FastZIP: Faster and More Secure Zero-Interaction Pairing

TL;DR

FastZIP is a novel zero-interaction pairing scheme that significantly reduces pairing time and enhances security for IoT devices by combining fuzzy password-authenticated key exchange with sensor data fusion, demonstrated in automotive scenarios.

Contribution

FastZIP introduces a faster, more secure ZIP protocol using fPAKE and sensor fusion, addressing key limitations of existing schemes.

Findings

Up to three times faster pairing than existing ZIP schemes.

Achieved low adversarial error rates below 0.5%.

Validated in real-world car driving scenarios over 800 km.

Abstract

With the advent of the Internet of Things (IoT), establishing a secure channel between smart devices becomes crucial. Recent research proposes zero-interaction pairing (ZIP), which enables pairing without user assistance by utilizing devices' physical context (e.g., ambient audio) to obtain a shared secret key. The state-of-the-art ZIP schemes suffer from three limitations: (1) prolonged pairing time (i.e., minutes or hours), (2) vulnerability to brute-force offline attacks on a shared key, and (3) susceptibility to attacks caused by predictable context (e.g., replay attack) because they rely on limited entropy of physical context to protect a shared key. We address these limitations, proposing FastZIP, a novel ZIP scheme that significantly reduces pairing time while preventing offline and predictable context attacks. In particular, we adapt a recently introduced Fuzzy Password-Authenticated Key Exchange (fPAKE) protocol and utilize sensor fusion, maximizing their advantages. We instantiate FastZIP for intra-car device pairing to demonstrate its feasibility and show how the design of FastZIP can be adapted to other ZIP use cases. We implement FastZIP and evaluate it by driving four cars for a total of 800 km. We achieve up to three times shorter pairing time compared to the state-of-the-art ZIP schemes while assuring robust security with adversarial error rates below 0.5%.