Skip to content

QIF-T0084

high

Remote photoplethysmography (camera-based pulse and blood oxygen extraction)

Tier 3 — Demonstrated (Lab-proven)

Legacy status: DEMONSTRATED

Standard RGB webcams and phone cameras can detect the subtle skin color changes caused by blood volume pulses beneath the skin surface. Each heartbeat modulates hemoglobin concentration in facial capillaries, creating sub-pixel intensity variations in the green channel (540nm peak absorption of hemoglobin). Modern deep learning models (DeepPhys, EfficientPhys) extract heart rate, heart rate variability, breathing rate, and blood oxygen saturation from webcam video with near-clinical accuracy — even through video compression artifacts on Zoom/Teams calls. Attack scenario: any app with camera access (video call, face filter, AR app) silently extracts physiological data. The user consents to video, not to vital sign monitoring. This technique has been demonstrated at distances up to 3m with consumer cameras and works under variable ambient lighting conditions.

Technique Details

Tactic
QIF-S.HV
Status
DEMONSTRATED
Bands
S1, S2, S3

Therapeutic Application

RGB camera captures sub-pixel skin color variations from cardiac blood volume pulses; deep learning extracts heart rate, HRV, respiratory rate, and SpO2 from video

Clinical Analog

Contactless vital sign monitoring for telemedicine and patient screening

Treats

  • remote patient monitoring (telemedicine vitals)
  • neonatal heart rate monitoring (non-contact)
  • mental health stress screening (HRV analysis)
  • pain assessment (autonomic response detection)

Neural Impact

3 of 7 neural bands affected

S1 S2 S3

Drag to rotate. Click a region to learn more.

Click or hover over a glowing region to see the attack techniques targeting it and their severity.

Scoring

NISS v1.1 NISS:1.1/BI:N/CR:N/CD:N/CV:E/RV:F/NP:N
CVSS v4.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
1.4Low
BICRCDCVRVNP
 

Governance

Neurorights at Risk

This technique threatens 2 of the 4 proposed neurorights (Ienca & Andorno, 2017).

MP Mental Privacy DI DI
Consent Complexity
0.48 / 4.0

FDORA §3305 Compliance

Cyber Device
Regulatory Coverage
0.5 / 1.0
524B Requirements
TM VA SA PM
Regulatory Gaps
  • ! CVSS partially captures risk; neural dimensions missing
  • ! No FDA pathway for consumer sensor exploitation

Population Vulnerability

CRB vulnerability adjustment (γ=0.30) accounts for age, diagnosis severity, consent capacity, and device dependency.

Population NISS Base Adjusted Severity Delta
Adult (Default) 1.4 1.4 Low -
Child (10yr) + ADHD 1.4 1.6 Low +0.25
Adult with ALS 1.4 1.6 Low +0.23

Validation Status

Theoretical / Not yet validated. This technique has not been independently tested. See the validation dashboard for what has been tested.

Qinnovate Neural Security Atlas Edit this on GitHub