On Pairing Constrained Wireless Devices Based on Secrecy of Auxiliary Channels: The Case of Acoustic Eavesdropping
Abstract
Secure “pairing” of wireless devices based on auxiliary or out-of-band (OOB) – audio, visual or tactile – communication is a well-established research direction. Lack of good quality interfaces on or physical access to certain constrained devices (e.g., headsets, access points, medical implants) makes pairing a challenging problem in practice. Prior work shows that pairing of constrained devices based on authenticated OOB (A-OOB) channels can be prone to human errors that eventually translate into man-in-the-middle attacks. An alternative and more usable solution is to use OOB channel(s) that are authenticated as well as secret (AS-OOB). AS-OOB pairing can be achieved by simply transmitting the key or a short password over the AS-OOB channel, avoiding potential serious human errors.
A higher level goal of this paper is to analyze the security of AS-OOB pairing. More specifically, we take a closer look at three notable prior AS-OOB pairing proposals and challenge the direct or indirect assumption upon which the security of these proposals relies, i.e., the secrecy of underlying or associated audio channels. The first proposal (IMD Pairing) uses a low frequency audio channel to pair an implanted RFID tag with an external reader. The second proposal (PIN-Vibra) uses an automated vibrational channel to pair a mobile phone with a personal RFID tag. The third proposal (BEDA) uses vibration (or blinking) on one device and manually synchronized button pressing on the other device.
In particular, we demonstrate the feasibility of eavesdropping over acoustic emanations associated with these methods. Based on our results, we conclude that these methods provide a weaker level of security compared to what was originally assumed or is desired for the pairing operation.