Proximity Based IoT Device Authentication

Internet of Things (IoT) devices are largely embedded

devices which lack a sophisticated user interface, e.g., touch

screen, keyboard, etc. As a consequence, traditional Pre-Shared

Key (PSK) based authentication for mobile devices becomes

difficult to apply. For example, according to our study on home

automation devices which leverage smartphone for PSK input,

the current process does not protect against active impersonating

attack and also leaks the Wi-Fi password to eavesdroppers, i.e.,

currently these IoT devices can be exploited to enter into critical

infrastructures, e.g., home networks. Motivated by this realworld

security vulnerability, in this paper we propose a novel

proximity-based mechanism for IoT device authentication, called

Move2Auth, for the purpose of enhancing IoT device security. In

Move2Auth, we require user to hold smartphone and perform one

of two hand-gestures (moving towards and away, and rotating)

in front of IoT device. By combining (1) large RSS-variation and

(2) matching between RSS-trace and smartphone sensor-trace,

Move2Auth can reliably detect proximity and authenticate IoT

device accordingly. Based on our implementation on Samsung

Galaxy smartphone and commodity Wi-Fi adapter, we prove

Move2Auth can protect against powerful active attack, i.e., the

false-positive rate is consistently lower than 0:5%.