Secure pairing is essential for trustworthy deployment and operation of Internet of Things (IoT) devices. However, traditional pairing methods are unsuitable due to the lack of user interfaces such as keyboards. Proximity-based approaches are usable but vulnerable to nearby attackers, while methods relying on physical operations (e.g., shaking) offer higher security but require inertial sensors that most IoT devices lack. We introduce Universal Operation Sensing, which enables IoT devices to detect user operations without inertial sensors. With this technique, users can complete pairing within seconds through simple actions, such as pressing a button or twisting a knob, using either a smartphone or a smartwatch. We further identify an accuracy issue caused by information loss in the commonly used fuzzy-commitment protocol. To address this issue, we propose TimeWall, an accurate pairing protocol that avoids fuzzy commitment and incurs zero information loss. A comprehensive evaluation shows that it is secure, usable, and efficient.