({V}_{QSL} \sim 3V\), using voltage probes and an oscilloscope with high termination impedance (\(10\,M\Omega \)).

The above analyses infer that the human body alone does not leak, and the shielded standalone transmitter device does not radiate. However interestingly, even the shielded transmitter leaks during EQS-HBC, when in contact with the human body, which is explained through the QS field theoretic viewpoint (Fig. 5(c)). This observation conclusively suggests that the human body is aiding the transmitter to leak information.

Theoretic Circuit Modelling of the EQS-HBC Leakage and Experimental Validation

The goal now is to develop a circuit model for EQS-HBC (Fig. 6(b)) to further analyze the cause of the QS leakage and to implement countermeasures for reducing the “side-channel” leakage information.

Figure 6 (a) EQS-HBC Measurement set-up with the shielded transmitter in the wrist (device arm) and (b) its corresponding circuit model. The impedances for the skin and tissue layers26 are modelled, along with the signal sources, copper electrode coupler (band) and the measurement probes, to form the complete circuit model for EQS-HBC. Note that the probe is directly connected (d = 0) to the human body to measure the signal level from the source of the leakage. The EQS-HBC received voltage is measured from the fingers of the device hand. Full size image

In the case of EQS-HBC, the signal transmission is dominantly electro-quasistatic and hence the lumped circuit approximation holds (since wavelength \(\lambda \sim \frac{3\,\ast \,{10}^{8}\,m/s}{\sqrt{8}\,\ast \,1\,MHz} \sim 105\,m\) of the transmitted signal is much greater than the length (l ~ 2 m) of the transmission channel, that is, human body). The different elements of the circuit model (Fig. 6(b)) include the signal generator source resistance (R s ), the band to skin capacitance (C band ), skin layer resistance (R skin ), skin layer capacitance (C skin ), body resistance (R body ), body to feet resistance (R feet ), feet to ground capacitance (C feet ), body to ground capacitance (C Tx-gnd , C Rx-gnd ), shield (connected to transmitter ground) to earth return path capacitance (C gsh ) and the load impedance due to the probes (Z P , Z L ) for measuring the leakage and the EQS-HBC received voltage respectively. The source impedance of the signal generator \({R}_{s}=50\,\Omega \). The band capacitance is formed due to the small air gap (d) between the transmitter electrode and the skin, which is in ~200 pF considering the electrode size of ~0.0004 m2 and \(d=0.01\,mm\). The skin layer resistance \({R}_{skin}\sim 10\,K\Omega \) and typically varies in the range of \(1\,K\Omega \,-\,100\,K\Omega \)25,26, depending on the skin moisture and other factors. The skin layer thickness is in the range of 0.1–4 mm, and considering skin area of ~0.0004 m2 near the EQS-HBC transmit device, the skin layer capacitance (C skin ) can be computed to be in the range of ~100 pF-1 nF38. The body resistance (R body )) is in the range of 100–400 \(\Omega \)25,27. The resistance of the tissue could depend on the on-body transmission distance. However, it does not affect the EQS-HBC channel loss or the measured QS leakage. The feet to ground capacitance C feet ~ 10 - 20 pF, considering a feet area of ~0.01 m2 and a feet to ground separation of 0.01 m38. The measurement probes are modelled as the load (Z P , Z L respectively) for both the QS leakage and EQS-HBC received voltage signal. In this set of experiments, the shield (Sh) is connected to the ground (N) of the transmitter device.

The QS leakage and the received EQS-HBC voltage signal are measured using an oscilloscope by putting a voltage probe on the shield (direct contact) and the device hand respectively (Fig. 6(a)). Although the shielding significantly reduces the return path capacitance between the transmitter ground and the earth ground (C g ), the shield capacitively couples to the earth’s ground through C gsh . Hence, shielding the EQS-HBC transmitter does not eliminate the unnecessary QS leakage, which has been demonstrated in previous experiments.

Figure 7(a–d) shows the oscilloscope captured waveforms with the shielded transmitter prototype, for 4 different load combinations (2 probes each having 2 impedances: \(10\,M\Omega \) and \(50\,\Omega \)), for both the QS leakage and the EQS-HBC received voltage. Note that both probes are connected for measuring the QS leakage and the received HBC voltage simultaneously. In Fig. 7(a), \({R}_{P}={R}_{L}=10\,M\Omega \), and, \({Z}_{body} < {Z}_{L}\); hence the current and voltage received by the probe is higher than the EQS-HBC current \({I}_{QSL} > {I}_{EQS-HBC}\), and \(\,{V}_{QSL} > {V}_{EQS-HBC}\). When the probe impedance (\({R}_{P}=50\,\Omega \)) is significantly lower than the load impedance for EQS-HBC (\({R}_{L}=10\,M\Omega \)), \({Z}_{P}\ll {Z}_{L}\), hence \(\,{V}_{QSL}\ll {V}_{EQS-HBC}\) (Fig. 7(b)). Similarly, when the receiver EQS-HBC load impedance (\({R}_{L}=50\,\Omega \)) is much lower than the probe impedance (\({R}_{P}=10\,M\Omega \)), \({Z}_{P}\gg {Z}_{L}\), and hence \(\,{V}_{QSL}\gg {V}_{EQS-HBC}\) (Fig. 7(c)). Finally, as seen from (Fig. 7(d)), when both \({Z}_{P}\) and \({Z}_{L}\) are low (\({Z}_{P}\gg {Z}_{L}=50\,\Omega \)), \({R}_{body}\gg {Z}_{L}\) and \({Z}_{skin}\gg {Z}_{L}\), and hence the maximum drop occurs across the skin and body impedances. So, both \({V}_{EM}\) and \({V}_{EQS-HBC}\) are very small, although \(\,{V}_{QSL}\gtrsim {V}_{EQS-HBC}\), since \({I}_{QSL} \sim {I}_{EQS-HBC}+{I}_{body}\).

Figure 7 (a–d) Measured oscilloscope signals with the EQS-HBC set-up shown in Fig. 6(a), for different termination for both the QS leakage and the EQS-HBC received voltage. (e–h) Proposed Circuit Model (Fig. 6(b)) simulation waveforms for the same set of loading constraints. The simulation results complement the actual measurements for all different conditions, proving that the model is accurate. Note that the QS signature is inverted to the actual transmitted signal. Full size image

The simulation results of our proposed EQS-HBC circuit model (Fig. 7(e–h)) closely matches the actual measurement results in terms of the voltage swing for both the received EQS-HBC signal and the EQS-HBC QS leakage with varying load conditions. This not only shows that the proposed EQS-HBC circuit model is accurate, but also confirms that the QS leakage signature is inverted. The inversion of QS leakage signature is due to the fact that the probe directly couples with the ground terminal (N) of the transmitter device, which is picked up by an attacker.

Countermeasure against the EQS-HBC transmitter QS Leakage & Experimental Validation

The goal is to develop a countermeasure against the EQS-HBC transmitter leakage. From the experiments and the developed circuit theoretic models, it is confirmed that the EQS-HBC transmitter leaks only when aided by the human body. Now, we demonstrate a technique to reduce this QS leakage.

As shown in Fig. 8(a), a high resistance (\({R}_{SN}\)) is inserted in series to de-couple the shield (Sh) from the ground terminal (N) of the transmitter. As most of the voltage signal is dropped across \(\,{R}_{SN}\), \({V}_{QSL}\) reduces significantly, as seen from Fig. 8(b). However, the EQS-HBC received voltage (\({V}_{EQS-HBC}\)) also reduces as the current in the return path gets reduced.

Figure 8 (a,b) Countermeasure against EQS-HBC leakage. (a) A high resistance (R SN ) de-couples the transmitter ground plane and the shield. (b) EM (V QSL ) and EQS-HBC voltage (V EQS–HBC ) levels are measured against different values of R SN . As R SN is increased, both V QSL and V EQS–HBC reduces. Beyond a certain value of R SN , the EQS-HBC received signal gets reduced and can no longer be decoded. Hence, there exists an optimum between the area of the shield connected with transmitter ground through R SN , and the remaining area that connects to the transmitter ground directly, so as to minimize the EM leakage while maintaining reliable EQS-HBC. Full size image

When the resistance \({R}_{SN}=0\) (without the countermeasure - Fig. 6(a)), with both QS and EQS-HBC probes connected at the shield and the fingers of the device hand respectively, the received EQS-HBC voltage (\({V}_{EQS-HBC}\)) is \(300\,mV\), while the signal from the source of the QS leakage (probe directly connected to the transmitter shield: \(\,d\,=\,0\)) is \({V}_{QSL} \sim 3\,V\) (Fig. 8(b)). With the probe disconnected, the EQS-HBC received signal level is ~\(30\,mV\), which can be reliably decoded in the EQS-HBC receiver device. When the probe is not in direct contact to the transmitter shield but is in close proximity (\(d\,=\,{0}^{+}\)), the amount of QS leakage signal received is ~\(170\,mV\). As the series resistance (\({R}_{SN}\)) is inserted and increased, both \({V}_{QSL}\) and \({V}_{EQS-HBC}\) gets reduced, and beyond \({R}_{SN}=3\,M\Omega \), \({V}_{EQS-HBC}\) goes below 10 mV, and the accurate detection becomes significantly harder for the EQS-HBC receiver.

Hence, connecting the entire shield with a high resistance to ground is not a judicious solution as it can impede EQS-HBC. Also, having the shield fully connected to the ground potential of the transmitter leaks QS signals, which may be intercepted by an almost-touching adversary.

The above observations infer that there exists an optimization between the size of the shield plane that can be directly connected to the transmitter ground, and rest of the shield plane connected to the ground plane through the high resistance R SN . Depending on the application and device form factor, the optimum shield sizes, pattern and ground plane size can be customized based on the fundamental understanding and models developed in this work.

Privacy Space Comparison: EQS-HBC vs. WBAN

To substantiate the security benefits of EQS-HBC over the traditional WBAN, a private-space comparison is necessary. In a WBAN, signals are radiated wirelessly through free space, and even considering a very low transmission power of −\(40\,dBm\) and the free space path loss (FSPL) varying with the cube of the transmit distance (\({d}^{3}\)), a known data sequence can be detected using auto-correlation based techniques over a distance of 8 m, as shown in Fig. 9(a). In the case of EQS-HBC, the QS leakage for a known data sequence can be detected up to a distance of 0.25 m, which is practically very close to physical contact with the person. Although auto-correlation serves for a fair comparison, it is an exaggerated attack model, since it only holds good for a known bit sequence.

Figure 9 Private Space Comparison for EQS-HBC vs. WBAN. Correlational and BER analysis of the leaked “side-channel” EM signals to determine the range till which an attacker can intercept the transmitted data. EQS-HBC provides >30× improvement in private space over traditional WBANs. The distance is defined from the device hand. Note that the EQS-HBC transmit device signal amplitude is 3.3 V, while the WBAN signal transmission power is −40 dBm. For WBAN, a 2.4 GHz carrier frequency with 1 MHz data rate, and a 6 dB noise figure for the wireless receiver was considered for the analysis. Note that increase in transmit power (>−40 dBm) in the case of WBAN or considering more idealistic loss exponent (d2) will only increase the range (>5 m) for WBAN signals in which it can be snooped by an attacker, making an even stronger case for EQS-HBC advantage over WBAN in terms of physical security/privacy. Full size image

Bit Error Rate (BER) analysis (Fig. 9(b)) is a more practical approach that works for any pseudo-random bit sequence (PRBS). For a BER of <0.2 (at most 1 out of 5 bits are incorrect for a long sequence), WBAN signals can be detected up to 5 m in space, whereas EQS-HBC signals can be detected only up to 0.15 m, enabling >30× improvement in private space compared to WBAN. Hence, EQS-HBC provides inherent data privacy and can enable steganographic covert communication.