
A Signal Injection Attack Against Zero Involvement Pairing and Authentication for the Internet of Things

Isaac Ahlgren, Jack West, Kyuin Lee, George Thiruvathukal, Neil Klingensmith

TL;DR

This work presents the first successful signal injection attack on a ZIPA system, taking advantage of the fact that environmental signals do leak from adjacent unsecured spaces and influence the environment of the secured space.

Abstract

Zero Involvement Pairing and Authentication (ZIPA) is a promising technique for autoprovisioning large networks of Internet-of-Things (IoT) devices. In this work, we present the first successful signal injection attack on a ZIPA system. Most existing ZIPA systems assume there is a negligible amount of influence from the unsecured outside space on the secured inside space. In reality, environmental signals do leak from adjacent unsecured spaces and influence the environment of the secured space. Our attack takes advantage of this fact to perform a signal injection attack on the popular Schurmann & Sigg algorithm. The keys generated by the adversary with a signal injection attack at 95 dBA are within the standard error of the legitimate device.

Paper Structure (17 sections, 9 figures)

This paper contains 17 sections, 9 figures.

Figures (9)

  • Figure 1: Legitimate devices within the same environment authenticate. External adversary authenticates by injecting a predictable signal into the legitimate environment.
  • Figure 2: General pipeline of ZIPA between two authenticating devices: $A$ and $B$.
  • Figure 3: Overview of our attack on the Sigg algorithm. The spectrogram (left) is divided in a grid. The energy of each box in the grid is computed to build an energy matrix $E$. Bits are computed as a function of nearby cells on $E$.
  • Figure 4: Spectrogram of our injection signal with a blown up view of the Schurmann & Sigg grid that shows how elements of the energy matrix are computed from the spectrogram.
  • Figure 5: Illustration of the testbed we used to carry out our injection. Adversary sits outside an office with the door closed and broadcasts the injection signal into the legitimate space. Legitimate device inside the office pairs with adversary.
  • ...and 4 more figures
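
The grid-energy fingerprint from the Figure 3 caption, together with the abstract's point that outside signals leak into the secured space, as an added example (not the paper's code). It measures how much of the inside device's fingerprint can be predicted from the outside signal as leakage grows. Assumptions: the bit rule is the energy-difference rule common in audio fingerprinting, and the frame size, band count and seeded noise signals are constructed toy values.

```python
import cmath, math, random

FRAME, BANDS = 64, 9   # constructed toy parameters, not the paper's settings

def energy_matrix(samples):
    """E[i][j]: energy of time frame i in frequency band j (the spectrogram grid)."""
    half = FRAME // 2
    width = half // BANDS                      # DFT bins per band
    twiddle = [[cmath.exp(-2j * math.pi * k * n / FRAME) for n in range(FRAME)]
               for k in range(1, half + 1)]
    E = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        power = [abs(sum(x * w for x, w in zip(frame, row))) ** 2 for row in twiddle]
        E.append([sum(power[b * width:(b + 1) * width]) for b in range(BANDS)])
    return E

def fingerprint(E):
    """One bit per pair of neighbouring cells (assumed energy-difference rule)."""
    bits = []
    for i in range(1, len(E)):
        for j in range(BANDS - 1):
            d = (E[i][j] - E[i][j + 1]) - (E[i - 1][j] - E[i - 1][j + 1])
            bits.append(1 if d > 0 else 0)
    return bits

def noise(seed, n):
    """Seeded Gaussian noise standing in for a recorded signal (constructed data)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]

def agreement_at(gain, frames=65):
    """Fraction of inside-fingerprint bits predictable from the outside signal alone."""
    n = frames * FRAME
    ambient = noise(1, n)                      # sound originating inside the room
    outside = noise(2, n)                      # signal present in the adjacent space
    heard = [a + gain * o for a, o in zip(ambient, outside)]  # inside microphone
    fp_in = fingerprint(energy_matrix(heard))
    fp_out = fingerprint(energy_matrix(outside))
    return sum(x == y for x, y in zip(fp_in, fp_out)) / len(fp_in)

if __name__ == "__main__":
    for gain in (0.0, 0.5, 2.0, 10.0, 50.0):
        print(f"leakage gain {gain:>5}: agreement {agreement_at(gain):.2f}")
```

Agreement near 0.5 means the outside signal tells an observer nothing about the inside fingerprint; values approaching 1.0 mean the isolation assumption no longer holds for that space.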