ABSTRACT
Internet of Things (IoT) devices are densely deployed in smart environments, such as homes, factories and laboratories, where many people have physical access to them. How to authenticate users operating these devices is thus an important problem. IoT devices usually lack conventional user interfaces, such as keyboards and mice, which makes traditional authentication methods inapplicable. We present a virtual sensing technique that allows IoT devices to virtually sense user 'petting' (in the form of some very simple touches for about 2 seconds) on the devices. Based on this technique, we build a secure and intuitive authentication method that authenticates device users by comparing the petting operations sensed by the devices with those captured by the user's wristband. The authentication method is highly secure because it requires physical operations on the device rather than relying on proximity. It is also intuitive, adopting very simple authentication operations, e.g., clicking buttons, twisting rotary knobs, and swiping touchscreens. Unlike the state-of-the-art methods, our method does not require any hardware modifications of devices, and thus can be applied to commercial off-the-shelf (COTS) devices. We build prototypes and evaluate them comprehensively, demonstrating their high effectiveness, security, usability, and efficiency.
Index Terms
- Touch Well Before Use: Intuitive and Secure Authentication for IoT Devices