THaW: Trustworthy Health and Wellness (2013-2020)

Related website: []

Related projects: [Amanuensis], [Amulet], [Auracle], [SIMBA], [TISH]

Related keywords: [authentication], [education], [iot], [mhealth], [patent], [privacy], [security], [sensors], [survey], [wearable], [wifi]


In the Trustworthy Health and Wellness (THaW) project, which was a broad project involving multiple universities, my group was focused mostly wearable and portable devices for use in health monitoring and management, with an emphasis on the security and privacy issues that arise with these devices and their apps. We considered wearable, mobile, or home-based technologies being used by patients or clinical staff, and addressed issues of data integrity and authenticity, person identification and authentication, and usability.

What follows is a summary of THaW research by David Kotz and his students and postdocs. For more information about the THaW project, and a broader description of its contributions and publications (not just those including David Kotz and his students), see the THaW website and the annotated bibliography of all THaW work (through 2020) at [landwehr:thaw-tr].

Many of these ideas have patents that are available for license from Dartmouth [pierson:wanda-patent, pierson:wanda-patent2, pierson:snap-patent, pierson:closetalker-patent, pierson:closetalker-patent2, liang:lighttouch-patent] or from EMC [molina-markham:patent9961547].

Secure introductions: Wanda, SNAP, CloseTalker

Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. Tim Pierson's PhD thesis focused on simple and secure means for a person to introduce two Wi-Fi devices, and to securely transfer information between them, resulting in systems called Wanda, SNAP, and CloseTalker. [pierson:thesis]. Each is described below.

Wanda is a 'magic wand' that accomplishes all three of the above goals; we developed and evaluated a prototype implementation [pierson:wanda-demo, pierson:wanda, pierson:wanda-tr]. pierson:wanda-patent, pierson:wanda-patent2, pierson:thesis].

SNAP -- SiNgle Antenna Proximity -- allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our technique leverages the repeating nature Wi-Fi's preamble and the behavior of a signal in a transmitting antenna's near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm. [pierson:snap, pierson:snap-poster, pierson:snap-patent, pierson:s3, pierson:thesis].

CloseTalker allows simple, secure, ad hoc communication between devices in close physical proximity, while jamming the signal so it is unintelligible to any receivers more than a few centimeters away. CloseTalker exploits Wi-Fi MIMO antennas and the fundamental physics of radio to establish secure communication between devices that have never previously met. We demonstrate that CloseTalker is able to facilitate secure in-band communication between devices in close physical proximity (about 5 cm), even though they have never met nor shared a key [pierson:closetalker, pierson:closetalker-patent, pierson:closetalker-patent2, pierson:thesis].

Secure introductions: VibeRing

In another approach for secure introductions, VibeRing automatically and transparently shares a secret between a user and a handheld smart device. VibeRing uses an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9% messages successfully [sen:vibering-poster, sen:vibering, sen:vibering-j].

Secure introductions: LightTouch

In another approach for secure introductions, LightTouch uses standard RF methods (like Bluetooth) for communicating the data to display, securely bootstrapped with a key shared via a brightness channel between the low cost, low power, ambient light sensor of a wearable and the screen of the display. A screen touch gesture is adopted by users to ensure the modulation of screen brightness can be accurately and securely captured by the ambient light sensor. Wireless coordination with the processor driving the display establishes a shared secret based on the brightness channel information. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments we demonstrate that LightTouch is compatible with current display and wearable designs, easy-to-use (5-6 seconds), reliable for connecting multiple displays in various ambient light conditions (98% success connection ratio), and secure against impersonation attacks [liang:lighttouch-patent, liang:jlighttouch, liang:lighttouch, liang:healthtech14.


BASTION-SGX presents work towards realizing architectural support for Bluetooth Trusted I/O on SGX-enabled platforms, with the goal of providing I/O data protection that does not rely on system software security. The paper describes our proof-of-concept work that extends existing over-the-air Bluetooth security all the way to an SGX enclave by securing user data between the Bluetooth Controller and an SGX enclave [peters:bastionsgx, peters:thesis].

VIA presents a method for detecting anomalous behavior in Bluetooth traffic, as observed by the central host -- with the goal of detecting malicious behavior by peripheral devices, or perhaps imposter peripherals that are spoofing legitimate peripherals; see Chapter 4 in Travis Peters' thesis [peters:thesis] and a WiSec'21 paper derived from that chapter [peters:via].

Authentication: CSAW

Seamless Authentication using Wristbands (SAW) is an authentication method for desktop computers that addresses the lack of 'intentionality' in prior proximity-based methods. In SAW, a user wears a wristband that acts as the user's identity token; to authenticate to a desktop, the user provides a low-effort input by tapping a key on the keyboard multiple times or wiggling the mouse with the wristband hand. This input to the desktop conveys that someone wishes to log in to the desktop, and SAW verifies the user who wishes to log in by confirming the user's proximity and correlating the received keyboard or mouse inputs with the user's wrist movement, as measured by the wristband [mare:saw, mare:thesis]. These ideas are patented and are available for license from Dartmouth [mare:saw-patent].

We then extended SAW to CSAW: Continuous Smartphone Authentication using Wristbands. In CSAW, users wear a wristband (a smartwatch or a fitness band) with built-in motion sensors, and by comparing the wristband's motion with the phone's motion, CSAW continuously produces a score indicating its confidence that the person holding (and using) the phone is the person wearing the wristband. This score provides the foundation for a wide range of authentication decisions (e.g., unlocking phone, deauthentication, or limiting phone access). CSAW was able to conduct initial authentication with over 99% accuracy and continuous authentication with over 96.5% accuracy [mare:csaw19, molina-markham:patent9961547, mare:thesis].

We also explored a ring-based alternative to SAW. In AuthoRing an eligible desktop-computer user wears a digital ring with accelerometers and wireless communication capability. When input is detected at the mouse or keyboard, the computer's AuthoRing system correlates hand-motion data received from the ring with the input data from the computer's window manager, and detects imposter attacks when these data are insufficiently correlated. We implemented the AuthoRing system and evaluated its security, efficiency, and usability; we found that imposter attacks can be effectively detected and the required operations happen quickly with negligible delays experienced by the user [liang:wearsys17].

Finally, related to CSAW, we also explored methods for continuous smartphone authentication based on the user's patterns of use of that smartphone [wang:auth].

Authentication: Vocal Resonance

For many wearable devices, it is critical to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. We proposed the use of vocal resonance, that is, the sound of the person's voice as it travels through the person's body -- a method we anticipate would be suitable for devices worn on the head, neck, or chest. In this regard, we go well beyond the simple challenge of speaker recognition: we want to know who is wearing the device. Our DNN method achieved balanced accuracy 0.914 for identification and 0.961 for verification by using an LSTM-based deep-learning model, while our efficient GMM method achieved balanced accuracy 0.875 for identification and 0.942 for verification [liu:vocalresonance, liu:mobisys17, liu:wearsys17].

Close encounters and contact tracing: SPICE, ENACT

We developed SPICE, a crowdsourcing system that extends the capabilities of location-based applications and allows users to connect and exchange information with users in spatial and temporal proximity. We define this incident of spatio-temporal proximity as a close encounter. Typically, location-based application users store their information on a server, and trust the server to provide access only to authorized users, not misuse the data or disclose their location history. Our system, called SPICE, addresses these privacy issues by leveraging Wi-Fi access points to connect users and encrypt their information before it is exchanged, so only users in close encounters have access to the information. We present the design of the system and describe the challenges in implementing the protocol in a real-world application [prasad:spice, prasad:thesis].

In ENACT we explore the concept of close encounters in the context of privacy-preserving contact tracing, in which a person infected with a contagious disease could alert others to whom they may have spread the virus. We designed a smartphone-based system that allows people infected with a contagious virus to send alerts to other users who may have been exposed to the same virus due to a close encounter. We addressed three challenges: finding devices in close encounters with minimal changes to existing infrastructure, ensuring authenticity of alerts, and protecting privacy of all users [prasad:enact, prasad:thesis].

Privacy-preserving data sharing

Mobile devices allow people to collect and share health and health-related information with recipients such as health providers, family and friends, employers and insurance companies, to obtain health, emotional or financial benefits. People may consider certain health information sensitive and prefer to disclose only what is necessary. This dissertation presents our findings about factors that affect people's sharing behavior, describes scenarios in which people may wish to collect and share their personal health-related information with others, and proposes frameworks to provide the desired privacy controls. It also expands on SPICE and ENACT (described above). Finally, it includes an evaluation of how Bluetooth beacons and Wi-Fi access points could be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on Dartmouth campus. [prasad:thesis, prasad:mobisys-poster].

In related work in the Amulet project, we explored the use of attribute-based access control and hash-chaining techniques to allow privacy-preserving data sharing... allowing the mHealth data subject to decide with whom, and when, their mHealth data will be shared [greene:sharehealth, greene:thesis]. This cloud-based data-sharing platform was meant to receive data securely from mHealth devices, and we developed an efficient crypographic protocol for mHealth devices to communicate through a smartphone and into the cloud [harmon:thesis].

In related work in the Amanuensis project, we expanded on that idea to support end-to-end data provenance, allowing data from mHealth devices to be secured at the source (the mHealth device), into cloud storage, through data-processing steps that may aggregate or transform the data, and limit access to authorized parties... wherein those data 'consumers' can validate the provenance of the resulting information through blockchain and trusted-hardware mechanisms [hardin:thesis].

Agenda/challenge papers

As part of our THaW research we took four opportunities to convey a broader sense of the state of the art, and the challenges ahead, in security and privacy for mobile health, healthcare information systems, cloud technology, and the emerging Internet of Things [kotz:agenda, kotz:frontiers, reza:nocloud, kotz:safethings].


In a THaW team effort we developed an educational module in which high-school students were introduced to mHealth, security, privacy, and computing careers, through a short hands-on experience with FitBit exercise trackers. [carrigan:fitbit].


The following people were co-authors on one or more of the papers cited here: José Camacho, Joseph Carrigan, Cory Cornelius, Kevin Fu, Carl Gunter, David Kotz, Santosh Kumar, Reshma Lal, Carl Landwehr, Xiaohui Liang, Rui Liu, Shrirang Mare, Varun Mishra, Andrés Molina-Markham, Pradeep Pappachan, Travis Peters, Ron Peterson, Timothy Pierson, Aarathi Prasad, Reza Rawassizadeh, Avi Rubin, Sougata Sen, Srikanth Varadarajan, Bingyue Wang, Jonathan Weiner, and Tianlong Yun.

Funding and acknowledgements

NSF Secure and Trustworthy Computing (SaTC) award 1329686. Some sub-projects had additional sources of funding, noted in the respective papers.

The views and conclusions contained on this site and in its documents are those of the authors and should not be interpreted as necessarily representing the official position or policies, either expressed or implied, of the sponsor(s). Any mention of specific companies or products does not imply any endorsement by the authors or by the sponsor(s).

Papers (tagged 'thaw')

This list includes only those including David Kotz as co-author or thesis advisor. For a complete list of THaW papers, see the THaW website.

[The list below is also available in BibTeX]

Papers are listed in reverse-chronological order. Follow updates with RSS.


[Kotz research]