-
FastZIP: Faster and More Secure Zero-Interaction Pairing
Authors:
Mikhail Fomichev,
Julia Hesse,
Lars Almon,
Timm Lippert,
Jun Han,
Matthias Hollick
Abstract:
With the advent of the Internet of Things (IoT), establishing a secure channel between smart devices becomes crucial. Recent research proposes zero-interaction pairing (ZIP), which enables pairing without user assistance by utilizing devices' physical context (e.g., ambient audio) to obtain a shared secret key. The state-of-the-art ZIP schemes suffer from three limitations: (1) prolonged pairing t…
▽ More
With the advent of the Internet of Things (IoT), establishing a secure channel between smart devices becomes crucial. Recent research proposes zero-interaction pairing (ZIP), which enables pairing without user assistance by utilizing devices' physical context (e.g., ambient audio) to obtain a shared secret key. The state-of-the-art ZIP schemes suffer from three limitations: (1) prolonged pairing time (i.e., minutes or hours), (2) vulnerability to brute-force offline attacks on a shared key, and (3) susceptibility to attacks caused by predictable context (e.g., replay attack) because they rely on limited entropy of physical context to protect a shared key. We address these limitations, proposing FastZIP, a novel ZIP scheme that significantly reduces pairing time while preventing offline and predictable context attacks. In particular, we adapt a recently introduced Fuzzy Password-Authenticated Key Exchange (fPAKE) protocol and utilize sensor fusion, maximizing their advantages. We instantiate FastZIP for intra-car device pairing to demonstrate its feasibility and show how the design of FastZIP can be adapted to other ZIP use cases. We implement FastZIP and evaluate it by driving four cars for a total of 800 km. We achieve up to three times shorter pairing time compared to the state-of-the-art ZIP schemes while assuring robust security with adversarial error rates below 0.5%.
△ Less
Submitted 23 February, 2022; v1 submitted 9 June, 2021;
originally announced June 2021.
-
ChirpOTLE: A Framework for Practical LoRaWAN Security Evaluation
Authors:
Frank Hessel,
Lars Almon,
Flor Álvarez
Abstract:
Low-power wide-area networks (LPWANs) are becoming an integral part of the Internet of Things. As a consequence, businesses, administration, and, subsequently, society itself depend on the reliability and availability of these communication networks. Released in 2015, LoRaWAN gained popularity and attracted the focus of security research, revealing a number of vulnerabilities. This lead to the rev…
▽ More
Low-power wide-area networks (LPWANs) are becoming an integral part of the Internet of Things. As a consequence, businesses, administration, and, subsequently, society itself depend on the reliability and availability of these communication networks. Released in 2015, LoRaWAN gained popularity and attracted the focus of security research, revealing a number of vulnerabilities. This lead to the revised LoRaWAN 1.1 specification in late 2017. Most of previous work focused on simulation and theoretical approaches. Interoperability and the variety of implementations complicate the risk assessment for a specific LoRaWAN network. In this paper, we address these issues by introducing ChirpOTLE, a LoRa and LoRaWAN security evaluation framework suitable for rapid iteration and testing of attacks in testbeds and assessing the security of real-world networks.We demonstrate the potential of our framework by verifying the applicability of a novel denial-of-service attack targeting the adaptive data rate mechanism in a testbed using common off-the-shelf hardware. Furthermore, we show the feasibility of the Class B beacon spoofing attack, which has not been demonstrated in practice before.
△ Less
Submitted 23 May, 2020;
originally announced May 2020.
-
Bluemergency: Mediating Post-disaster Communication Systems using the Internet of Things and Bluetooth Mesh
Authors:
Flor Álvarez,
Lars Almon,
Hauke Radtki,
Matthias Hollick
Abstract:
Mobile devices have shown to be very useful during and post disaster. If the communication infrastructure breaks down, however, they become almost useless as most services rely on Internet connectivity. Building post-disaster networks based purely on smartphones remains a challenging task, and, as of today, no practical solutions exist. The rapidly growing Internet of Things (IoT) offers the possi…
▽ More
Mobile devices have shown to be very useful during and post disaster. If the communication infrastructure breaks down, however, they become almost useless as most services rely on Internet connectivity. Building post-disaster networks based purely on smartphones remains a challenging task, and, as of today, no practical solutions exist. The rapidly growing Internet of Things (IoT) offers the possibility to improve this situation. With an increase in smart spaces such as smart homes and smart offices, we move towards digital cities that are deeply penetrated by IoT technology. Many IoT devices are battery powered and can aid in mediating an emergency network. In scenarios where the electrical grid is still operational, yet communication infrastructure failed, non-battery powered IoT devices can similarly help to relief congestion or build a backup network in case of cyber attacks. With the recent release of the Bluetooth Mesh standard, a common interface between mobile devices and the IoT has become available. The key idea behind this standard is to allow existing and new devices to build large-scale multi-hop sensor networks. By enabling hundreds of devices to communicate with each other, Bluetooth Mesh (BT MESH) becomes a practical technical solution for enabling communication post disaster. In this paper, we propose a novel emergency network concept that utilises the parts of digital cities that remains operational in case of disaster, thus mediating large-scale post-disaster device-to-device communication. Since the Bluetooth Mesh standard is backwards compatible to Bluetooth 4.0, most of todays mobile devices can join such a network. No special hardware or software modifications are necessary, especially no jail-breaking of the smartphones.
△ Less
Submitted 10 September, 2019;
originally announced September 2019.
-
Perils of Zero-Interaction Security in the Internet of Things
Authors:
Mikhail Fomichev,
Max Maass,
Lars Almon,
Alejandro Molina,
Matthias Hollick
Abstract:
The Internet of Things (IoT) demands authentication systems which can provide both security and usability. Recent research utilizes the rich sensing capabilities of smart devices to build security schemes operating without human interaction, such as zero-interaction pairing (ZIP) and zero-interaction authentication (ZIA). Prior work proposed a number of ZIP and ZIA schemes and reported promising r…
▽ More
The Internet of Things (IoT) demands authentication systems which can provide both security and usability. Recent research utilizes the rich sensing capabilities of smart devices to build security schemes operating without human interaction, such as zero-interaction pairing (ZIP) and zero-interaction authentication (ZIA). Prior work proposed a number of ZIP and ZIA schemes and reported promising results. However, those schemes were often evaluated under conditions which do not reflect realistic IoT scenarios. In addition, drawing any comparison among the existing schemes is impossible due to the lack of a common public dataset and unavailability of scheme implementations.
In this paper, we address these challenges by conducting the first large-scale comparative study of ZIP and ZIA schemes, carried out under realistic conditions. We collect and release the most comprehensive dataset in the domain to date, containing over 4250 hours of audio recordings and 1 billion sensor readings from three different scenarios, and evaluate five state-of-the-art schemes based on these data. Our study reveals that the effectiveness of the existing proposals is highly dependent on the scenario they are used in. In particular, we show that these schemes are subject to error rates between 0.6% and 52.8%.
△ Less
Submitted 22 February, 2019; v1 submitted 22 January, 2019;
originally announced January 2019.
-
Conducting a Large-scale Field Test of a Smartphone-based Communication Network for Emergency Response
Authors:
Flor Álvarez,
Lars Almon,
Patrick Lieser,
Tobias Meuser,
Yannick Dylla,
Björn Richerzhagen,
Matthias Hollick,
Ralf Steinmetz
Abstract:
Smartphone-based communication networks form a basis for services in emergency response scenarios, where communication infrastructure is impaired or overloaded. Still, their design and evaluation are largely based on simulations that rely on generic mobility models and weak assumptions regarding user behavior. For a realistic assessment, scenario-specific models are essential. To this end, we cond…
▽ More
Smartphone-based communication networks form a basis for services in emergency response scenarios, where communication infrastructure is impaired or overloaded. Still, their design and evaluation are largely based on simulations that rely on generic mobility models and weak assumptions regarding user behavior. For a realistic assessment, scenario-specific models are essential. To this end, we conducted a large-scale field test of a set of emergency services that relied solely on ad hoc communication. Over the course of one day, we gathered data from smartphones distributed to 125 participants in a scripted disaster event. In this paper, we present the scenario, measurement methodology, and a first analysis of the data. Our work provides the first trace combining user interaction, mobility, and additional sensor readings of a large-scale emergency response scenario, facilitating future research.
△ Less
Submitted 14 August, 2018;
originally announced August 2018.
