skip to main content

Explore Research Products in the NSF-PAR

Title: Do You Feel What I Hear? Enabling Autonomous IoT Device Pairing Using Different Sensor Types
Context-based pairing solutions increase the usability of IoT device pairing by eliminating any human involvement in the pairing process. This is possible by utilizing on-board sensors (with same sensing modalities) to capture a common physical context (e.g., ambient sound via each device’s microphone). However, in a smart home scenario, it is impractical to assume that all devices will share a common sensing modality. For example, a motion detector is only equipped with an infrared sensor while Amazon Echo only has microphones. In this paper, we develop a new context-based pairing mechanism called Perceptio that uses time as the common factor across differing sensor types. By focusing on the event timing, rather than the specific event sensor data, Perceptio creates event fingerprints that can be matched across a variety of IoT devices. We propose Perceptio based on the idea that devices co-located within a physically secure boundary (e.g., single family house) can observe more events in common over time, as opposed to devices outside. Devices make use of the observed contextual information to provide entropy for Perceptio’s pairing protocol. We design and implement Perceptio, and evaluate its effectiveness as an autonomous secure pairing solution. Our implementation demonstrates the ability to sufficiently distinguish between legitimate devices (placed within the boundary) and attacker devices (placed outside) by imposing a threshold on fingerprint similarity. Perceptio demonstrates an average fingerprint similarity of 94.9% between legitimate devices while even a hypothetical impossibly well-performing attacker yields only 68.9% between itself and a valid device.  more » « less
Award ID(s):
1645759
NSF-PAR ID:
10082721
Author(s) / Creator(s):
; ; ; ; ; ; ;
Date Published:
Journal Name:
39th IEEE Symposium on Security and Privacy (Oakland 2018)
Page Range / eLocation ID:
836 - 852
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ( , Workshop on Automotive and Autonomous Vehicle Security (AutoSec) 2022)
    With the advent of the in-vehicle infotainment (IVI) systems (e.g., Android Automotive) and other portable devices (e.g., smartphones) that may be brought into a vehicle, it becomes crucial to establish a secure channel between the vehicle and an in-vehicle device or between two in-vehicle devices. Traditional pairing schemes are tedious, as they require user interaction (e.g., manually typing in a passcode or bringing the two devices close to each other). Modern vehicles, together with smartphones and many emerging Internet-of-things (IoT) devices (e.g., dashcam) are often equipped with built-in Global Positioning System (GPS) receivers. In this paper, we propose a GPS-based Key estab- lishment technique, called GPSKey, by leveraging the inherent randomness of vehicle movement. Specifically, vehicle movement changes with road ground conditions, traffic situations, and pedal operations. It thus may have rich randomness. Meanwhile, two in- vehicle GPS receivers can observe the same vehicle movement and exploit it for key establishment without requiring user interaction. We implement a prototype of GPSKey on top of off-the-shelf devices. Experimental results show that legitimate devices in the same vehicle require 1.18-minute of driving on average to establish a 128-bit key. Meanwhile, the attacker who follows or leads the victim’s vehicle is unable to infer the key. 
    more » « less
  2. ; ; ; ; ; ; ( , 19th Intl Workshop on Mobile Computing Systems and Applications (HotMobile))
    Easily establishing pairing between Internet-of-Things (IoT) devices is important for fast deployment in many smart home scenarios. Traditional pairing methods, including passkey, QR code, and RFID, often require specific user interfaces, surface’s shape/material, or additional tags/readers. The growing number of low-resource IoT devices without an interface may not meet these requirements, which makes their pairing a challenge. On the other hand, these devices often already have sensors embedded for sensing tasks, such as inertial sensors. These sensors can be used for limited user interaction with the devices, but are not suitable for pairing on their own. In this paper, we present UniverSense, an alternative pairing method between low-resource IoT devices with an inertial sensor and a more powerful networked device equipped with a camera. To establish pairing between them, the user moves the low-resource IoT device in front of the camera. Both the camera and the on-device sensors capture the physical motion of the low-resource device. UniverSense converts these signals into a common state-space to generate fingerprints for pairing. We conduct real-world experiments to evaluate UniverSense and it achieves an F1 score of 99.9% in experiments carried out by five participants. 
    more » « less
  3. ; ; ( , International Conference on Network of the Future (NoF))
    The security of Internet-of-Things (IoT) devices in the residential environment is important due to their widespread presence in homes and their sensing and actuation capabilities. However, securing IoT devices is challenging due to their varied designs, deployment longevity, multiple manufacturers, and potentially limited availability of long-term firmware updates. Attackers have exploited this complexity by specifically targeting IoT devices, with some recent high-profile cases affecting millions of devices. In this work, we explore access control mechanisms that tightly constrain access to devices at the residential router, with the goal of precluding access that is inconsistent with legitimate users' goals. Since many residential IoT devices are controlled via applications on smartphones, we combine application sensors on phones with sensors at residential routers to analyze workflows. We construct stateful filters at residential routers that can require user actions within a registered smartphone to enable network access to an IoT device. In doing so, we constrain network packets only to those that are consistent with the user's actions. In our experiments, we successfully identified 100% of malicious traffic while correctly allowing more than 98% of legitimate network traffic. The approach works across device types and manufacturers with straightforward API and state machine construction for each new device workflow. 
    more » « less
  4. ; ; ( , IEEE Conference on Communications and Network Security (CNS))
    Low-cost and easily obtained Global Navigation Satellite System (e.g., GPS) receivers are broadly embedded into various devices for providing location information. In this work, we develop a secret key establishment by utilizing the driving data obtained from GPS. Those data may exhibit randomness as the driver may alternatively step on the accelerator and brake pedals from time to time with varying force in order to adapt to the road traffic during driving. A driving vehicle provides a physically secure boundary as the devices co-located within the vehicle can observe common GPS data, as opposed to devices that do not experience the trip. We implement this key establishment in a real-world environment on top of off-the-shelf GPS-equipped devices as well as widely deployed GPS modules each connected with Raspberry Pi. Extensive experimental results show that when a user drives around 1.36 km for 1.32 minutes on average under moderate traffic conditions, two legitimate GPS-equipped devices in the vehicle can successfully establish a 128-bit secret key. Meanwhile, an attacker following the target vehicle is unable to establish a secret key with the legitimate devices. 
    more » « less
  5. ; ; ( , Proc. 16th ACM/IEEE Int'l Conference on Information Processing in Sensor Networks (IPSN'17))
    Despite the advent of numerous Internet-of-Things (IoT) applications, recent research demonstrates potential side-channel vulnerabilities exploiting sensors which are used for event and environment monitoring. In this paper, we propose a new side-channel attack, where a network of distributed non-acoustic sensors can be exploited by an attacker to launch an eavesdropping attack by reconstructing intelligible speech signals. Specifically, we present PitchIn to demonstrate the feasibility of speech reconstruction from non-acoustic sensor data collected offline across networked devices. Unlike speech reconstruction which requires a high sampling frequency (e.g., > 5 KHz), typical applications using non-acoustic sensors do not rely on richly sampled data, presenting a challenge to the speech reconstruction attack. Hence, PitchIn leverages a distributed form of Time Interleaved Analog-Digital-Conversion (TIADC) to approximate a high sampling frequency, while maintaining low per-node sampling frequency. We demonstrate how distributed TI-ADC can be used to achieve intelligibility by processing an interleaved signal composed of different sensors across networked devices. We implement PitchIn and evaluate reconstructed speech signal intelligibility via user studies. PitchIn has word recognition accuracy as high as 79%. Though some additional work is required to improve accuracy, our results suggest that eavesdropping using a fusion of non-acoustic sensors is a real and practical threat. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email