A Signal Injection Attack Against Zero Involvement Pairing and Authentication for the Internet of Things

A Signal Injection Attack Against Zero Involvement Pairing and Authentication for the Internet of Things#

Overview#

Zero Involvement Pairing and Authentication (ZIPA) is a technique for automatically provisioning large networks of Internet-of-Things (IoT) devices with no user involvement. Prior ZIPA work generally assumes that the environment used for pairing is sufficiently isolated from external, adversarial signals. In our DESTION 2024 paper [1], we present the first signal-injection attack capable of influencing ZIPA-based key generation, demonstrating that these assumptions can fail in realistic settings.

Abstract Summary#

We show that an adversary can broadcast audio at approximately 95 dBA and cause the popular Schürmann & Sigg ZIPA algorithm to generate keys that statistically match those produced by legitimate devices. Under these conditions, adversary-generated keys become indistinguishable from the legitimate keys within standard error, effectively breaking the security guarantees of the scheme. This result challenges the core premise that ambient environmental signals used for ZIPA cannot be meaningfully controlled by an attacker.

Key Contributions#

  • A practical, experimentally validated signal-injection attack against a representative ZIPA system.

  • Empirical evidence that adversarially generated keys fall within the standard error of legitimate keys.

  • A re-examination of the assumptions underlying ZIPA, especially regarding ambient channel isolation and leakage.

  • Design guidance and discussion of mitigation strategies for secure IoT auto-provisioning in adversarial environments.

Background#

ZIPA (Zero Involvement Pairing and Authentication) schemes seek to make IoT deployment scalable by minimizing or eliminating user input during pairing. The Schürmann & Sigg algorithm is a canonical example, using correlated ambient audio to derive shared cryptographic keys between nearby devices. Earlier work assumes that adversaries cannot significantly alter or inject signals into the ambient environment, an assumption our work directly challenges.

Threat Model and Attack Description#

In our threat model, the attacker is able to place or control a signal source in an adjacent or partially connected space near the target environment. By injecting a controlled, high-volume audio signal (around 95 dBA), the attacker biases the ambient signal measurements that ZIPA devices rely on. As a result, the attacker’s device generates a key that closely matches the key produced by the legitimate device, within statistical error bounds.

Experimental Setup & Results#

Our evaluation includes:

  • A controlled experimental setup with prototype ZIPA devices using the Schürmann & Sigg algorithm.

  • Measurements of ambient correlation under normal conditions versus adversarial signal injection.

  • Key-agreement statistics comparing the keys produced by legitimate devices and the attacker.

The data show that, under signal injection, adversary-generated keys are highly correlated with legitimate keys and fall within the standard error of the intended ZIPA pairing. This demonstrates a clear and practical break of the security model for ambient-signal-based pairing.

Mitigation Discussion#

Our results suggest several directions for improving ZIPA-style schemes:

  • Signal-level monitoring: Detecting abnormal ambient signal power or patterns that could indicate injection.

  • Environmental sanity checks: Rejecting key generation when environmental measurements fall outside expected thresholds.

  • Active elements: Adding challenge-response mechanisms or additional authenticated steps instead of relying solely on passive ambient correlation.

  • Stronger threat models: Designing ZIPA systems under the assumption that adversaries can inject or manipulate ambient signals, especially in shared or semi-public spaces.

Conclusion#

This work presents the first demonstrated signal-injection attack on ZIPA-based IoT provisioning. We show that relying purely on ambient signals for secure pairing is not sufficient in adversarial environments, even at moderate sound levels such as 95 dBA. Designers of large-scale IoT auto-provisioning systems should adopt more robust threat models, incorporate active defenses, and treat ZIPA schemes with caution when security is a primary concern.

Bibliography#

[1]

Isaac Ahlgren, Rushikesh Shirsat, Omar Achkar, George K Thiruvathukal, Kyu In Lee, and Neil Klingensmith. Not-so-Secret Authentication: The SyncBleed Attacks and Defenses for Zero-Involvement Authentication Systems. In 2025 IEEE International Conference on Cyber Security and Resilience (CSR), 592–599. 2025. tex.author+an: 1=graduate;2=graduate;3=graduate;4=myself. doi:10.1109/CSR64739.2025.11130070.

Contents