2025 IEEE International Conference on Cyber Security and Resilience

Summary:

Zero-involvement authentication (ZIA) offers a promising solution for autoprovisioning large IoT device networks by enabling devices to extract identical authentication keys from ambient environmental signals without user intervention. However, we demonstrate that existing ZIA systems leak critical information during key negotiation when they exchange synchronization messages over public wireless channels. Our novel passive attack, SyncBleed, exploits these leaked messages to reconstruct ZIA-generated keys, successfully cracking approximately 50% of keys in under one second in our testbed experiments. To address this vulnerability, we introduce TREVOR (Time shift REsistant VEctor ExtractOR), which generates nearly identical bit sequences from environmental signals without exchanging any synchronization information. TREVOR produces keys in under 4 seconds with 90–95% bit agreement rates between legitimate devices across various environmental sources, while maintaining complete resistance to SyncBleed attacks.

Author(s):

Isaac Ahlgren    
Loyola University Chicago
United States

Rushikesh Shirsat    
Loyola University Chicago
United States

Omar Achkar    
University of Houston
United States

George K. Thiruvathukal    
Loyola University Chicago
United States

Kyu In Lee    
University of Houston
United States

Neil Klingensmith    
Loyola University Chicago
United States
