T2Pair++: Secure and Usable IoT Pairing with Zero Information Loss

Secure pairing is crucial for ensuring the trustworthy deployment and operation of Internet of Things (IoT) devices. However, traditional pairing methods are often unsuitable for IoT devices due to their lack of conventional user interfaces, such as keyboards. Proximity-based pairing approaches are usable but vulnerable to exploitation by co-located malicious devices. While methods based on a user's physical operations (such as shaking) on IoT devices offer greater security, they typically rely on inertial sensors to sense the operations, which most IoT devices lack. We introduce a novel technique called Universal Operation Sensing, enabling IoT devices to sense the user's physical operations without the need for inertial sensors. With this technique, users can complete the pairing process within seconds using simple actions such as pressing a button or twisting a knob, whether they are holding a smartphone or wearing a smartwatch. Moreover, we reveal an inaccuracy issue in the fuzzy commitment protocol, which is frequently used for pairing. To address it, we propose an accurate pairing protocol, which does not use fuzzy commitment and incurs zero information loss. The comprehensive evaluation shows that it is secure, usable and efficient.