Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
194 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
46 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

A Signal Injection Attack Against Zero Involvement Pairing and Authentication for the Internet of Things (2403.14018v1)

Published 20 Mar 2024 in cs.CR

Abstract: Zero Involvement Pairing and Authentication (ZIPA) is a promising technique for autoprovisioning large networks of Internet-of-Things (IoT) devices. In this work, we present the first successful signal injection attack on a ZIPA system. Most existing ZIPA systems assume there is a negligible amount of influence from the unsecured outside space on the secured inside space. In reality, environmental signals do leak from adjacent unsecured spaces and influence the environment of the secured space. Our attack takes advantage of this fact to perform a signal injection attack on the popular Schurmann & Sigg algorithm. The keys generated by the adversary with a signal injection attack at 95 dBA is within the standard error of the legitimate device.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (27)
  1. Hw-j355 soundbar with subwoofer. https://www.samsung.com/us/televisions-home-theater/home-theater/sound-bars/hw-j355-soundbar-w-subwoofer-hw-j355-za/. Accessed: 2023-09-8.
  2. Solocast - usb gaming microphone. https://hyperx.com/products/hyperx-solocast-usb-microphone?variant=41031679312029. Accessed: 2022-06-14.
  3. Anomaly detection: A survey. ACM Comput. Surv., 41(3), jul 2009.
  4. Angelo Farina. Simultaneous measurement of impulse response and distortion with a swept-sine technique. In Audio engineering society convention 108. Audio Engineering Society, 2000.
  5. Security analysis of emerging smart home applications. In 2016 IEEE Symposium on Security and Privacy (SP), pages 636–654, 2016.
  6. A large-scale study of web password habits. In Proceedings of the 16th International Conference on World Wide Web, WWW ’07, page 657–666, New York, NY, USA, 2007. Association for Computing Machinery.
  7. Survey and systematization of secure device pairing. IEEE Communications Surveys & Tutorials, 20(1):517–550, 2018.
  8. Sound-proof: Usable two-factor authentication based on ambient sound. In 24th USENIX Security Symposium (USENIX Security 15), pages 483–498, Washington, D.C., August 2015. USENIX Association.
  9. Caveat eptor: A comparative study of secure device pairing methods. In 2009 IEEE International Conference on Pervasive Computing and Communications, pages 1–10, 2009.
  10. Voltkey: Continuous secret key generation based on power line noise for zero-involvement pairing and authentication. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol., 3(3), sep 2019.
  11. Ivpair: Context-based fast intra-vehicle device pairing for secure wireless connectivity. In Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’20, page 25–30, New York, NY, USA, 2020. Association for Computing Machinery.
  12. Aerokey: Using ambient electromagnetic radiation for secure and usable wireless device authentication. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol., 6(1), mar 2022.
  13. H2b: Heartbeat-based secret key generation using piezo vibration sensors. In Proceedings of the International Conference on Information Processing in Sensor Networks, IPSN ’19, pages 265–276, 2019.
  14. Suhas Mathur et al. Proximate: Proximity-based secure pairing using ambient wireless signals. In ACM MobiSys ’11, 2011.
  15. Context-based zero-interaction pairing and key evolution for advanced personal devices. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, page 880–891, New York, NY, USA, 2014. Association for Computing Machinery.
  16. Markus Miettinen et al. Context-based zero-interaction pairing and key evolution for advanced personal devices. In ACM CCS ’14, 2014.
  17. Using ambient audio in secure mobile phone communication. In 2012 IEEE International Conference on Pervasive Computing and Communications Workshops, pages 431–434, 2012.
  18. On the features and challenges of security and privacy in distributed internet of things. Comput. Netw., 57(10):2266–2279, jul 2013.
  19. Heart-to-heart (h2h): authentication for implanted medical devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, CCS ’13, pages 1099–1112, New York, NY, USA, 2013. ACM.
  20. Nitesh Saxena et al. Secure device pairing based on a visual channel (short paper). In IEEE S&P ’06, 2006.
  21. Secure communication based on ambient audio. IEEE Transactions on Mobile Computing, 12(2):358–370, Feb 2013.
  22. The sounds of the phones: Dangers of zero-effort second factor login based on ambient audio. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, page 908–919, New York, NY, USA, 2016. Association for Computing Machinery.
  23. Karim Toubba. Notice of recent security incident. LastPass Blog, 2022.
  24. Recommendation for the entropy sources used for random bit generation. NIST Special Publication, 800(90B):102, 2018.
  25. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, page 176–186, New York, NY, USA, 2010. Association for Computing Machinery.
  26. Discovering and understanding the security hazards in the interactions between IoT devices, mobile apps, and clouds on smart home platforms. In 28th USENIX Security Symposium (USENIX Security 19), pages 1133–1150, Santa Clara, CA, August 2019. USENIX Association.
  27. Do password managers nudge secure (random) passwords? In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), pages 581–597, Boston, MA, August 2022. USENIX Association.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now