Touch to Pair: Secure and Usable IoT Pairing without Information Loss

Chuxiong Wu, Xiaopeng Li, Lannan Luo, Qiang Zeng

TL;DR

This work tackles secure and usable IoT pairing for devices with limited user interfaces by introducing Universal Operation Sensing (UOS), which enables sensing user actions without inertial sensors on the IoT device. It proposes two pairing protocols: T2Pair, a faithful fuzzy-commitment scheme that handles observation differences, and T2Pair++, TimeWall, which eliminates information loss through a commitment-deadline mechanism and uses a PAKE-based key exchange. The system is implemented on a smartwatch and a smartphone with multiple IoT devices, and evaluated through two datasets, a comprehensive in-lab study, and a usability study, achieving high accuracy (AUC > 0.999 in TimeWall) and fast pairing times (a few seconds) while maintaining strong resistance to mimicry attacks. The approach offers broad applicability to the vast majority of IoT devices that feature basic UIs, provides low deployment costs, and delivers solid security, usability, and efficiency in real-world conditions. Overall, TimeWall/T2Pair++ provides a practical, scalable, and robust solution for secure IoT pairing without requiring dedicated sensors or clock synchronization.

Abstract

Secure pairing is essential for trustworthy deployment and operation of Internet of Things (IoT) devices. However, traditional pairing methods are unsuitable due to the lack of user interfaces such as keyboards. Proximity-based approaches are usable but vulnerable to nearby attackers, while methods relying on physical operations (e.g., shaking) offer higher security but require inertial sensors that most IoT devices lack. We introduce Universal Operation Sensing, which enables IoT devices to detect user operations without inertial sensors. With this technique, users can complete pairing within seconds through simple actions, such as pressing a button or twisting a knob, using either a smartphone or a smartwatch. We further identify an accuracy issue caused by information loss in the commonly used fuzzy-commitment protocol. To address this issue, we propose TimeWall, an accurate pairing protocol that avoids fuzzy commitment and incurs zero information loss. A comprehensive evaluation shows that it is secure, usable, and efficient.

Paper Structure

This paper contains 36 sections, 3 equations, 15 figures, 8 tables.

Figures (15)

  • Figure 1: Distribution of UIs on 270 popular IoT devices. "With BKT" means the device has a normal Button, Knob or Touchscreen; "Recessed button" refers to a small hole that can be pressed using, e.g., a ball-point pen.
  • Figure 2: Architecture (a wristband as the helper and an IoT device with a button as an example).
  • Figure 3: Gyroscope data captured when three users twist knobs. The black lines show the ground truth of twisting direction.
  • Figure 4: Salient points for the three types of pairing operations. A pause is involved in each type of pairing operations shown in the subfigure.
  • Figure 5: Six devices are used in our experiments, including two keypads (a plastic keypad labeled as 1, and a rubber one as 2; in either case, we only use one button for pairing); two knobs (a large knob labeled as 3, and a small one as 4); two touchscreens (a 5.2" Google Nexus 5X labeled as 5, and a 2.45" Unihertz Atom labeled as 6).
  • ...and 10 more figures