Department of Computer Science and Engineering
University of South Carolina
Author : Xiaopeng Li
Advisor : Dr. Lannon Luo
Date : May 8, 2020
Time : 9:00 am
Place : Virtual Defense
Internet of Things (IoT) technologies have made our lives more convenient and better informed by sensing and monitoring our surroundings. Security applications, such as device pairing and user authentication, are fundamental to building a trustworthy smart environment. A secure and convenient pairing approach is critical to IoT-enabled applications, because pairing establishes a secure wireless communication channel between devices. In addition, since a smart environment usually has multiple people (e.g., kids and adults, patients and doctors), how to authenticate users operating densely deployed devices and sensitive objects (e.g., a cabinet storing medical records) is also an important problem.
Existing security measures either rely on special hardware, have poor usability, or are vulnerable to attacks, and thus fail to protect resource-constrained IoT devices and dumb objects. This thesis aims to address these shortcomings by implementing three security applications: (1) performing secure pairing for IoT devices that lack conventional user interfaces, such as keyboards and displays; (2) providing secure and applicable authentication for IoT devices; (3) validating uses of sensitive dumb objects that have no user input interfaces.
First, we propose a technique, Universal Operation Sensing, which allows an IoT device to sense the user’s physical operations on it without requiring inertial sensors. Based on this technique, a user carrying a smartphone or wearing a wristband can finish pairing in seconds by touching the target device with a few very simple operations. We design a pairing protocol based on fuzzy commitment, and build a prototype system named T2Pair. The comprehensive evaluation shows that it is secure and usable.
Second, we design three usable authentication gestures that ask the user to ‘pet’ the device (a few very simple touches lasting about 2 seconds). We build a secure and intuitive authentication method that authenticates device users by comparing the petting operations sensed by the device with those captured by the user’s wristband. The method is highly secure because it requires physical operations rather than being based on proximity. It is also intuitive, adopting very simple authentication operations, e.g., clicking buttons, twisting rotary knobs, and swiping touchscreens. Unlike the state-of-the-art methods, our method does not require any hardware modifications of devices, and thus can be applied to commercial off-the-shelf (COTS) devices.
Finally, we present the first implicit and accurate authentication approach for dumb objects, named MoMatch. (1) It provides implicit and continuous authentication. (2) It makes a fast authentication decision based on a single object interaction, e.g., pushing a door. (3) It is accurate, with an average area under the curve (AUC) of 0.97 across 10 different objects. (4) It works with objects that have zero authentication interfaces. (5) It uses zero biometrics, so it does not need per-user profiling. (6) Rigorous security studies are performed, showing that MoMatch is resilient to attacks. The approach is built on a solid causal relationship: an object typically moves because a human hand moves it. Thus, the object’s motion and the legitimate user’s hand movement must correlate to validate the use. The main challenge is how to calculate the correlation, as conventional approaches, such as Dynamic Time Warping (DTW) and SVM, all fail to work. We propose an Imagified Curve Comparison (ICC) technique that converts the motion-data correlation evaluation problem into an image comparison problem, and solve it successfully using neural networks.
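The pairing protocol in the first contribution is based on fuzzy commitment; the sketch below is an added illustration of the generic fuzzy commitment construction, not T2Pair's protocol or code from the thesis. The repetition code, SHA-256 tag, toy key size, bit-string evidence and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

REP = 5  # assumption: 5x repetition code, corrects up to 2 bit flips per key bit


def encode(key_bits):
    """Repeat every key bit REP times to form the codeword."""
    return [b for b in key_bits for _ in range(REP)]


def decode(code_bits):
    """Majority-vote each group of REP bits back to one key bit."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]


def digest(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def commit(key_bits, witness):
    """One side hides the key under its own sensed bits (the witness)."""
    codeword = encode(key_bits)
    if len(witness) != len(codeword):
        raise ValueError("witness must be len(key_bits) * REP bits")
    delta = [c ^ w for c, w in zip(codeword, witness)]
    return delta, digest(key_bits)


def open_commitment(delta, tag, witness):
    """Return the key if this witness is close to the committer's, else None."""
    if len(witness) != len(delta):
        return None
    key = decode([d ^ w for d, w in zip(delta, witness)])
    return key if hmac.compare_digest(digest(key), tag) else None


if __name__ == "__main__":
    # Constructed sample data: toy 8-bit key, 40 bits of sensed evidence.
    key = [secrets.randbelow(2) for _ in range(8)]
    device = [secrets.randbelow(2) for _ in range(8 * REP)]
    wristband = list(device)
    for i in (0, 6, 12):  # sensing noise: one flipped bit in three groups
        wristband[i] ^= 1
    delta, tag = commit(key, device)
    print("wristband opens:", open_commitment(delta, tag, wristband) == key)
    print("unrelated evidence opens:",
          open_commitment(delta, tag, [1 - b for b in device]) is not None)
```

The commitment opens only for evidence within the code's error tolerance, which is why both sides must have observed the same physical operation; a real deployment needs a key and evidence with far more entropy than this toy size.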