Xiaopeng Li

Date of Award

Summer 2020

Document Type

Open Access Dissertation


Computer Science and Engineering

First Advisor

Lannan Luo

Second Advisor

Wenyuan Xu


Internet of Things (IoT) technologies have made our lives more convenient and better informed by sensing and monitoring our surroundings. Security applications, such as device pairing and user authentication, are fundamental to building a trustworthy smart environment. A secure and convenient pairing approach is critical to IoT-enabled applications, as pairing establishes a secure wireless communication channel between devices. In addition, a smart environment usually has multiple people (e.g., patients and doctors in a hospital) who have physical access to the deployed IoT devices and to sensitive dumb objects (e.g., a cabinet storing medical records); but not all of them are supposed to operate the devices/objects and access the potentially sensitive information stored in them. Therefore, how to authenticate users operating IoT devices and dumb objects is highly important.

Existing security measures either rely on special hardware, have poor usability, or are vulnerable to attacks, and thus fail to protect resource-constrained IoT devices and dumb objects. This thesis aims at addressing the above shortcomings and implementing three security applications: (1) performing secure pairing for IoT devices that lack conventional user interfaces, such as keyboards and displays; (2) providing secure and applicable authentication for IoT devices; (3) validating uses of sensitive dumb objects that have no user input interfaces.

First, we propose a technique, Universal Operation Sensing, which allows an IoT device to sense the user's physical operations on it without requiring inertial sensors. Based on this technique, a user carrying a smartphone or wearing a wristband can finish pairing in seconds by 'touching' the target device in the form of some very simple operations. We design a pairing protocol based on fuzzy commitment and build a prototype system named T2Pair. The comprehensive evaluation shows that it is secure and usable.

Second, we design three usable authentication gestures by asking the user to 'pet' the devices (in the form of some very simple touches lasting about 2 seconds). We build a secure and intuitive authentication method that authenticates device users by comparing the petting operations sensed by the devices with those captured by the user's wristband. The authentication method is highly secure because physical operations are required, rather than mere proximity. It is also intuitive, adopting very simple authentication operations, e.g., clicking buttons, twisting rotary knobs, and swiping touchscreens. Unlike state-of-the-art methods, our method does not require any hardware modification of the devices, and thus can be applied to commercial off-the-shelf (COTS) devices.

Finally, we present the first implicit and accurate authentication approach for dumb objects, named MoMatch. (1) It provides implicit and continuous authentication for dumb objects, which do not have traditional authentication interfaces like keypads and mice. (2) It is accurate, with an average area under the curve (AUC) of 0.97 across 10 different dumb objects. (3) It makes fast authentication decisions based on a single object interaction, e.g., pushing a door. (4) It uses zero biometrics, so it does not need user profiling. (5) Rigorous security studies are performed, showing that MoMatch is resilient to attacks. The approach is built on a solid causal relationship: an object has a motion typically because a human hand moves it; thus, the object's motion and the legitimate user's hand movement should correlate.
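The causal relationship MoMatch relies on can be illustrated with a small correlation check. The following is an added example, not code from the dissertation or the MoMatch prototype: it compares a constructed motion trace from an object sensor with a constructed trace from the user's wristband, searching over a small sample lag to absorb sensor timing offsets, and accepts only when the lag-tolerant Pearson correlation exceeds an assumed threshold. The sample values, the lag bound and the threshold are assumptions for illustration.

```python
import math


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (0.0 if either is constant)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((v - mx) ** 2 for v in x)
    syy = sum((v - my) ** 2 for v in y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def max_lagged_corr(obj, hand, max_lag):
    """Best Pearson correlation of obj vs. hand over sample lags in [-max_lag, max_lag].

    A small lag window tolerates clock offset between the object's sensor and the
    wristband; a large window would let an attacker's unrelated motion line up by chance.
    """
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            x, y = obj[lag:], hand[:len(hand) - lag]
        else:
            x, y = obj[:len(obj) + lag], hand[-lag:]
        if len(x) < 3:
            continue
        best = max(best, pearson(x, y))
    return best


def momatch_decision(obj, hand, max_lag=2, threshold=0.8):
    """Accept the interaction when object and hand motion correlate strongly enough.

    The threshold and lag bound are assumed values, not the dissertation's parameters.
    """
    return max_lagged_corr(obj, hand, max_lag) >= threshold


# Constructed traces (arbitrary units, one sample per tick): a door-push pulse as seen by
# the object's sensor, the legitimate user's wrist (same shape, shifted by one tick,
# larger amplitude, slight noise), and a bystander's wrist moving at a different time.
OBJECT_TRACE = [0, 0, 1, 3, 5, 4, 2, 1, 0, 0, 0, 0]
LEGIT_HAND = [0, 0, 0, 2, 6, 9, 8, 4, 2, 1, 0, 0]
OTHER_HAND = [3, 1, 0, 0, 0, 0, 0, 0, 1, 4, 5, 2]

if __name__ == "__main__":
    print("legitimate user:", momatch_decision(OBJECT_TRACE, LEGIT_HAND))  # True
    print("bystander:", momatch_decision(OBJECT_TRACE, OTHER_HAND))  # False
```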