On the Usability of Secure Association of Wireless Devices Based on Distance Bounding

Abstract. When users wish to establish wireless communication between their devices, the channel needs to be bootstrapped first. Usually, the channel is desired to be authenticated and confidential, in order to mitigate any malicious control of or eavesdropping over the communication. When there is no prior security context, such as, shared secrets, common key servers or public key certificates, device association necessitates some level of user involvement into the process. A wide variety of user-aided security association techniques have been proposed in the past. A promising set of techniques require out-of-band communication between the devices (e.g., auditory, visual, or tactile). The usability evaluation of such techniques has been an active area of research. In this paper, our focus is on the usability of an alternative method of secure association – Integrity regions (I-regions) [40] – based on distance bounding. I-regions achieves secure association by verification of entity proximity through time-to-travel measurements over ultrasonic or radio channels. Security of I-regions crucially relies on the assumption that human users can correctly gauge the distance between two communicating devices. We demonstrate, via a thorough usability study of the I-regions technique and related statistical analysis, that such an assumption does not hold in practice. Our results indicate that I-regions can yield high error rates, undermining its security and usability under common communication scenarios