Document Type
Conference Proceeding
Publication Date
8-26-2025
Publication Title
2025 IEEE International Conference on Cyber Security and Resilience (CSR)
Pages
1-8
Publisher Name
IEEE
Abstract
Zero-involvement authentication (ZIA) offers a promising solution for autoprovisioning large IoT device networks by enabling devices to extract identical authentication keys from ambient environmental signals without user intervention.
However, we demonstrate that existing ZIA systems leak critical information during key negotiation when they exchange synchronization messages over public wireless channels.
Our novel passive attack, SyncBleed, exploits these leaked messages to reconstruct ZIA-generated keys, successfully cracking approximately 50% of keys in under one second in our testbed experiments.
To address this vulnerability, we introduce TREVOR (Time shift REsistant VEctor ExtractOR), which generates nearly identical bit sequences from environmental signals without exchanging any synchronization information. TREVOR produces keys in under 4 seconds with 90–95% bit agreement rates between legitimate devices across various environmental sources, while maintaining complete resistance to SyncBleed attacks.
Recommended Citation
Ahlgren, Isaac; Shirsat, Rushikesh; Achkar, Omar; Thiruvathukal, George K.; In Lee, Kyu; and Klingensmith, Neil. Not-so-Secret Authentication: The SyncBleed Attacks and Defenses for Zero-Involvement Authentication Systems. 2025 IEEE International Conference on Cyber Security and Resilience (CSR), 1-8, 2025. Retrieved from Loyola eCommons, Computer Science: Faculty Publications and Other Works, http://dx.doi.org/10.1109/CSR64739.2025.11130070
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.
Copyright Statement
© IEEE, 2025.
Author Manuscript
This is a pre-publication author manuscript of the final, published article.

Comments
Author Posting © 2025 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. The definitive version was published in 2025 IEEE International Conference on Cyber Security and Resilience (CSR) (August 26, 2025), https://doi.org/10.1109/CSR64739.2025.11130070.