Document Type
Conference Proceeding
Publication Date
5-6-2025
Publication Title
Figshare
Pages
1-8
Abstract
Zero-involvement authentication (ZIA) offers a promising solution for autoprovisioning large IoT device networks by enabling devices to extract identical authentication keys from ambient environmental signals without user intervention.
However, we demonstrate that existing ZIA systems leak critical information during key negotiation when they exchange synchronization messages over public wireless channels.
Our novel passive attack, SyncBleed, exploits these leaked messages to reconstruct ZIA-generated keys, successfully cracking approximately 50% of keys in under one second in our testbed experiments.
To address this vulnerability, we introduce TREVOR (Time shift REsistant VEctor ExtractOR), which generates nearly identical bit sequences from environmental signals without exchanging any synchronization information. TREVOR produces keys in under 4~seconds with 90--95% bit agreement rates between legitimate devices across various environmental sources, while maintaining complete resistance to SyncBleed attacks.
Recommended Citation
Ahlgren, Isaac; Shirsat, Rushikesh; Achkar, Omar; Thiruvathukal, George K.; In Lee, Kyu; and Klingensmith, Neil. Not-so-Secret Authentication: The SyncBleed Attacks and Defenses for Zero-Involvement Authentication Systems. Figshare, , : 1-8, 2025. Retrieved from Loyola eCommons, Computer Science: Faculty Publications and Other Works, http://dx.doi.org/10.6084/m9.figshare.28935059
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Copyright Statement
© The Author(s), 2025.
Comments
Author Posting © The Author(s), 2025. This is a pre-print article.