Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Bingsheng Zhang,Qin Zhan,Si Chen,Muyuan Li,Kui Ren,Cong Wang,Di Ma

DOI: https://doi.org/10.1109/jiot.2014.2297998

IF: 10.6

2014-01-01

IEEE Internet of Things Journal

Abstract:Short-range wireless communication technologies have been used in many security-sensitive smartphone applications and services such as contactless micro payment and device pairing. Typically, the data confidentiality of the existing short-range communication systems relies on so-called “key-exchange then encryption” mechanism, which is inefficient, especially for short communication sessions. In this work, we present ${\\ssb{PriWhisper}}$ —a keyless secure acoustic short-range communication system for smartphones. It is designed to provide a software-based solution to secure smartphone communication without the key agreement phase. ${\\ssb{PriWhisper}}$ adopts the emerging friendly jamming technique from radio communication for data confidentiality. The system prototype is implemented and evaluated on several Android smartphone platforms for efficiency and usability. We theoretically and experimentally analyze the security of our proposed acoustic communication system against eavesdropping. In particular, we study the (in)separability of the data signal and jamming signal against blind signal segmentation (BSS) attacks such as independent component analysis (ICA). The result shows that ${\\ssb{PriWhisper}}$ provides sufficient security guarantees for commercial smartphone applications and yet strong compatibilities with most legacy smartphone platforms. As an application, we also develop ${\\ssb{AcousAuth}}$ —a novel smartphone-empowered system for personal authentication.

Li Lü,Jiadi Yu,Yingying Chen,Yan Wang

DOI: https://doi.org/10.1145/3397320

2020-01-01

Proceedings of the ACM on Interactive Mobile Wearable and Ubiquitous Technologies

Abstract:Recent years have witnessed the surge of biometric-based user authentication for mobile devices due to its promising security and convenience. As a natural and widely-existed behavior, human speaking has been exploited for user authentication. Existing voice-based user authentication explores the unique characteristics from either the voiceprint or mouth movements, which is vulnerable to replay attacks and mimic attacks. During speaking, the vocal tract, including the static shape and dynamic movements, also exhibits the individual uniqueness, and they are hardly eavesdropped and imitated by adversaries. Hence, our work aims to employ the individual uniqueness of vocal tract to realize user authentication on mobile devices. Moreover, most voice-based user authentications are passphrase-dependent, which significantly degrade the user experience. Thus, such user authentications are pressed to be implemented in a passphrase-independent manner while being able to resist various attacks. In this paper, we propose a user authentication system, VocalLock, which senses the whole vocal tract during speaking to identify different individuals in a passphrase-independent manner on smartphones leveraging acoustic signals. VocalLock first utilizes FMCW on acoustic signals to characterize both the static shape and dynamic movements of the vocal tract during speaking, and then constructs a passphrase-independent user authentication model based on the unique characteristics of vocal tract through GMM-UBM. The proposed VocalLock can resist various spoofing attacks, while achieving a satisfactory user experience. Extensive experiments in real environments demonstrate VocalLock can accurately authenticate user identity in a passphrase-independent manner and successfully resist various attacks.

Xiaoyu Ji,Xinyan Zhou,Chen Yan,Jiangyi Deng,Wenyuan Xu

DOI: https://doi.org/10.1109/tmc.2020.3025023

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:With the proliferation of mobile devices, face-to-face device-to-device (D2D) communication has been applied to a variety of daily scenarios such as mobile payment and short distance file transfer. In D2D communications, a critical security problem is to verify the device legitimacy when they share no secrets in advance. Previous research proposed device authentication schemes based on pre-built database or exploiting physical properties. However, a remaining challenge is to secure face-to-face D2D communication even in the middle of a crowd, within which an attacker may hide. In this paper, we present NAuth, a nonlinearity-enhanced, location-sensitive authentication mechanism. Especially, we target at the secure authentication within a limited range such as 20 cm, which is typical for face-to-face scenarios. NAuth designs a verification scheme based on the nonlinear distortion of speaker-microphone systems and a location-based validation model. The verification scheme guarantees device authentication consistency by extracting acoustic nonlinearity patterns (ANP) while the validation model ensures device legitimacy by measuring the time difference of arrival (TDOA) at two microphones. We analyze the feasibility and security of NAuth theoretically and evaluate its performance experimentally. Results demonstrate that NAuth can verify the device legitimacy in the presence of nearby attackers.

Xinyan Zhou,Xiaoyu Ji,Chen Yan,Jiangyi Deng,Wenyuan Xu

DOI: https://doi.org/10.1109/infocom.2019.8737572

2019-01-01

Abstract:With the increasing prevalence of mobile devices, face-to-face device-to-device (D2D) communication has been applied to a variety of daily scenarios such as mobile payment and short distance file transfer. In D2D communications, a critical security problem is verifying the legitimacy of devices when they share no secrets in advance. Previous research addressed the problem with device authentication and pairing schemes based on user intervention or exploiting physical properties of the radio or acoustic channels. However, a remaining challenge is to secure face-to-face D2D communication even in the middle of a crowd, within which an attacker may hide. In this paper, we present Nhuth, a nonlinearity-enhanced, location-sensitive authentication mechanism for such communication. Especially, we target at the secure authentication within a limited range such as 20 cm, which is the common case for face-to-face scenarios. Nhuth contains averification scheme based on the nonlinear distortion of speaker-microphone systems and a location-based-validation model. The verification scheme guarantees device authentication consistency by extracting acoustic nonlinearity patterns (ANP) while the validation model ensures device legitimacy by measuring the time difference of arrival (TDOA) at two microphones. We analyze the security of Nhuth theoretically and evaluate its performance experimentally. Results show that Nhuth can verify the device legitimacy in the presence of nearby attackers.

Dianqi Han,Ang Li,Tao Li,Lili Zhang,Yan Zhang,Jiawei Li,Rui Zhang,Yanchao Zhang

DOI: https://doi.org/10.1109/tmc.2021.3053282

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:Acoustic fingerprinting aims to identify a mobile device based on its internal microphone(s) and speaker(s) which are unique due to manufacturing imperfection. This paper seeks a thorough understanding of the (in)security of exploring acoustic fingerprints for achieving distributed mobile authentication. Our contributions are threefold. First, we present a new acoustic fingerprint-emulation attack and demonstrate that it is a common vulnerability of acoustic mobile authentication systems. Second, we propose a dynamic challenge-response defense to secure acoustic mobile authentication systems against the acoustic fingerprint-emulation attack. Finally, we thoroughly investigate existing acoustic fingerprinting schemes and identify the best option for accurate, secure, and deployable acoustic mobile authentication systems.

computer science, information systems,telecommunications

Si Chen,Zhan Qin,Guoliang Xing,Kui Ren

DOI: https://doi.org/10.1007/bf03391579

2016-01-01

Journal of Communications and Information Networks

Abstract:Mobile devices such as smartphones and tablets have continued to grow in recent years. Nowadays, people rely on these ubiquitous smart devices and carry them everywhere in their daily lives. Acoustic signal, as a simple and prevalent transmitting vector for end-to-end communication, shows unique characteristics comparing with another popular communication method, i.e., optical signal, especially on the applications performed over smart devices. Acoustic signal does not require line-of-sight when transmission, the computational power of most smart devices are sufficient to modulate/demodulate acoustic signal using software acoustic modem only, which can be easily deployed on current off-the-shelf smart devices. Therefore, many acoustics-based short range communication systems have been developed and are used in sensitive applications such as building access control and mobile payment system. However, past work shows that an acoustic eavesdropper snooping on the communication between a transmitter and its legitimate receiver can easily break their communication protocol and decode the transmitted information. To solve this problem, many solutions have been proposed to protect the acoustic signal against eavesdroppers. In this overview, we explore the designs of existing solutions, the corresponding implementations, and their methodologies to protect acoustic signal communication. For each dependable and secure acoustics-based short range communication system, we present the major technical hurdles to be overcome, the state-of-the-art, and also offer a vision of the future research issues on this promising technology.

Xiaoyan Zhu,Suiyu Yu,Qingqi Pei

DOI: https://doi.org/10.1109/glocom.2016.7842192

2016-01-01

Abstract:Authentication is the first step to access a resource (service, website, data, etc.), so it is of vital importance in a system. The most widely used authentication mechanisms are one-factor authentication based on password and two-factor authentication methods which require a password and another factor (verification code, biometric feature, hardware token, software plug-in, etc.). However, in many public areas, passwords may be exposed to other monitoring equipments or even other people; while authentication for the second factor always requires human-machine interaction. As a result, password might suffer misuse by others; the latter may need extra procedures and incur long delay, decreasing usability and deployability of the system. In this paper, we propose QuickAuth, which aims to develop a simple, yet quick authentication method that does not rely on password such that the entire authentication procedure can be implemented automatically with minimal user involvement. In QuickAuth, one authentication factor is the user's cellphone, and the other is the proximity of the cellphone to the computer which the user wants to login to. The proximity of the two devices is obtained by comparing ambient sound recorded by microphones. Through the real-world implementation and evaluation, we show that QuickAuth works well in terms of usability, deployability, and security in the environment of public areas.

Dan Liu,Qian Wang,Man Zhou,Peipei Jiang,Qi Li,Chao Shen,Cong Wang

DOI: https://doi.org/10.1109/tdsc.2022.3162718

2023-01-01

Abstract:Mobile two-factor authentication (TFA), which uses mobile devices as a second security layer of protection to online accounts, has been widely applied with the proliferation of mobile phones. Currently, many studies propose to use acoustic fingerprints as the second factor. However, these solutions ignore the variations of the extracted static acoustic fingerprints incurred by the acoustic propagation process, which we show can be leveraged to develop an enhanced man-in-the-middle (MITM) attack to compromise the security strength of these systems, while hiding the traces of the attacking devices. To address this newly-uncovered vulnerability, we propose SoundID, a secure and novel authentication system that introduces a dual challenge-response design through the acoustic signals of the enrolled phone and the login device. Specifically, the enrolled phone first evaluates its proximity to the login device by the similarity of their audio recordings, and then the login authentication server compares the calculated dynamic acoustic fingerprint with the one received from the enrolled phone. To the best of our knowledge, SoundID is the first scheme that extracts dynamic acoustic fingerprints and can effectively defend against the enhanced MITM attack. SoundID combines the benefits of unpredictable influencing factors of acoustic propagation processes and the stable frequency response of the acoustic hardware, whose high complexity prevents attackers from predicting or impersonating them. We build a prototype of SoundID with off-the-shelf smartphones to validate its robustness and effectiveness. Our results show that SoundID is user-friendly and achieves over 96.62% accuracy with an equal error rate around 4.27%.

Shuhua Zhu,Xiaojie Li,Chunsheng Zhu,Lei Shu,Wei Sun

DOI: https://doi.org/10.1155/2015/846739

IF: 1.938

2015-01-01

International Journal of Distributed Sensor Networks

Abstract:We address the problem of authentication and secure communication between wearable devices. As people rely heavily on such mobile and wearable devices, the need for seamless and secure communication across these spectra of devices becomes increasingly important. In order to provide secure communication, mutually trusted authentication becomes the first line of protection to guard our personal information. We propose an acoustic-based signcryption mutual authentication (ASMA), which is a key-agreement protocol by employing timestamp and owning functions of multiple-times identity authentication, password change, and devices addition and alteration. Through series of experiments verifying the reliability and accuracy, the protocol shows that it can ensure secure data transmission and data sharing for multiwearable devices.

Yanzhi Ren,Tingyuan Yang,Zhiliang Xia,Hongbo Liu,Jiadi Yu,Bo Liu,Hongwei Li

DOI: https://doi.org/10.1109/tmc.2024.3391184

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:The two-factor authentication (2FA) has become pervasive as the mobile devices become prevalent. Existing 2FA solutions usually require some form of user involvement, which could severely affect user experience and bring extra burdens to users. In this work, we propose a secure 2FA that utilizes the individual acoustic fingerprint of the speaker/microphone on enrolled device as the second proof. The main idea behind our system is to use both magnitude and phase fingerprints derived from the frequency response of the enrolled device by emitting acoustic beep signals alternately from both enrolled and login devices and receiving their direct arrivals for 2FA. Given the input microphone samplings, our system designs an arrival time detection scheme to accurately identify the beginning point of the beep signal from the received signal. To achieve a robust authentication, we develop a new distance mitigation scheme to eliminate the impact of transmission distances from the sound propagation model for extracting stable fingerprint in both magnitude and phase domain. Our device authentication component then calculates a weighted correlation value between the device profile and fingerprints extracted from run-time measurements to conduct the device authentication for 2FA. Moreover, to thwart the possible co-located attacks, our proximity detection component further makes the enrolled phone to generate an active random vibration signal by its built-in motor, and then matches the signal received by the microphone of login device with the signal received by the accelerometer of enrolled phone to verify the proximity of two devices. Our experimental results show that our proposed system is accurate and robust to various attacks across different scenarios and device models.

Mengjun Xie,Yanyan Li,Kenji Yoshigoe,Remzi Seker,Jiang Bian

DOI: https://doi.org/10.1109/hase.2015.41

2015-01-01

Abstract:Frequent outbreak of password database leaks and server breaches in recent years manifests the aggravated security problems of web authentication using only password. Two-factor authentication, despite being more secure and strongly promoted, has not been widely applied to web authentication. Leveraging the unprecedented popularity of both personal mobile devices (e.g., Smartphones) and barcode scans through camera, we explore a new horizon in the design space of two-factor authentication. In this paper, we present CamAuth, a web authentication scheme that exploits pervasive mobile devices and digital cameras to counter various password attacks including man-in-the-middle and phishing attacks. In CamAuth, a mobile device is used as the second authentication factor to vouch for the identity of a use who is performing a web login from a PC. The device communicates directly with the PC through the secure visible light communication channels, which incurs no cellular cost and is immune to radio frequency attacks. CamAuth employs public-key cryptography to ensure the security of authentication process. We implemented a prototype system of CamAuth that consists of an Android application, a Chrome browser extension, and a Java-based web server. Our evaluation results indicate that CamAuth is a viable scheme for enhancing the security of web authentication.

Zhenyang Guo,Hao Yan,Jin Cao,Jiawei Yang,Ben Niu,Ang Li,Hui Li

DOI: https://doi.org/10.1109/jiot.2024.3450692

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Presently, the prevalent authentication approaches in smartphones are susceptible to interference from light,0 noise, temperature, and the risk of replay attacks. In light of these vulnerabilities, and taking into account user behavior alongside smartphone interaction patterns, we have developed an innovative behavioral-based authentication system. This system harnesses the distinctiveness of individual keystroke dynamics for secure user authentication, offering resilience against noise and light fluctuations. In this unique approach, our smartphone’s speakers and microphones emit and capture high-frequency acoustic signals (AS). To the best of our knowledge, this is the first instance of employing the Doppler effect generated by the high-frequency AS in response to keystroke activity as a distinctive user feature. Our definition of ’keystroke behavior’ encompasses the motions involved in tapping screen buttons while holding the smartphone, effectively capturing unique user attributes without necessitating any special procedures or passwords. Our initial experiments have convincingly shown that the AS Doppler effect, triggered by keystroke actions, is uniquely identifiable per user during button presses. Subsequently, we utilized a Convolutional Autoencoder (CAE) to distill keystroke behaviors from the reflected signals, employing a One-Class Support Vector Machine (OCSVM) for user authentication and identification processes. We then implemented a prototype of this scheme on smartphones and rigorously tested its performance across four real-world scenarios. The outcomes are promising, demonstrating that our scheme not only withstands disturbances from noise and light but also achieves an impressive average accuracy rate of 95.08%. Regarding security, it effectively thwarts replay and record attacks, further underscoring its robustness and reliability.

Daojing He,Maode Ma,Yan Zhang,Chun Chen,Jiajun Bu

DOI: https://doi.org/10.1016/j.comcom.2010.02.031

IF: 5.047

2011-01-01

Computer Communications

Abstract:Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.

Yanzhi Ren,Tingyuan Yang,Zhiliang Xia,Hongbo Liu,Yingying Chen,Nan Jiang,Zhaohui Yuan,Hongwei Li

DOI: https://doi.org/10.1109/infocom53939.2023.10229054

2023-01-01

Abstract:The two-factor authentication (2FA) has become pervasive as the mobile devices become prevalent. Existing 2FA solutions usually require some form of user involvement, which could severely affect user experience and bring extra burdens to users. In this work, we propose a secure 2FA that utilizes the individual acoustic fingerprint of the speaker/microphone on enrolled device as the second proof. The main idea behind our system is to use both magnitude and phase fingerprints derived from the frequency response of the enrolled device by emitting acoustic beep signals alternately from both enrolled and login devices and receiving their direct arrivals for 2FA. Given the input microphone samplings, our system designs an arrival time detection scheme to accurately identify the beginning point of the beep signal from the received signal. To achieve a robust authentication, we develop a new distance mitigation scheme to eliminate the impact of transmission distances from the sound propagation model for extracting stable fingerprint in both magnitude and phase domain. Our device authentication component then calculates a weighted correlation value between the device profile and fingerprints extracted from run-time measurements to conduct the device authentication for 2FA. Our experimental results show that our proposed system is accurate and robust to both random impersonation and Man-in-the-middle (MiM) attack across different scenarios and device models.

Dajiang Chen,XuFei Mao,Zhen Qin,Weiyi Wang,Xiang-Yang Li,Zhiguang Qin

DOI: https://doi.org/10.1007/978-3-319-22047-5_16

2015-01-01

Abstract:Authentication between wireless devices is critical for many wireless network applications, especially in some secure wireless communication scenarios. One of ingenious solutions is to extract a fingerprint to perform device authentication by exploiting variations in the transmitted signal caused by hardware and manufacturing inconsistencies. In this work, we propose a device identification protocol (named S2M) by leveraging the frequency response of a speaker and a microphone from two wireless devices as an acoustic hardware fingerprint. S2M authenticates the legitimate user based on the results of matching the fingerprint extracted at the learning process with the one extracted at the verification process. We design and implement S2M for both mobile phones and PCs and the extensive experimental results show that S2M achieves both a low false negative rate and a low false positive rate in various of scenarios under different attacks.

Yanzhi Ren,Chen Chen,Hongbo Liu,Jiadi Yu,Zhourong Zheng,Yingying Chen,Pengcheng Huang,Hongwei Li

DOI: https://doi.org/10.1109/tmc.2022.3232172

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:The two-factor authentication ($2$FA) has drawn increasingly attention as the mobile devices become more prevalent. For example, the user's possession of the enrolled phone could be used by the $2$FA system as the second proof to protect his/her online accounts. Existing $2$FA solutions mainly require some form of user-device interaction, which may severely affect user experience and creates extra burdens to users. In this work, we propose a secure $2$FA system utilizing the proximity of a user's enrolled phone and the login device as the second proof without requiring the user's interactions. The basic idea of our $2$FA system is to derive location signatures based on acoustic beep signals emitted alternately by both devices and sensing the echoes with microphones, and compare the extracted signatures for proximity detection. Moreover, to further enhance the security of our system, we also design a device authentication scheme which derives the acoustic fingerprint between the login device and enrolled phone to verify the identity of two devices. Given the received beep signal, our system designs a period selection scheme to identify two sound segments accurately: the chirp period is the sound segment propagating directly from the speaker to the microphone whereas the echo period is the sound segment reflected back by surrounding objects. To achieve an accurate proximity detection, we develop a new energy loss compensation extraction scheme by utilizing the extracted chirp periods to estimate the intrinsic differences of energy loss between microphones of the enrolled phone and the login device. Our proximity detection component then conducts the similarity comparison between the identified two echo periods after the energy loss compensation to effectively determine whether the enrolled phone and the login device are in proximity for $2$FA. Moreover, to provide higher security, our device fingerprint-assisted proximity detection further utilizes the overall energy loss between the login device and enrolled phone as their hardware fingerprint to authenticate the identity of two devices. Our experimental results show that our system is accurate in providing $2$FA and robust to both man-in-the-middle (MiM) and co-located attacks across different scenarios and device models.

computer science, information systems,telecommunications

Xiping Sun,Jing Chen,Kun He,Zhixiang He,Ruiying Du,Yebo Feng,Qingchuan Zhao,Cong Wu

2024-04-23

Abstract:Private voice communication often contains sensitive information, making it critical to ensure that only authorized users have access to such calls. Unfortunately, current authentication mechanisms, such as PIN-based passwords, fingerprint recognition, and face recognition, fail to authenticate the call receiver, leaving a gap in security. To fill the gap, we present EarPass, a secure and implicit call receiver authentication scheme designed for smartphones. EarPass sends inaudible acoustic signals through the earpiece speaker to actively sense the outer ear, and records echoes using the top microphone. It focuses on extracting ear-related signals from echoes and performs spectrogram analysis in the magnitude and phase domains. To overcome posture and position variability, EarPass utilizes a learning-based feature extractor for extracting representative features, and a one-class classifier for authentication. EarPass does not increase any burdens on users or change users' call answering habits. Furthermore, it does not require extra devices but only uses the speaker and microphone on the smartphone. We conducted comprehensive experiments to evaluate EarPass's effectiveness and security. Our results show that EarPass can achieve a balanced accuracy of 96.95% and an equal error rate of 1.53%. Additionally, EarPass exhibits resilience against potential attacks, including zero-effort attacks and mimicry attacks.

Cryptography and Security

Xiao Zhang,Jiqiang Liu,Si Chen,Yongjun Kong,Kui Ren

DOI: https://doi.org/10.1109/jiot.2018.2850524

IF: 10.6

2018-01-01

IEEE Internet of Things Journal

Abstract:The recent proliferation of Internet of Things (IoT) device coupled with the demand for an inexpensive way of transmitting data has been the primary factors behind the popularity of the short-range acoustic communication. It enables a seamless transfer of digital information via soundwaves, using device’s loudspeaker and microphone only and the whole interaction takes place without the need for network connection. Due to the limited computational power of the IoT device, the short-range acoustic communication system has adopted the friendly jamming technology to save energy. However, the security of the friendly jamming technology in mobile applications has not been thoroughly studied. When propagating sound in public, the soundwaves are subject to eavesdropping by nature. In particular, the friendly jamming technology is vulnerable to the separation attacks which can separate data signals from mixed signals. In this paper, we propose PriWhisper+—a secure acoustic short-range communication system between IoT devices. We analyze the security of PriWhisper+ via information theory and propose physical security enhancement mechanisms for acoustic communication by combining device mobility with secret sharing scheme. We then design a secure data communication scheme that transmits data in acoustic signals. This scheme can be applied in many security-sensitive situations, such as device pairing, contactless payments, and privacy data sharing. At last, we evaluate the performance of our proposed PriWhisper+ by extensive experiments on Android smartphones. The results of the experiment show that the PriWhisper+ can protect the data confidentiality within thirty centimeters of communication range.

Dajiang Chen,Ning Zhang,Zhen Qin,Xufei Mao,Zhiguang Qin,Xuemin Shen,Xiang-Yang Li

DOI: https://doi.org/10.1109/jiot.2016.2619679

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:Device authentication is a critical and challenging issue for the emerging Internet of Things (IoT). One promising solution to authenticate IoT devices is to extract a fingerprint to perform device authentication by exploiting variations in the transmitted signal caused by hardware and manufacturing inconsistencies. In this paper, we propose a lightweight device authentication protocol [named speaker-to-microphone (S2M)] by leveraging the frequency response of a speaker and a microphone from two wireless IoT devices as the acoustic hardware fingerprint. S2M authenticates the legitimate user by matching the fingerprint extracted in the learning process and the verification process, respectively. To validate and evaluate the performance of S2M, we design and implement it in both mobile phones and PCs and the extensive experimental results show that S2M achieves both low false negative rate and low false positive rate in various scenarios under different attacks.