DOI: 10.1145/3300061.3345434
research-article
Public Access

Touch Well Before Use: Intuitive and Secure Authentication for IoT Devices

Published: 11 October 2019

ABSTRACT

Internet of Things (IoT) devices are densely deployed in smart environments, such as homes, factories and laboratories, where many people have physical access to them. How to authenticate users operating these devices is thus an important problem. IoT devices usually lack conventional user interfaces, such as keyboards and mice, which makes traditional authentication methods inapplicable. We present a virtual sensing technique that allows IoT devices to virtually sense user 'petting' (in the form of some very simple touches for about 2 seconds) on the devices. Based on this technique, we build a secure and intuitive authentication method that authenticates device users by comparing the petting operations sensed by the devices with those captured by the user's wristband. The authentication method is highly secure because it requires physical operations rather than relying on proximity. It is also intuitive, adopting very simple authentication operations, e.g., clicking buttons, twisting rotary knobs, and swiping touchscreens. Unlike state-of-the-art methods, our method does not require any hardware modifications of devices, and thus can be applied to commercial off-the-shelf (COTS) devices. We build prototypes and evaluate them comprehensively, demonstrating their high effectiveness, security, usability, and efficiency.

Published in

MobiCom '19: The 25th Annual International Conference on Mobile Computing and Networking
August 2019
1017 pages
ISBN: 9781450361699
DOI: 10.1145/3300061

        Copyright © 2019 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Acceptance Rates

        Overall Acceptance Rate: 440 of 2,972 submissions, 15%
