SyncBleed: A Realistic Threat Model and Mitigation Strategy for Zero-Involvement Pairing and Authentication (ZIPA)

Authors

Isaac Ahlgren, Loyola University ChicagoFollow
Jack WestFollow
Kyuin Lee, University of Houston
George K. Thiruvathukal, Loyola University ChicagoFollow
Neil Klingensmith, Loyola University ChicagoFollow

Document Type

Technical Report

Publication Date

11-8-2023

Publication Title

ArXiv

Abstract

Zero Involvement Pairing and Authentication (ZIPA) is a promising technique for auto-provisioning large networks of Internet-of-Things (IoT) devices. Presently, these networks use password-based authentication, which is difficult to scale to more than a handful of devices. To deal with this challenge, ZIPA enabled devices autonomously extract identical authentication or encryption keys from ambient environmental signals. However, during the key negotiation process, existing ZIPA systems leak information on a public wireless channel which can allow adversaries to learn the key. We demonstrate a passive attack called SyncBleed, which uses leaked information to reconstruct keys generated by ZIPA systems. To mitigate SyncBleed, we present TREVOR, an improved key generation technique that produces nearly identical bit sequences from environmental signals without leaking information. We demonstrate that TREVOR can generate keys from a variety of environmental signal types under 4 seconds, consistently achieving a 90-95% bit agreement rate across devices within various environmental sources.

Identifier

arXiv:2311.04433

Comments

Technical report - Work in Progress.

Recommended Citation

Isaac Ahlgren, Jack West, Kyuin Lee, George K. Thiruvathukal, Neil Klingensmith, SyncBleed: A Realistic Threat Model and Mitigation Strategy for Zero-Involvement Pairing and Authentication (ZIPA), arXiv:2311.04433.

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.