
New mechanism allows users to log in to their terminals without inputting a password

Researchers believe they’ve developed the technology that will free users of having to remember unique passwords

While passwords are a common security measure to prevent hackers from accessing a device, they’re not perfect, and don’t always do the job of protecting sensitive information. For that reason, researchers have long sought an alternative measure of protection, one that’s not only more convenient for the user but also a bit more secure.

Researchers at the University of Alabama (Birmingham) believe they’ve created a solution, and it’s based on a technology referred to as “zero-interaction authentication.”


Zero-interaction authentication allows a user to access a terminal, whether it be their laptop or their automobile, without actually interacting with the device. Instead of the user punching in a passcode, access is granted when the verification system detects the user’s security token. This could be a smartphone, car key, etc., and it can be detected using an authentication protocol over a short-range wireless communication channel like Bluetooth. This set-up eliminates the need for a password and lessens the risks associated with passwords.


If the technology sounds familiar, that’s because it’s already in use as a passive keyless entry and start system that unlocks a car door and starts the engine based on the token’s proximity to the car. This same technology is also used with computers: An app called “BlueProximity” allows a user to unlock the idle screen on their computer by approaching the device while holding a smartphone that’s been set up to connect with it.


Now, while the technology is already set up and in use, it’s not perfect. One way hackers have found to circumvent the technology is the relay attack, or ghost-and-leech attack as it is more commonly called. In this scheme, a hacker at the terminal gains access with the help of a second hacker, or leech, who is close to the user at another location and relays the authentication to the terminal.

The goal of the research is to stop this sort of attack, and make zero-interaction authentication the most secure way to go about accessing a terminal.

“The goal of our research is to examine the existing security measures that zero-interaction authentication systems employ and improve them,” said Nitesh Saxena, Ph.D., an associate professor in the Department of Computer and Information Sciences, a co-leader of the Center for Information Assurance and Joint Forensics Research, and the one responsible for leading this research. “We want to identify a mechanism that will provide increased security against relay attacks and maintain the ease of use.” 

Two types of sensor modalities were examined to see if they could be used to protect zero-interaction systems from relay attacks without affecting usability. The first type examined was the sensors commonly present on devices, including Wi-Fi, Bluetooth, GPS, and audio. Second, the group looked at the capabilities of using ambient physical sensors as a proximity-detection mechanism. Seeing an opportunity with this particular grouping, they focused on four particular sensors: ambient temperature, precision gas, humidity, and altitude. Each one, the team found, helped the system verify that the two devices attempting to connect to one another are, in fact, in the same location, thereby thwarting a ghost-and-leech attack.

What’s more, when these sensor modalities were used in combination with one another, security was that much better. 

“Our results suggest that an individual sensor modality may not provide a sufficient level of security and usability,” Saxena said. “However, multiple modality combinations result in a robust relay-attack defense and good usability.”
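A minimal sketch of the co-location check described above, added here as an illustration and not the researchers' code: the terminal compares its own ambient readings with those reported by the token and unlocks only if every required modality agrees. The fixed-tolerance comparison, the field names, the tolerance values and the sample readings are all assumptions constructed for this example.

```python
# Maximum difference between the terminal's and the token's reading for a
# modality to count as "same location". Illustrative assumptions only.
TOLERANCE = {
    "temperature_c": 1.0,
    "humidity_pct": 4.0,
    "gas_ppm": 30.0,
    "altitude_m": 3.0,
}

def modality_votes(terminal, token):
    """Return {modality: bool} for each modality that both devices report."""
    votes = {}
    for name, tol in TOLERANCE.items():
        if name in terminal and name in token:
            votes[name] = abs(terminal[name] - token[name]) <= tol
    return votes

def co_present(terminal, token, required=tuple(TOLERANCE)):
    """Unlock decision: every required modality must be reported and agree.

    A modality missing from either side counts as a failure (fail closed),
    so a token cannot pass by simply omitting a sensor that would disagree.
    """
    votes = modality_votes(terminal, token)
    return all(votes.get(name, False) for name in required)

# Constructed sample readings (not measured data).
TERMINAL = {"temperature_c": 22.4, "humidity_pct": 41.0,
            "gas_ppm": 410.0, "altitude_m": 183.0}
# Token carried by the user standing next to the terminal.
TOKEN_NEARBY = {"temperature_c": 22.9, "humidity_pct": 42.5,
                "gas_ppm": 420.0, "altitude_m": 184.0}
# Token in another climate-controlled building, reached through a relay:
# the temperature happens to match, the other modalities do not.
TOKEN_RELAYED = {"temperature_c": 22.1, "humidity_pct": 55.0,
                 "gas_ppm": 520.0, "altitude_m": 96.0}
# Token that reports only one sensor.
TOKEN_PARTIAL = {"temperature_c": 22.5}

if __name__ == "__main__":
    print("nearby, all modalities:  ", co_present(TERMINAL, TOKEN_NEARBY))
    print("relayed, temperature only:",
          co_present(TERMINAL, TOKEN_RELAYED, required=("temperature_c",)))
    print("relayed, all modalities: ", co_present(TERMINAL, TOKEN_RELAYED))
    print("partial report:          ", co_present(TERMINAL, TOKEN_PARTIAL))
```

In a deployment the token's readings would have to travel inside the authenticated exchange, so that only the genuine token's readings are compared.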

The good news is that there are already platforms out there that employ sensor modalities to prevent relay attacks in mobile and wireless systems on existing smartphones; they can also be easily added using extension devices. According to Saxena, this technology will become more commonplace in the near future. 

“Users will be able to use an app on their phones to lock and unlock their laptops, desktops or even their cars, without passwords and without having to worry about relay attacks,” said Babins Shrestha, a UAB doctoral student and co-author on the papers. “Our research shows that this can be done while preserving a high level of usability and security.”

Saxena’s group at the University of Alabama collaborated with researchers at the University of Helsinki and Aalto University (Finland) on the study. Their work was recently presented at the International Conference on Pervasive Computing and Communication and the Financial Cryptography and Data Security conference. 

Looking ahead, the group will continue to work toward further perfecting the system. 

Story via uab.edu
