2,357 research outputs found
Lights, Camera, Action! Exploring Effects of Visual Distractions on Completion of Security Tasks
Human errors in performing security-critical tasks are typically blamed on
the complexity of those tasks. However, such errors can also occur because of
(possibly unexpected) sensory distractions. A sensory distraction that produces
negative effects can be abused by the adversary that controls the environment.
Meanwhile, a distraction with positive effects can be artificially introduced
to improve user performance.
The goal of this work is to explore the effects of visual stimuli on the
performance of security-critical tasks. To this end, we experimented with a
large number of subjects who were exposed to a range of unexpected visual
stimuli while attempting to perform Bluetooth Pairing. Our results clearly
demonstrate substantially increased task completion times and markedly lower
task success rates. These negative effects are noteworthy, especially, when
contrasted with prior results on audio distractions which had positive effects
on performance of similar tasks. Experiments were conducted in a novel (fully
automated and completely unattended) experimental environment. This yielded
more uniform experiments, better scalability and significantly lower financial
and logistical burdens. We discuss this experience, including benefits and
limitations of the unattended automated experiment paradigm
MagicPairing: Apple's Take on Securing Bluetooth Peripherals
Device pairing in large Internet of Things (IoT) deployments is a challenge
for device manufacturers and users. Bluetooth offers a comparably smooth trust
on first use pairing experience. Bluetooth, though, is well-known for security
flaws in the pairing process. In this paper, we analyze how Apple improves the
security of Bluetooth pairing while still maintaining its usability and
specification compliance. The proprietary protocol that resides on top of
Bluetooth is called MagicPairing. It enables the user to pair a device once
with Apple's ecosystem and then seamlessly use it with all their other Apple
devices. We analyze both, the security properties provided by this protocol, as
well as its implementations. In general, MagicPairing could be adapted by other
IoT vendors to improve Bluetooth security. Even though the overall protocol is
well-designed, we identified multiple vulnerabilities within Apple's
implementations with over-the-air and in-process fuzzing
Survey and Systematization of Secure Device Pairing
Secure Device Pairing (SDP) schemes have been developed to facilitate secure
communications among smart devices, both personal mobile devices and Internet
of Things (IoT) devices. Comparison and assessment of SDP schemes is
troublesome, because each scheme makes different assumptions about out-of-band
channels and adversary models, and are driven by their particular use-cases. A
conceptual model that facilitates meaningful comparison among SDP schemes is
missing. We provide such a model. In this article, we survey and analyze a wide
range of SDP schemes that are described in the literature, including a number
that have been adopted as standards. A system model and consistent terminology
for SDP schemes are built on the foundation of this survey, which are then used
to classify existing SDP schemes into a taxonomy that, for the first time,
enables their meaningful comparison and analysis.The existing SDP schemes are
analyzed using this model, revealing common systemic security weaknesses among
the surveyed SDP schemes that should become priority areas for future SDP
research, such as improving the integration of privacy requirements into the
design of SDP schemes. Our results allow SDP scheme designers to create schemes
that are more easily comparable with one another, and to assist the prevention
of persisting the weaknesses common to the current generation of SDP schemes.Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications
Surveys & Tutorials 2017 (Volume: PP, Issue: 99
e-SAFE: Secure, Efficient and Forensics-Enabled Access to Implantable Medical Devices
To facilitate monitoring and management, modern Implantable Medical Devices
(IMDs) are often equipped with wireless capabilities, which raise the risk of
malicious access to IMDs. Although schemes are proposed to secure the IMD
access, some issues are still open. First, pre-sharing a long-term key between
a patient's IMD and a doctor's programmer is vulnerable since once the doctor's
programmer is compromised, all of her patients suffer; establishing a temporary
key by leveraging proximity gets rid of pre-shared keys, but as the approach
lacks real authentication, it can be exploited by nearby adversaries or through
man-in-the-middle attacks. Second, while prolonging the lifetime of IMDs is one
of the most important design goals, few schemes explore to lower the
communication and computation overhead all at once. Finally, how to safely
record the commands issued by doctors for the purpose of forensics, which can
be the last measure to protect the patients' rights, is commonly omitted in the
existing literature. Motivated by these important yet open problems, we propose
an innovative scheme e-SAFE, which significantly improves security and safety,
reduces the communication overhead and enables IMD-access forensics. We present
a novel lightweight compressive sensing based encryption algorithm to encrypt
and compress the IMD data simultaneously, reducing the data transmission
overhead by over 50% while ensuring high data confidentiality and usability.
Furthermore, we provide a suite of protocols regarding device pairing,
dual-factor authentication, and accountability-enabled access. The security
analysis and performance evaluation show the validity and efficiency of the
proposed scheme
Enhancement of bluetooth security authentication using hash-based message authentication code (HMAC) algorithm
Recently, Bluetooth technology is widely used by
organizations and individuals to provide wireless personal area
network (WPAN). This is because the radio frequency (RF)
waves can easily penetrate obstacles and can propagate without
direct line-of-sight (LoS). These two characteristics have led to
replace wired communication by wireless systems. However,
there are serious security challenges associated with wireless
communication systems because they are easier to eavesdrop,
disrupt and jam than the wired systems. Bluetooth technology
started with a form of pairing called legacy pairing prior to any
communication. However, due to the serious security issues found
in the legacy pairing, a secure and simple pairing called SPP was
announced with Bluetooth 2.1 and later since 2007. SPP has
solved the main security issue which is the weaknesses of the PIN
code in the legacy pairing, however it has been found with some
vulnerabilities such as eavesdropping and man-in-the-middle
(MITM) attacks. Since the discovery of these vulnerabilities,
some enhancements have been proposed to the Bluetooth
Specification Interest Group (SIG) which is the regulatory body
of Bluetooth technology; nevertheless, some proposed
enhancements are ineffective or are not yet implemented by
Manufacturers. Therefore, an improvement of the security
authentication in Bluetooth connection is highly required to
overcome the existing drawbacks. This proposed protocol uses
Hash-based Message Authentication Code (HMAC) algorithm
with Secure Hash Algorithm (SHA-256). The implementation of
this proposal is based on the Arduino Integrated Development
Environment (IDE) as software and a Bluetooth (BT) Shield
connected to an Arduino Uno R3 boards as hardware. The result
was verified on a Graphical User Interface (GUI) built in
Microsoft Visual Studio 2010 with C sharp as default
environment. It has shown that the proposed scheme works
perfectly with the used hardware and software. In addition, the
protocol thwarts the passive and active eavesdropping attacks
which exist during SSP. These attacks are defeated by avoiding
the exchange of passwords and public keys in plain text between
the Master and the Slave. Therefore, this protocol is expected to
be implemented by the SIG to enhance the security in Bluetooth
connection
- …