A Signal Injection Attack Against Zero Involvement Pairing and Authentication for the Internet of Things

Zero Involvement Pairing and Authentication (ZIPA) is a promising technique for auto-provisioning large networks of Internet-of-Things (IoT) devices. In this work, we present the first successful signal injection attack on a ZIPA system.

I'm pleased to report that our paper has been accepted and presented by my talented student, Isaac Ahlgren (co-supervised with Neil Klingensmith), at DESTION 2024, which is part of the IEEE/ACM CPS-IoT WEEK, May 13-16, 2024, Hong Kong, China.

In the rapidly evolving landscape of the Internet-of-Things (IoT), security remains a critical concern. As we integrate more devices into our homes and workplaces, the need for robust, seamless, and secure auto-provisioning methods has never been more pressing. Enter Zero Involvement Pairing and Authentication (ZIPA), a technique designed to streamline the setup of large networks of IoT devices without user intervention. However, as with any technology, understanding its limitations is crucial to ensuring its reliability and security.

Today, we unveil novel research that marks a key moment for IoT security using ZIPA: the first successful signal injection attack on a ZIPA system. Our work sheds light on an often-overlooked vulnerability in ZIPA systems—the influence of environmental signals from unsecured spaces on secured spaces.

Most existing ZIPA systems operate under the assumption that the impact of external, unsecured signals on a secured environment is negligible. However, our research reveals a starkly different reality. Environmental signals from adjacent unsecured spaces do, in fact, permeate secured environments, creating an unexpected vulnerability.

By exploiting this overlooked aspect, we successfully executed a signal injection attack on the widely used Schurmann & Sigg algorithm. Our findings are both alarming and enlightening: the keys generated by the adversary through a signal injection attack at 95 dBA were within the standard error range of the legitimate device's keys.

This work is not merely a technical achievement; it serves as a wake-up call for the industry. As we continue to push the boundaries of IoT integration, it is imperative that we also advance our understanding and mitigation of potential security threats. Our research highlights the need for a more nuanced approach to securing ZIPA systems.

Join us as we continue to research the implications for the future of IoT security. By addressing these vulnerabilities head-on, we can work toward more resilient and secure IoT ecosystems, ensuring that the convenience of ZIPA does not come at the expense of safety.

See the 6th Workshop on Design Automation for CPS and IoT (DESTION 2024) program page at https://cps-vo.org/group/DESTION2024/program.