MagPairing: Pairing in Close Proximity Using Magnetometers Rong Jin∗, Liu Shi†, Kai Zeng‡ , Amit Pande§, Prasant Mohapatra§ ∗School of Electronic Information and Communications, Huazhong University of Science and Technology Email: [email protected] †Department of Computer and Information Science, University of Michigan - Dearborn, MI 48128 Email: [email protected] ‡ Department of Electrical and Computer Engineering, George Mason University, VA 22030 Email: [email protected] §Department of Computer Science, University of California, Davis, CA, 95616 Email: {amit,prasant}@cs.ucdavis.edu

Abstract—With the prevalence of mobile computing, lots of Using auxiliary out-of-band (OOB) channels to facilitate wireless devices need to establish secure communication on the device pairing has been studied as a feasible option involving fly without pre-shared secrets. Device pairing is critical for visual [1, 2, 3, 4, 5, 6, 7, 8], acoustic [9, 10, 11, 12, 13], bootstrapping secure communication between two previously u- nassociated devices over the wireless channel. Using auxiliary out- tactile [14] or vibrational sensors [15, 16]. However, these of-band channels involving visual, acoustic, tactile or vibrational methods are not optimized in terms of usability, which is sensors has been proposed as a feasible option to facilitate device considered of utmost importance in pairing scheme based on pairing. However, these methods usually require users to perform OOB channels [2, 17, 18, 19], and require users to perform additional tasks such as copying, comparing, and shaking. It is additional tasks such as copying, comparing and shaking. It preferable to have a natural and intuitive pairing method with minimal user tasks. is preferable to have a natural and intuitive pairing method In this paper, we introduce a new method, called MagPairing, designed with minimal user tasks. for pairing smartphones in close proximity by exploiting corre- In this work, we focus on device pairing using magnetome- lated magnetometer readings. In MagPairing, users only need to ter sensors in the smartphones and develop an intuitive scheme, naturally tap the smartphones together for a few seconds without called MagPairing, which pairs two smartphones when they performing any additional operations in authentication and key establishment. Our method exploits the fact that smartphones are tapped together. We prefer the use of magnetometer sensors are equipped with tiny magnets. Highly correlated magnetic over audio and visual schemes [2, 9] because this involves field patterns are produced when two smartphones are close to minimal user intervention and achieves better usability. Device each other. We design MagPairing protocol and implement it on pairing using sensors [15, 16] involves asking Android smartphones. We conduct extensive simulations and real user to perform some typical task such as shaking the phones world experiments to evaluate MagPairing. Experiments verify that the captured sensor data on which MagPairing is based which is less intuitive than simply tapping the devices. has high entropy and sufficient length, and is nondisclosure to In MagPairing, users only need to naturally tap the smart attackers more than few centimeters away. Usability tests on phones together for a few seconds without performing any various kinds of smartphones by totally untrained users show additional operations in authentication and key establishment. that the whole pairing process needs only 4.5 seconds on average The embedded magnetometer sensor in smartphones provides with more than 90% success rate. a measure of magnetic field along X, Y, and Z directions [20, 21]. Our method exploits the fact that smartphones are equipped with tiny magnets themselves. When two smart- I.INTRODUCTION phones are tapped together, their magnetometers are reading Smartphones have become increasingly popular in recent the magnetic fields at almost the same point, yielding highly years, leading to many new applications such as file swapping, correlated sensor data of magnetic field patterns. The sensor music sharing, and collaborative gaming, where nearby users data are used to authenticate early established DH-key to engage in spontaneous wireless data communications using prevent man-in-the-middle attacks. or WiFi interfaces. An important security issue In MagPairing, we tackle the challenge that sensor data during bootstrap phase is to securely associate two devices and collected by distributed smartphones are not synchronized and generate shared secret keys to protect the subsequent wireless spatial aligned. Moreover, we consider the problem that user communications, often without any prior context. Such “device may wag and rotate unconsciously when holding smartphones. pairing” or “first connect” is critical for bootstrapping secure We implemented MagPairing on Android smartphones. We communication between two previously unassociated devices conduct extensive simulations and real world experiments to over the wireless channel. evaluate MagPairing. Experiments verify that the captured sensor data on which MagPairing is based has high entropy ‡ Kai Zeng is the Corresponding author and sufficient length; the sensor data information cannot be estimated and forged by attacker to perform man-in-the-middle to transmit cryptographic protocol messages and requires the attacker even when the attacker is a few centimeters away from user to merely monitor device interaction for any extraneous tapped smartphones. Usability tests by totally untrained users interference. A pairing method based on synchronized audio- show that the whole pairing process needs only 4.5 seconds visual patterns [13] are further developed. The proposed meth- on average with more than 90% success rate. Scalability tests ods, “Blink–Blink”, “Beep–Beep” and “Beep–Blink”, involve on 3 types of smartphones: , GALAXY 3 and users comparing very simple audiovisual patterns, e.g., in the MX 4 validate that MagPairing is widely applicable form of “beeping” and “blinking”, transmitted as simultaneous and easy to use. The main contributions of this paper are streams, forming two synchronized channels. Comparing with summarized as follows: our solution, the use of acoustic signal is considered taking 1) We design a protocol to achieve secure more user’s attention of listening and comparing. While, in device paring by using the correlated readings on re- MagPairing, the comparing of the similarity of sensor data spective magnetometers. is done by smartphones automatically. Moreover, the use of 2) We conduct extensive simulations to evaluate our acoustic signal is constrained within noiseless environment. method. 3) We implement the protocol on Android smartphones and C. Tactile channel conduct extensive experiments to evaluate and validate Another approach [14], “Button-Enabled Device Authenti- our proposed method. cation (BEDA)”, suggests pairing devices with the help of user Although MagPairing is validated on smartphones, it can button presses, thus utilizing the tactile OOB channel. This be applied to facilitate the pairing of other wireless devices method has several variants: “LED–Button”, “Beep–Button”, which are equipped with magnetometers, such as generic body “Vibration–Button”, and “Button–Button”. In the first two sensors and wearable computing devices [19, 22], providing a variants, the sending device blinks its LED (or vibrates or method for intuitive secure device pairing. beeps) and the user presses a button on the receiving device. In the Button–Button variant, the user simultaneously presses II.RELATED WORK buttons on both devices. Comparing with our solution, the One prominent research direction for device pairing is the action of “button pressing” itself is considered taking more use of auxiliary – also referred to as “out-of-band” (OOB) user’s attention. channels, which are both perceivable and manageable by the users who own and operate the devices. Existing option D. Vibration channel involves 1) visual, 2) acoustic, 3) tactile or 4) vibrational “Smart-Its-Friends” [15] and “Shake-Well-Before-Use” [16] sensors. exploit common movement pattern to communicate a shared secret to both devices as they are shaken together by the A. Visual channel user. The user needs to hold the devices together and perform In some early approaches [3, 4, 5], OOB data are encoded shaking for around 5 seconds. Comparing with our solution, into images and the users are asked to compare them on the action of “shaking” is considered taking more strength two devices. In a more recent approach [6], “Seeing-is- than the action of “tapping”. Moreover, “shaking” is usually Believing” (SiB), one device encodes the public key into a an “up-down” movement, which provides randomness only in two-dimensional bar code and displays it on its screen, and z direction, leading to a relative longer pairing time. the other device “reads it” using a photo camera, operated by the user. Follow-on work [8] considers the scalability problem E. OOB channel summary when applying SiB to multiple handheld devices. It devises a system that takes only one photo during the authentication A usability analysis of the existing popular device pairing protocol for two handheld devices. Another approach [7], schemes are presented in [17]. It reports that many of the similar to SiB, requires that LED-equipped device transmits existing schemes have a large computational time and high OOB data via the blinking. Comparing with our solution, fatal error rate, and are perceived difficultly by the end-user. image comparison is considered taking more user’s attention Another comprehensive study on usability of secure device of opening camera application and concentration on certain pairing schemes [23] advocates the user of limited visual in- objective image. formation over methods that require comparing more extensive information. Results from another usability study [18] show that simple number comparison is quite attractive overall, be- B. Acoustic channel ing both fast and secure as well as readily acceptable by users In [10], audio channel is used to represent the information over blinking, audio, visual, phrase comparison approaches. exchanged over the main wireless channel. There are two It takes an average time of 8.6 seconds but requires human variants: “Display–Speaker” and “Speaker–Speaker”, where intervention. the user compares the displayed sentence with its vocalized A recent investigation to the security of device pairing counterpart and two vocalized sentences, respectively. Follow- based on OOB channels [24] demonstrates the feasibility of on works [11, 12] consider that pairing devices have no eavesdropping over acoustic emanations associated with audio, common wireless channel at pairing time. They use pure audio visual, or tactile methods and conclude that they provide a weaker level of security than was originally assumed or desired sensor data collected by MagPairing and analyze the security for the pairing operation. strength in practical use. (3) We analyze the impact of sensor As a conclusion, existing works on pairing are still not data collection duration on MagPairing. (4) We include the optimized in terms of usability and security. Tapping has a MagPairing’s schemes to protect against internal threat. (5) number of characteristics owning to which users may prefer. We discuss possible external magnetic field interferences and (1) It is intuitive. People are familiar with tapping objects as their impacts on MagPairing. (6) We add comparison of manual interaction that does not require learning, for instance MagPairing scheme with Physical Proximity Based Security from tapping photos or attached files on a form to glue them scheme, which exploits shared ambient radio signals in the together or tapping two objects to compare their size. This same geographic area to authenticate nearby devices. (7) We means that tapping is unobtrusive in the sense that it does include more references. not require the users full attention while being performed. (2) It involves little user interaction. From a user perspective, III.OVERVIEW OF MAGPAIRING bring two smartphones together is a simple and quick action. In this paper, we consider the scenario where two smart- While for instance, visual based techniques are considered a phones, Alice and Bob, want to bootstrap a secure communi- little bit slower since a user is expected to open the camera cation by generating a shared secret key between themselves application and focus on the object image. (3) It takes a over a wireless channel without any pre-shared secret. The short time. Since magnetic field patterns are three dimensional, two smartphones are both equipped with magnetometers and sensor data extracted by MagPairing has a high entropy rate wireless interfaces (i.e., WiFi). which leads to a short sensor data collection time and total Attacker model: We assume a powerful active attacker. The device pairing time. (4) It is extendable. In order for the attacker can intercept all messages sent by Alice and Bob and navigation leveraging Earths magnetic field, magnetometers inject arbitrary messages over its wireless interface. It can are increasingly integrated into today’s wearable electronics make independent connections with the victims and relays (e.g. Apple watch and Android wear), gamepads, remote con- messages between them, making them believe that they are trols, smart cameras, MP3/4/5 players and portable navigation talking directly to each other over a private connection, while devices [25, 26]. Theoretically, MagPairing is applicable to all in fact the entire conversation is controlled by the attacker. portable devices equipped with magnetometers. Such an attacker is generally known as man-in-the-middle (MITM) attacker. The attacker may be a device having more powerful computational ability than the pairing smartphones, F. Physical proximity based security such as a laptop or a personal computer. The attacker can also In [27, 28], Physical layer features are extracted as shared conduct sophisticated signal processing. However, it is known secret for nearby devices. The principle is based on that clients that breaking symmetric key encryption such as AES 128 by in the same geographic area can observe a certain shared am- brutal force is infeasible with current technology. The attacker bient signals, such as the same normalized packet arrival time is also equipped with magnetometers. It can be close to Alice and similar received signal strengths (RSS). These physical and Bob, but cannot be at the same points as Alice and Bob layer features are location specific due to random wireless (at least 10cm away) due to the physical constraints. fading and cannot be easily estimated and forged by a client Fig. 1 shows the work flow of MagPairing. After triggering, outside the proximity of half-wavelength. Therefore, users can two devices are tapped together and initialize a standard exploit the ambient radio signals to establish spatial temporal Diffie-Hellman (DH) key agreement protocol. During DH location tags and use the location tags for authentication. key exchange, the two devices records their magnetometer However, the method is limited to the areas with plenty of readings simultaneously. Because the generated DH key is ambient radio sources, e.g. indoor environments with multiple susceptible to MITM attack, after DH key exchange completes, WiFi access points (APs), bluetooth devices and FM radios. the devices need to verify that their keys are equivalent. They The difficulty in proximity range control is another problem. encrypt and exchange their magnetometer readings via an Experimental work has demonstrated that there does exist a interlock protocol, which guarantees no disclosure of sensor strong correlation in measurements observed by passive eaves- data during transmission. Afterwards, sensor data are decrypt- droppers located significantly greater than a half-wavelength ed, and mutual authentications are executed locally on the away from legitimate devices [29]. Therefore, there is not a respective devices by comparing the similarity of the sensor clear safe guard distance to ensure the secrecy of the device data collected separately. If the similarity check is passed, the pairing. early generated DH key will be used for consecutive secure In this paper, we further exploit the potential of magnetome- communication. On the other hand, the attacker is unable to ters in security applications [30, 31] to develop an intuitive, sense or fabricate a correlated sensor data, thus would not be fast, secure, and user-friendly device pairing scheme, Mag- able to pass the similarity check and would be detected if it Pairing, which achieves high successful pairing rate with short ever launched a MITM attack. pairing time and is immune to the man-in-the-middle attack. Note that raw sensor data are not directly suitable for Compared with our earlier work presented in conference [32], similarity check, because they are collected by different s- (1) we include more experiments to test our protocol on 3 martphones and are not synchronized and spatially aligned. types of smartphones: NEXUS 5, GALAXY 3 and MEIZU Moreover, users may wag and rotate unconsciously when hold- MX 4. (2) We add experiments to calculate the entropy of ing smartphones. Thus, a series of sensor data pre-processing Fig. 2. Magnetic field under the coordinates of Alice and Bob

data acquisition is conceptually straightforward, but requires careful implementation. Magnetometer readings are assumed to be available in the form of time series of magnetic fields in all three directions, sampled at equidistant time steps. These must be taken locally and not be communicated wirelessly – for security purposes, it is critical not to leak any of this raw data, which can be difficult considering the possibility of powerful side-channel attacks. Our practical experience shows Fig. 1. Architecture of MagPairing protocol a sample rate of 50 Hz to be appropriate. must be conducted before the similarity check. We introduce sensor data pre-processing in detail in section IV. We introduce B. Sensor data synchronization triggering, DH key agreement, interlock schemes as well as As the two devices sample magnetic field time series the whole MagPairing protocol in Section V. independently, we require sensor data synchronization for comparison. We assume that Alice and Bob are equipped IV. SENSOR DATA PRE-PROCESSING with similar clocks so that the difference in sampling rate is According to the superposition principle, the net magnetic insignificant. However, they may start the sampling at different field is simply the vector sum of all contributing fields. When time. Therefore, we need to synchronize the starting points for two smartphones are tapped together, their magnetometers are time series comparison. reading the magnetic fields at almost the same point, which Suppose Alice and Bob sample the magnetic field respec- can be approximated as tively to get NA and NB sample points at each direction, yielding B = B + B + B (1) x T y T z T T net Earth 1 2 BAlice = [B , B , B ] Alice Alice Alice (3) x T y T z T T where BEarth is the Earth’s magnetic field. B1 and B2 are the BBob = [BBob , BBob , BBob ] magnetic fields produced by Alice and Bob’s inside magnets. where Conceptually, Bnet can be sampled to time series by Alice and Bob respectively as their shared information for x(y,z) x(y,z) x(y,z) x(y,z) BAlice = [BAlice (1),BAlice (2), ··· ,BAlice (NA)] (4) authentication. However, Bnet is the net magnetic field vector with respect to the Earth’s coordinates. The magnetometers’ x(y,z) x(y,z) x(y,z) x(y,z) BBob = [BBob (1),BBob (2), ··· ,BBob (NB)] (5) readings, BAlice and BBob, are under Alice and Bob’s own coordinates (as shown in Fig. 2). x y z where BAlice(i), BAlice(i), BAlice(i) represent the ith sample points at X, Y, and Z directions respectively measured by BAlice ≈ TEarth→AliceBnet x y z (2) Alice. BBob(i), BBob(i), BBob(i) represent the sample points BBob ≈ TEarth→BobBnet measured by Bob. where TEarth→Alice and TEarth→Bob are transformation We then calculate the average cross correlation between matrices from the Earth’s coordinates to Alice and Bob’s BAlice and BBob coordinates, respectively. Four pre-processing tasks executed as consecutive steps are |C (n)| + |C (n)| + |C (n)| C(n) = x y z (6) used to sample and align the sensor data so that correlation σx σx + σy σy + σz σz can build on normalized time series. 1) sensor data acquisition Alice Bob Alice Bob Alice Bob a (output BAlice, BBob), 2) synchronization (output BAlice, where Cx(n), Cy(n) and Cz(n) are the cross correlations at a b b BBob), 3) spatial alignment (output BAlice, BBob), 4) mean X, Y and Z directions by shifting Alice’s readings to the left c c value removal (output BAlice, BBob), by n, respectively, defined as

Ns−n 1 X x(y,z) x(y,z) A. Sensor data acquisition C (n) = (B (i + n) − µ ) x(y,z) N − n Alice Alice s i=1 (7) In this step, magnetic field data Bnet is sampled by Alice x(y,z) x(y,z) and Bob, yielding BAlice(i) and BBob(i), respectively. Sensor (BBob (i) − µBob ) −1 where TAlice→Bob = [TEarth→Alice] × TEarth→Bob is the coordinate transformation matrix between Alice and Bob, representing the spatial misalignment. The least squares estimation of TAlice→Bob is

ˆ a a TAlice→Bob = BBob × pinv(BAlice) (13)

where pinv(BAlice) is the Generalized inverse matrix of BAlice. Fig. 3. Two smart phones are face to face tapped We compensate TAlice→Bob to get the spatial aligned sensor data Bb and Bb . where Alice Bob

NA x(y,z) X x(y,z) D. Mean value removal µAlice = 1/NA [BAlice (i)] i=1 Final correlation should be performed on the randomness (8) Alice N of the sensor data after removing the mean value µ , 2 A x(y,z) X x(y,z) x(y,z) 2 µBob, otherwise a Reply attacker can keep the magnetometer σAlice = 1/NA [BAlice (i) − µAlice ] i=1 readings in the first attempt, and replay the readings in the second attempt. where N = Min(N ,N ). µ = [µx , µy , µz ] S A B Alice Alice Alice Alice A problem is that users prone to wag and rotate uncon- is the three directional mean magnetic field measured by Alice. sciously when holding smartphones, which makes the mean σ = [σx , σy , σz ] is the standard deviation. Alice Alice Alice Alice value of the sensor data a time varying parameter µAlice(t), Accordingly, µ and σ are the mean and standard Bob Bob µBob(t). To deal with the problem, we take short term average deviation of magnetic field measured by Bob. on Bb and Bb to follow the change of the mean value. When tapping two smart phones together as illustrated in Alice Bob

Fig. 3, the relative coordinate relationship of Alice and Bob is m+(Nw−1)/2 1 B B x(y,z) X x(y,z) “face to face”. That is, if Alice and Bob are synchronized: µAlice (m) = BAlice (i) Nw x x m−(Nw−1)/2 BAlice(i) ≈ BBob(i) (14) y y m+(Nw−1)/2 B (i) ≈ B (i) (9) x(y,z) 1 X x(y,z) Alice Bob µ (m) = B (i) z z Bob Bob B (i) ≈ −B (i) Nw Alice Bob m−(Nw−1)/2 It can be derived by substituting (9) into (6) that We remove the impact of mean value to get calibrated sensor data Bc and Bc . C(n) ≤ C(0) ≈ 1 (10) Alice Bob c b B = B − µAlice When there is a synchronization offset n0 between Alice Alice Alice c b (15) and Bob, we can get a similar equation BBob = BBob − µBob C(n) ≤ C(n ) ≈ 1 (11) 0 E. Sensor data reshaping Thus in implementation, we can take a peak search on C(n) In our case, the magnetometer readings are three dimen- to get the synchronization offset n0. We compensate the offset sional time series with arbitrary length – 3 × N matrices (we a a to get synchronized data BAlice and BBob. call them Matrix format). They must be reshaped to 1 × 3N It must be pointed out that C(n) is used for the purpose of strings to perform the correlation (we call them String format). synchronization, which is not a qualified correlation for the In addition, our encryption and decryption are based on block authentication of the shared key. In practice, Alice and Bob ciphers. Messages must fit in the size of the cipher block length may not have an ideal face to face coordinate relationship as (we call them Block format). illustrated in Fig. 3. Deviations come from the differences of Fig. 4 illustrates the sensor data reshaping scheme in the smart phones’ manufacturing, so that two devices may have MagPairing. To transform Matrix format to String format, heterogeneous internal coordinates. Moreover, users can hardly we simply align their row vectors together, and an opposite tap two smartphones exactly face to face. Fig. 2 illustrates operation is used for inverse transformation. practical coordinate relationship. To achieve higher correlation Bstr = [Bx , By , Bz ] Alice Alice Alice Alice (16) coefficient, spatial alignment is further required to match Alice Bstr = [Bx , By , Bz ] and Bob’s coordinates. Bob Bob Bob Bob To transform String format to Block format, we truncate the string to several blocks and add zeros at the end of the string C. Spatial alignment to fit in the final block, and an opposite operation is used for After two smartphones are tapped together, their relative inverse transformation. coordinate relationship is fixed, which can be written as In the rest of this paper, we will omit data format trans- formation process and assume that the sensor data are always a a TAlice→Bob × BAlice = BBob (12) transformed to correct format before processing. Fig. 4. Sensor data reshaping method in MagPairing

F. Correlation indicator. We ignore the magnetometer reading changes at The correlation is performed on pre-processed sensor data individual directions, which will not lead to the amplitude c c changes. To separate from the second situation, first we set BAlice, BBob of String format, which can be written as up a triggering interval [Blow,Bhigh] which matches the c c T BAliceBBob magnetic field strength of tapped smartphones to reduce the r = q (17) c c T c c T probability of false alarm. If the magnetometer’s amplitude BAliceBAlice BBobBBob change falls into the interval BAlice ∈ [Blow,Bhigh], the Two devices that are tapped together will experience similar, smartphone will try to contact to the respective device by but not exactly the same magnetic field patterns due to their sending a request. The pairing process will be terminated if no spatial separation, manufacturing differences and the impact reply is received within τ seconds (e.g. 3 seconds). After this of noise. According to our experiment, r is around 0.7, We termination, the pairing process will not be restarted unless a c c set the threshold r0 = 0.5 to judge whether BAlice and BBob pre-defined minimum time interval tinv is passed or the pairing are correlated. process is restarted manually by the user.

V. KEY ESTABLISHMENT AND AUTHENTICATION B. Diffie-Hellman and interlock PROTOCOL In this section, we describe the detail of MagPairing pro- In order to establish an identical key, we create a crypto- tocol, which includes pairing process triggering, DH key ex- graphically secure secret key via a standard Diffie-Hellman change, and interlock protocol used for mutual authentication. (DH) key agreement. Because DH is susceptible to MITM attack, it should be verified that their keys are equivalent. We then authenticate the key using the correlated strings as A. Pairing process triggering illustrated in Fig. 1. To achieve the goal of authentication, both strings need to Triggering can be direct user input, e.g. pressing an “authen- be available completely to both devices. Therefore, the mag- ticate now” button on both devices within a short time frame, netometers’ readings, B and B must be exchanged or implicit, simply by starting to tap both devices together. We Alice Bob during the interactive protocol – in a way that does not reveal prefer the second protocol due to its ease of use. them to an attacker. As two smartphones approach, Alice’s magnetometer read- This sensor data exchange is done with an interlock protocol ings B (t) change abruptly due to the proximity of Bob. Alice [33, 16]. Interlock is an efficient (in terms of message length) The same thing also happens to Bob. We use this abrupt method to verify that two parties share the same key. The magnetometer reading change as the signal of the start of strength of the protocol lies in the fact that half of an encrypted device pairing. Note that there are other situations which message cannot be decrypted. Thus, if Eve begins her attack will also cause the changes of magnetometer readings on and intercepts Bob and Alice’s keys, Eve will be unable to smartphone: 1) the user shakes or rotates the smartphone. This decrypt Alice’s half-message (encrypted using her key) and will cause the change of the relative coordinate relationship re-encrypt it using Bob’s key. Subsequently, Eve who try to between the Earth and the smartphone. The magnetic field separately generate independent keys with Alice and Bob will vector in free space is always aligned to the Earth’s magnetic be exposed (shown in Fig. 5). line. As a result, the magnetometer readings on the smartphone at two individual directions (or all three directions) change abruptly. 2) a magnet or magnetic substance is coming close C. MagPairing protocol to the smartphone. For the formal descriptions of our protocol, we use the The triggering process must be carefully designed to have following notation: c = E(K, m) describes the encryption small false alarm probability, otherwise the battery of smart- of plain text m under key K with a symmetric cipher, phone will be drained quickly. The problem of verifying that and m = D(K, c) is the corresponding decryption. H(m) two devices are tapping together becomes a classification prob- represents the hashing of message m with some secure hash lem. To separate from the first situation, we use the amplitude function, and m|n is the concatenation of strings m and n. B = |B | change of the magnetometer readings ( Alice Alice , The notation M[a : b] is used to describe the substring of a q 2 2 2 BBob = |BBob|, |B| = Bx + By + Bz as triggering message M starting at bit a and ending at bit b. The symbol Fig. 6. Protocol: Diffie-Hellman key agreement followed by the exchange of sensor data via interlock

B2. This ensures that the attacker cannot decrypt any of the blocks or learn parts of the plain text messages. After exchanging their messages a and b, Alice and Bob verify the similarity between two sensor data. This is done by using the pre-processing and correlation method described in section IV. A threshold r0 is used to judge whether the device pairing is successful.

D. Security analysis Fig. 5. Flow chart of interlock In the following, we analyse MagPairing tackling passive attacks, MITM attacks, replay attacks and reflection attacks ⊕ describes bit-wise XOR. We use AES with 128-bit key size respectively. as a block cipher for E() and D(). 1) Passive Attacks: A passive attacker only eavesdropping Fig. 6 shows our authentication protocol. Using DH key on the communications will not interrupt the key agreement agreement, Alice and Bob generate two shared keys KA, KB process. In this case, Alice and Bob can successfully generate Sess Sess and KA , KB , where it is impossible to infer one from DH key and pass the authentication. The DH key is guaranteed the other (under the assumption that the hash function does to be computational secure and will not be revealed to the not allow to find a pre-image). Creating two keys, one for attacker. authentication, one as session key, provides forward secrecy. 2) MITM Attacks: It is known that MITM attack is achieved Because DH is susceptible to MITMA, the devices need to by an attacker making independent keys KA, KB and connec- verify that their keys are equivalent. The unique key property tions with the victims and relaying messages between them. of DH guarantees with a very high probability, that is, if KA = This makes the victims believe that they are talking directly KB, there can be no attacker E with KEA = KA and KEB = to each other over a private connection. But in fact, the entire Sess Sess Sess KB, and subsequently, no KEA = KA and KEB = conversation is controlled by the attacker. To remain unde- Sess KB . tected, the attacker must pass the authentication. Normally, if After DH keys are established, Alice and Bob encrypt their Alice encrypts the packet BAlice with the key KA, the attacker IDs and magnetometer readings with the keys. Because inter- can decrypt the packet by KA, re-encrypt the packet with the lock is based on block ciphers, we reshape BAlice and BBob to key KB, and forward it to Bob. Block format of standard length as introduced in subsection However, this attack won’t succeed against interlock proto- IV-E, getting a and b. For our authentication protocol, we col, since the attacker cannot decrypt half-message as shown simply use the cipher block chaining (CBC) mode with a in Fig. 5. random initialization vector (IV). The resulting ciphertexts c After the attacker receives half-message, she is left with and d are then split into two messages by concatenating the only two options: either to forward the original packets, or to first halves of cipher blocks into the first messages A1 and create packets on her own. In the former case, Alice and Bob B1, and the second halves into the second messages A2 and will be unable to decrypt the messages properly, because they do not share the same key. In the latter case, the attacker must Considering magnetic field interference, (1) can be rewritten guess the contents of the messages, and encrypt them with the as appropriate keys, before it has access to the actual messages. Bnet = BEarth + B1 + B2 + Binf (18) When the messages sent by Alice and Bob have an entropy where B presents the magnetic field interferences. of e bits, this leaves the attacker with a single 2−e chance of inf In this subsection, we point out that: correctness. 1) External magnetic field interferences cannot cause denial As a conclusion, what can a MITM attacker do is caus- of services. Readers may worry that magnetic field interfer- ing the failure of device pairing, but MITM attacks cannot ences add noise to collected sensor data and result in the failure pass the authentication process and will be detected by our of device pairing. Such phenomenon is common in wireless protocol. Thus, the conversations will not be transmitted by communication and known as denial of service (DoS). compromised keys and revealed to the attacker. However, MagPairing is based on the fact that tapped 3) Replay Attacks: A smart MITM attacker may keep smartphones are reading the magnetic fields at almost the same the magnetometer readings in the first attempt. Then in the point. Magnetic field interferences could change the magnetic second attempt, it may just replay the readings. However this field distribution in the air, but cannot decorrelate collected attack won’t succeed because there is no strong correlation sensor data of magnetic field patterns. Thus, magnetic field between consecutive measurements. What we make use of is interferences, whether intended or not, do not cause DoSs. the random component in the readings, not the raw readings, 2) Intended interferences cannot cause injection attacks. A which is not correlated temporally or spatially. smart attacker may try to inject strong magnetic field interfer- The randomness mainly comes from: ence B to overwhelm and manipulate the magnetic field Ambient noise: extremely low frequency (ELF) magnetic inf pattern sampling by two pairing devices. Then, the attacker fields occur daily in the environment [34, 35]. They are can fabricate a string based on B to pass the sensor data associated with lightning discharges, atmospheric lability, solar inf authentication and launch a MITM attack. We call this type eruptions, geomagnetic micropulsations, power transmission of attacks as injection attacks. lines, video display terminals, electric blankets and other home In order to launch an injection attack, B has to be appliances. Reported range at 50-60 Hz is: 0.1-1000 uT [34]. inf larger than B and B , which is highly impracticable. The Tapping itself: 1 2 when tapping smartphones together, the ori- magnetic field has the characteristic of ultra-fast attenuation, entations of the smartphones are different for different people, which is proportional to the third power of the distance. which benefit large differences in collected sensor data. Notice that when tapping smartphones together, the magnets Human motion: when holding two devices, any possible inside themselves are much closer to the magnetometers than walk, wag, rotate or tremble can change the position and an outside magnet acquired by the attacker. As a result, direction of the magnetometer and affect the collected sensor Binf << B1(B2). The string fabricated based on Binf is data. weak correlated with the sensor data collected by pairing In order to increase the resistance to replay attack, for the devices and thus cannot pass the authentication to launch an same person, if the first attempt fails (as will be shown in the injection attack. experiments, the probability is very low), he/she will be asked In order to give reader an idea of how weak the intended to change a pairing gesture and encouraged to perform some interferences are, we give the following numerical result, human motion. It is important to note that users do not have to which is based on our real-world experiment. The increment follow a particular pattern of tapping or motion, but that they of magnetic field intensity when placing a normal magnet only can tap and move the devices as they like. Another important 1m away from the smartphone (measured by the smartphones thing is time consuming for the next trial will not increase. magnetometer) is less than 1uT. The increment of magnetic Thus, good user experiences are maintained. field intensity when tapping another smartphone to the previ- 4) Reflection Attacks: A MITM attacker may reflect the ous one is larger than 1000uT. messages sent by Alice and Bob back to themselves. In this In conclusion, MagPairing is immune to the threat of way, Alice and Bob will receive their own sensor data, yielding magnetic field interferences. high correlations equaling to 1, and pass the correlation check. However, this method won’t succeed and can be easily F. How does MagPairing protect against internal threat detected by checking the ID of the message sender. Malicious on either smartphone are internal threat of giving away the key generated by MagPairing. In this E. Impact of magnetic field interference subsection, interior security will be discussed. Notice that when collecting magnetic field data, there could Overview of Trusted Mobile Platform be external magnetic field interferences. Three types of pos- In 2004, Trusted Computing Group (TCG) [36] develops sible interferences are (a) Intended interference: an attacker Trusted Mobile Platform (TMP) hardware architecture, soft- acquires a magnet (ferromagnet or electromagnetic actuator) ware architecture and protocol specifications [37, 38, 39], and tries to disturb the pairing. (b) Unintended interference: which defines comprehensive end-to-end security architecture sensor data acquisition happens to be performed near some and focuses on mobile platform identity and integrity to prove magnetic materials. (c) Environmental interference: pairing trusted computing (TC) for mobile equipment ME. Trusted process is performed near a power substation or power lines. Platform Module (TPM) is a very important tamper-resistant component in TMP who is responsible for recording the VI.PERFORMANCE EVALUATION integrity measurements. TPM also provides security func- The correlation check in MagPairing can be modeled as a tionality, such as platform attestation, protected storage, and hypothesis test: sealing, to measure and validate the hardware and/or H0 : No attack configurations of the platform. For more detail about TMP, H1 : There is an attack refer to [37, 38, 39]. TPM maintains the platforms state in the where H0 and H1 are the null and alternative hypothesis, abstract form of aggregated integrity measurements stored in respectively. platform configuration registers (PCRs) in the TPM. A PCR The performance of the hypothesis test is usually evaluated cannot be simply overwritten with a new value, but only be by the receiver operating characteristic (ROC) curve. The extended with a new measurement. As a consequence, each ROC curve plots the false alarm rate α against detection rate PCR can hold an unlimited number of measurements and the β. The false alarm rate is the probability of assuming an order of the extensions will affect the aggregate value. Based attack but there is actually no attack. The detection rate is the on the PCRs, the TPM can quote the platform status to an probability of detecting the attack when the attack happens. external party. This attestation is a digital signature of the Our goal is to achieve high detection rate with low false alarm composite value of selected PCRs and parameters guaranteeing rate. protocol freshness. The Attestation Identity Key (AIK) used According to the protocol implementation, we have for signing is dedicated for only this use and has been certified by a certification authority. Z α = P r(r ≤ r0|H0) = f0(r)dr MagPairings interaction with trusted software r≤r0 Z (19) With the integrity measurement and storage, an integrity β = P r(r ≤ r0|H1) = f1(r)dr report can be generated by a platform and provided to an- r≤r0 other platform through a challenge-response protocol called where f and f are the pdf of the sample correlation coeffi- attestation. During attestation, a platform (challenger) sends 0 1 cient under null and alternative hypothesis, respectively. These attestation challenge message to another platform (attestor). two pdfs are hard to obtain due to the unavailability of the One or more PCR values are signed with an attestation close-form expression for distribution of the sample correlation identity key protected by the TPM of the attestor and provided coefficients. Even under Gaussian assumption, there is no to the challenger. The challenger verifies this attestation by close form solution for the sample correlation coefficient given comparing the signed values with expected values. Attestation the population correlation coefficient [40, 41]. Next, we will provides the authenticity of a platforms current integrity, numerically analyze the correlation and test the performance state, or configuration. Within a single platform, MagPairing of MagPairing. can send attestation challenge message to another running In the simulation, we randomly generate Alice’s three di- application to verify its integrity or running state. field 0 disturb mensional magnetic field: BAlice(n) = BAlice + BAlice (n); Sensitive data protection 0 where BAlice is the mean net magnetic field, which is the sum TPM protects sensitive data (i.e., secret key generated by of all contributing fields: the Earth’s magnetic field, Alice and disturb MagPairing) with integrity measurement values through sealed Bob’s inside magnet’s field. BAlice (n) is the magnetic field storage. In addition to applying a symmetric key to encrypt the disturbance due to the collision of phones when tapping them data, one or more PCR values are stored during the encryption together and the user’s unintended shaking. According to our 0 along with the protected object. A TPM releases a protected experiments, We set BAlice at each direction to a uniform disturb object only if the current PCR values match those stored with distribution between [−400µT 400µT ]. We set BAlice (n) the protected object. Therefore, a protected object is available at each direction to a zero mean Gaussian distribution with only when the platform is in a particular state. A key is the standard deviation of 40µT . Then, we generate a similar protected either by storing it in a TPM without releasing it, magnetic field (but not exactly the same magnetic field since or encrypting it with a key that is protected by the TPM. This their measurements do not take place at exactly the same spot) field forms a key hierarchy where the leaves are protected secrets BBob (n) for Bob. We set the correlation coefficient ρ between field field and arbitrary data, and the intermediate nodes are storage keys BAlice(n) and BBob (n) to 0.9. Further, we assign to Bob a and identity keys. Each TPM has a storage root key (SRK) that face-to-face coordinate relationship with respect to Alice, and is protected inside the hardware and is never released. A key introduce a deviation (because their coordinate relationship is can be asymmetric key, or an asymmetric key pair where the not exactly face-to-face due to their heterogeneous internal private part is the protected object. Each key has a flag with coordinates and non-ideal user operations). The deviation is value migratable or non-migratable. A non-migratable key is introduced by a rotation at a random direction of a random created by a TPM and never leaves the platform, therefore degree uniformly distributed between 0 to 20 degree. After it is guaranteed to be known only by the TPM that creates that, a random synchronization offset of less than 10 sample field field it. Entities who trust the TPM can thereby trust information points is added between BAlice(n) and BBob (n). protected by non-migratable keys. A migratable key can move The magnetometer readings are generated as follows: field field from one platform to another. Trust in a migratable key goes BAlice(n) = BAlice(n)+w(n), BBob(n) = BBob (n)+w(n); back to the entity that creates that key, such as a certificate where w(n) represent a zero-mean Gaussian noise. As intro- authority (CA). duced in section V, Alice and Bob use standard Diffie-Hellman key agreement protocol to generate a 128 bit key. Then, they reshape their three dimensional sensor data to strings a, b and exchange them by the interlock protocol. 1) False alarm rate: In this simulation, Alice and Bob establish an identical key K. They use K to encrypt, exchange and decrypt the sensor data (assuming no bit error in wireless transmission). 2) Detection rate: In this simulation, we assume that DH key agreement has been manipulated by a MITM attacker, who generates two keys, one with Alice KA and one with Bob KB separately. Alice (Bob) reshapes its magnetometer readings to a (b), encrypt it with KA (KB) and send its first half to Bob (Alice). The attacker intercepts the piece but it cannot decrypt the content a (b) now. The attacker has no other choice but to guess the content aA (bA) by generating a random string with the same distribution as Alice (Bob). The attacker then encrypts aA (bA) with KB (KA) and forwards it to Bob (Alice). Then Alice (Bob) sends its second half to Bob (Alice). This time, the attacker intercepts and gets both Fig. 8. Screen shot of MagPairing (left) two phones are tapped face to face halves; it decrypts the content a (b) now, encrypts the second as requested (right) two phones are separated half of a (b) with KB (KA) and forward it to Bob (Alice). After the sensor data exchange, Alice and Bob use the method in section IV to pre-process the data and compute the VII.IMPLEMENTATION correlation. They use a threshold r0 to judge whether there is an attacker. We implemented MagPairing and conduct experiments us- ing two 5 smartphones running Android version A. Impact of SNR 4.4.2 developed by Eclipse. As introduced in section V, We set SNR to 10dB, 5dB and 0dB respectively. We vary after triggering, two phones collect magnetometer readings of r0 from 0 to 1 to draw the ROC curve. For each point, we all three directions separately. Meanwhile, they use standard run the same simulation 10000 times to get the false alarm DH-protocol to establish a shared key of 1024 bits (hash rate and detection rate. In the simulation, the sensor data are to 128 bits); where p is a random prime number of 1024 quantized to Bytes (8 bits), the number of effective Bytes at bits, and g = 5. Then, the sensor data are encrypted split each direction is Npoint = 20 (60 for all three directions). into two messages and exchanged through Interlock protocol. Fig. 7 (left) shows that good performance is achieved even Two phones decrypt sensor data, pre-process (as introduced with ultra low SNR (for SNR = 0, 90% detection rate with in section IV) and compute the correlation r. We set the 7% false alarm rate). correlation threshold to r0 = 0.5 to judge whether device pairing is successful. There are 6 message transmissions during B. Impact of the number of effective Bytes the whole device pairing process as illustrated in Fig. 6. Fig. 8 (left) shows the result of an experiment when we We set Npoint to 30, 20 and 10, respectively. We fix SNR tap two phones face to face as requested by MagPairing (less to 5dB. We use the same method in previous subsection than 1cm). In this case, r ≈ 0.7 > r0; thus the authentication to draw the ROC curve. Fig. 7 (middle) shows that good and device pairing succeeded as desired. Fig. 8 (right) shows performance is achieved even with ultra small Npoint (for the result of an experiment when we separate two phones to Npoint = 10, 95% detection rate with 2% false alarm rate). perform the same experiment (about 20cm apart). In this case, Therefore, MagPairing requires a very short period of sensor correlation decreases dramatically, due to the separation of data capturing time. For example, assuming effective Bytes are magnetometers r ≈ 0.05 < r0; thus the authentication and sampled at 10Hz, it only takes 2s to capture sufficient amount device pairing failed as expected. of sensor data of Npoint = 20.

C. Correlation PDF A. Sensor data correlation verification We numerically draw the probability density function (PDF) In this experiment, we are aiming at verifying the similarity of correlation with SNR = 5dB, Npoint = 20. The PDFs under of sensor data. We capture magnetometer readings on two two conditions (no attacker, an attacker) are well separated, smartphones when they are tapping together and analyse the and thus appropriate for threshold detection. When there is no data on a computer. Fig. 9 (a) shows the raw sensor data attacker, Alice and Bob have an average correlation of 0.78; BAlice, BBob at X direction. The two sequences have the the correlations are more than 0.6 in most cases. When there similar trends of rise and fall. It can be seen that the correlation is an attacker, the average correlation decreases to 0.15; the between raw data is not high, which is a normal phenomenon correlations are less than 0.4 in most cases. as explained in section IV, and sensor data preprocessing is Fig. 7. Performance of MagPairing (left) impact of SNR (middle) impact of the number of effective Bytes at each direction Npoint (right) PDF of correlation

Fig. 9. Captured magnetometer readings of x-direction on both smartphones (a) raw sensor data BAlice, BBob (b) synchronized and spatial aligned sensor b b c c data BAlice, BBob (c) pre-processed sensor data after mean value removed BAlice, BBob (d) comparison with the sensor data of a nearby attacker needed. First, we perform synchronization and spatial align- approximate entropy indicates more randomness of the bit b b ment to get BAlice, BBob as introduced in subsection IV-B string. To quantify this shared randomness, we applied the and IV-C. Fig. 9 (b) shows the preprocessed sensor data. method proposed in [43] to compute the entropy of binary An obvious improvement on similarity is achieved. Next, string. c we remove the short-term mean value to get BAlice and In this experiment, we record pre-processed sensor data Bc as introduced in subsection IV-D. Fig. 9 (c) shows c Bob BAlice from one of the pairing smarthphones. The total the preprocessed sensor data. It can be seen from the figure number of recorded sensor data strings is 100, which is that the two sequences look like zero mean random noises completed by 10 different people with each person performing with high similarity. The result confirms that magnetometer 10 successful trials. For each string, the length of sensor data readings on two smartphones are highly correlated when they c BAlice is 1350 bits. are close to each other. Authentication and key agreement can It should be pointed out that users do not have to follow a be performed based on the sensor data. Finally, we use another particular pattern of tapping or motion, but that they can tap smartphone (10cm away from tapped ones) to eavesdrop the and move the devices as they like. Thus, the way of tapping is sensor data. Fig. 9 (d) shows the sensor data collected by totally depend on testers. We notice that some users prefer to Alice and a nearby attacker. The similarity is very low, which walk, wag, rotate and tremble when holding two smartphones, confirms that the sensor data can be treated as a shared secret while some users prefer to keep their body unmoved. As between legitimate devices. discussed in section V-D, the randomness of sensor data comes from many aspects: ambient noise, tapping and human motion. B. Sensor data randomness Thus, the entropy values differ for different testers on different Note that the security of MagPairing is based on the trails. Our practical experiments show that the entropy values nondisclosure of sampled magnetometer readings. The security drawn from the users of the first type are indeed slightly higher strength is fundamentally constrained by the randomness of than that of the second type due to the randomness of human c motion. Fig. 10 shows CDF of the entropy of the sensor data mean removed sensor data BAlice(Bob). In our implementation, the duration of sensor data collection is 3 seconds with of all testers for all 100 runs. The experiments are conducted the sampling rate of 50 Hz. The number of sample points on two Nexus 5 smartphones, two GALAXY 3 smartphones of all tree directions is 450. Considering that each sample and two MEIZU MX 4 smartphones respectively. point is quantized to 3 bits with the first bit denoting the It can be seen that the entropy is high on average (0.89, sign (corresponding to the four-level quantization), the length 0.88 and 0.87). Note that it is impossible for an attacker to of the bit string of the sensor data is 1350 bits. We use fabricate a string that is correlated with a bit string of 1350 the approximate entropy [42] as an indicator to test the bits with high randomness. The sensor data is highly secure randomness of the bit string of the sensor data. With log from forgery in practice. base 2, the approximate entropy scales from 0 to 1. Larger It can be concluded from section VII-A and VII-B that Fig. 12. (left) Success rate (right) minimum/average/maximum time con- suming on different testers

D. Usability test (1) Observable usability tests In this experiment, we ask 50 different testers without any Fig. 10. The CDF of approximate entropy of the sensor data prior training to implement MagPairing application. Each par- ticipant is requested to naturally tap two smartphones together 20 times. We record their success rate and time consuming. attacker does not have any chance to estimate and forge the Fig. 12(left) shows the success rate distribution for all sensor data to launch a man-in-the-middle attack. testers. The result demonstrates a high success rate from 85% to 100%, with 93% on average. Fig. 12(right) shows the time consuming. The minimum, average and maximum time C. Impact of sensor data collection duration on MagPairing consuming are from 3.84s to 4.31s, from 4.34s to 4.66s and from 4.69s to 5.37s. The result validates that MagPairing is In this experiment, we vary sensor data collection duration fast and easy to use in practice. from 2s to 5s to evaluate its impact on MagPairing. Each Comparing with device pairing methods operating over duration is tested 20 times. other OOB channels (the summary of their task performance Fig.11 shows the corresponding success rate, average time time and completion rate can be found in Fig.2 in [23]), consuming, average correlation and average effective bits, MagPairing has shortest task performance time, and is one where effective bits is defined as the number of bits multi- of the methods with the highest task completion rate. plying the entropy of the sensor data. (2) Subjective perception tests It can be seen that as sensor data collection duration in- In this experiment, we ask 50 testers of all ages and sexes creases, on the one hand the number of effective bits increases to try out and rate MagPairing application based on the open- linearly (as shown in Fig.11 (d)), which indicates the incre- source comparative usability testing framework in [44], a ment of security strength and the robustness, on the other hand widely used and highly reliable 10-item System Usability average time consuming increases linearly (as shown in Fig.11 Scale (SUS) questionnaire that polls subjects satisfaction. The (b)), which indicates the reduction of user experience. For scales count from 1 to 5 (from strongly disagree to strongly most applications, 3 seconds is considered to be appropriate agree). Subjects also required to rate the perceived security. with enough security strength and acceptable waiting time. If Table I shows the result. certain applications need higher security level, we can extend TABLE I sensor data collection time, but this would increase the time USABILITYMEASURESOF MAGPAIRING consuming. Accordingly, if certain applications need shorter Question Average Question Average waiting time, we can reduce sensor data collection time, but rate rate this would decrease the security level. I think that I would like I found the method to use the method 4.3 unnecessarily complex 1.24 It should be pointed out that reducing sensor data collection frequently time too much not only decreases security strength but also I thought the method I think that I would could affect success rate and average correlation. As shown in was easy to use 4.62 need the support of a 1.54 technical person Fig.11 (c), when the sensor data collection time decreases to I found the various I thought there was less than 2.5s, the impact of noise stands out. The correlation functions in this method 4.54 too much inconsis- 1.36 fluctuation becomes high and the average correlation decreas- were well integrated tency in this method es. As a result the success rate reduces (as shown in Fig.11 I would imagine that I found the method most people learn to 4.6 very cumbersome 1.28 (a)). use it very quickly to use Thus, it should be noticed that reducing sensor data col- I felt very confident I needed to learn lots using the method 4.16 of things before getting 1.32 lection duration too much cannot save time due to the high going with the method possibility of multiple-trials. Our practical experiments show that sensor data collection duration should be set to at least 2s. The final SUS score is 88.7; perceived security score is 87. Fig. 11. Sensor data collection duration with respect to (a) success rate (b) average time consuming (c) average correlation (d) average effective bits

Comparing with device pairing methods operating over other devices and the eavesdropper. It can be seen that minimum OOB channels [23], MagPairing is one of the methods with correlations and average correlations between pairing devices highest SUS score. The results validate that MagPairing is are larger than 0.43 and 0.66. On the other hand, the maximum convenient to use in practice. correlations between pairing device and the eavesdropper are (3) Qualitative post-test interview smaller than 0.2. The result demonstrates that MagPairing is The testers were then asked to select a favored pairing secure from eavesdropping on various kinds of smartphones. method between MagPairing and a popular visual based pair- Discussion: Different types of devices could have larger ing and text sharing scheme, i.e. scanning a QR code and discrepancies in terms of internal axis, sensor data sampling explain their choices. 24 participants preferred MagPairing; delay, scale and accuracy. 16 participants preferred visual based pairing scheme, while In the design of MagPairing, the discrepancies are consid- the remaining 10 have no preference and state that the two ered and the final correlation is based on the pre-processed sen- methods are equally convenient. sor data, where inconsistency of internal axis is pre-calibrated MagPairing The action of tapping was viewed as being by spatial alignment; difference in sensor data sampling delay quicker, taking less effort, and generally feeling more natural is pre-calibrated by sensor data synchronization; difference than taking a picture. Those that favored MagPairing also liked in sensor data sampling scale is solved by using correlation that it did not require opening any additional application. coefficient, a normalized correlation value, to indicate the Visual based Pairing Those that preferred the visual relative similarity of two waveforms. method stated that the physical action of taking a photo The difference in sensor data sampling accuracy leads to the is more comfortable and socially acceptable. Some people difference in probability density function (PDF) of correlation had reservations about the ‘convenience’ of MagPairing, and coefficient, which affects the optimum detection threshold worried that their smartphones could be pairing up without r0. It should be pointed out that since the PDFs under two intending to, for instance, when tapping two smartphones to conditions (tapping, no tapping) are well separated as shown compare their size. in Table III, this impact is very limited. In our experiments, we Overall, the interview shows that the majority of the par- find that r0 = 0.5 can well separate most conditions as shown ticipants accept the new pairing solution, inferring that Mag- in Table II. Thus there is no obvious performance degradation Pairing is promising to become popular and being frequently when applying MagPairing on two different types of devices. used in practice. TABLE II SUCCESS RATE AND TIME CONSUMING ON DIFFERENT TYPES OF E. Validity on heterogeneous devices SMARTPHONES We also apply MagPairing on 3 types of smartphones. Phone Success Minimum Maximum Average type rate time time time Type A: NEXUS 5 AA 95% 4.4s 5.9s 4.8s Type B: GALAXY 3 AB 90% 4.2s 4.9s 4.5s Type C: MEIZU MX 4 AC 95% 4.6s 4.9s 4.7s BB 100% 4.1s 4.5s 4.3s The eavesdropper who is 10cm apart : NEXUS 5 BC 90% 4.4s 4.9s 4.7s All these 3 types of smartphones are tested to pair with CC 95% 4.2s 4.7s 4.4s one anther 20 times. We record their success rate and time consuming. Table II shows the result. The success rates are more than 90% for all of the pairings among different types of smartphones. The minimum, maximum, average time VIII.DISCUSSION consuming are 4.1 s , 5.9 s and 4.6 s. The result validates It should be pointed out that magnets are necessary items that MagPairing is widely applicable to various kinds of inside smartphones to make sounds. Theoretically, MagPairing smartphones and easy to use. is generally applicable to all kinds of smartphones equipped Table III shows the minimum, average and the standard with magnetometers. MagPairing requires two smartphones deviation of the correlations of the sensor data among pairing are tapped together such that their magnetometers are close to each other. However, the location of magnetometer may vary on smartphones. Our method exploits the fact that smartphones from smartphone to smartphone. In some cases, “face-to-face” are equipped with tiny magnets. Highly correlated magnetic may not be the optimal choice to guarantee the proximity of field patterns are produced when two devices are close to each two smart phones’ inside magnetometers. Since MagPairing is other. designed for ordinary users, the inner structure of smartphone Numerical analysis show that MagPairing achieves high must be assumed unknown to the users. detection rate and low false alarm rate even under low SNR To deal with the problem, we can develop an app that or within a short period of sensor data capturing time. We stores the magnetometer location information for the various implemented MagPairing and conduct experiments on Android popular smartphones on the market. Then two smartphones smartphones. Concept proof experiments confirm that the can exchange this information before pairing and the user can magnetometer readings captured by two tapped smartphones find out the best way to tap the smartphones. are highly correlated, while their magnetometer readings are Although MagPairing is validated on smartphones, it can uncorrelated with that of a nearby attacker. Security strength be applied to facilitate the pairing of other wireless devices analysis demonstrates that the captured sensor data on which which are equipped with magnetometers, such as generic body MagPairing is based has high entropy (0.89 on average) and sensors and wearable computing devices, e.g. apple watch, sufficient length (1350 bits). Usability experiments show that Android wear. In this case, we can add a model match step MagPairing has a high success rate (more than 90% for all of right after triggering to exchange device information so as to the testers without any prior training) and short total device activate appropriate pairing protocol. paring time in practice (4.5s on average). Scalability tests on MagPairing relies on the principle that tapped smartphones 3 types of smartphones: Google Nexus 5, GALAXY 3 and are reading the magnetic fields in close proximity. Thus, as MEIZU MX 4 validate that MagPairing is widely applicable long as this condition holds, MagPairing should work. For and easy to use. small sensors or wearable devices, it is promising to extend MagPairing to pair multiple devices. A group Diffe-Hellman REFERENCES key agreement protocol can be applied [45] and the correlated [1] N. Saxena, J.-E. Ekberg, K. Kostiainen, and N. Asokan, “Secure sensor readings can be used to verify the keys shared among device pairing based on a visual channel: Design and usability Information Forensics and Security, IEEE Transactions co-located devices. study,” on, vol. 6, no. 1, pp. 28–38, March 2011. It should also be pointed out that, MagPairing has following [2] N. Saxena, M. B. Uddin, and J. Voris, “Universal device pairing constraints in practice. using an auxiliary device,” in Proceedings of the 4th symposium (1) MagPairing cannot be applied on those devices without on Usable privacy and security. ACM, 2008, pp. 56–67. a magnetometer integrated. [3] A. Perrig and D. Song, “Hash visualization: a new technique (2) When tapping two smartphones without intention, for to improve real-world security,” in In International Workshop on Cryptographic Techniques and E-Commerce, 1999, pp. 131– instance, comparing their size, it brings trouble of manually 138. closing MagPairing to avoid two devices being paired. [4] C. Ellison and S. Dohrmann, “Public-key support for (3) Currently it could be challenging to extend MagPairing group collaboration,” ACM Trans. Inf. Syst. Secur., vol. 6, to pair multiple smartphones given the fact that magnetometers no. 4, pp. 547–565, Nov. 2003. [Online]. Available: are inside of the smartphone and it could be hard to tap http://doi.acm.org/10.1145/950191.950195 [5] V. Roth, W. Polak, E. Rieffel, and T. Turner, “Simple multiple smartphones close enough to measure the magnetic and effective defense against evil twin access points,” in field at almost the same point. Thus, in multi-user case, Proceedings of the First ACM Conference on Wireless MagPairing is less efficient than visual based pairing method, Network Security, ser. WiSec ’08. New York, NY, in which multiple devices can take the same picture at the same USA: ACM, 2008, pp. 220–235. [Online]. Available: time to benefit the establishment of a session key. However, in http://doi.acm.org/10.1145/1352533.1352569 [6] J. McCune, A. Perrig, and M. Reiter, “Seeing-is-believing: using the future, if smartphones become thinner, it is not impossible camera phones for human-verifiable authentication,” in Security to stack or tap multiple smartphones closely and MagPairing and Privacy, 2005 IEEE Symposium on, May 2005, pp. 110– will be applicable. 124. [7] N. Saxena, J.-E. Ekberg, K. Kostiainen, and N. Asokan, “Secure IX.CONCLUSION device pairing based on a visual channel,” in Security and Privacy, 2006 IEEE Symposium on, May 2006, pp. 6 pp.–313. We have designed a reliable, fast and easy-to-use secure [8] C.-M. Chen, K.-H. Wang, T.-Y. Wu, J.-S. Pan, and H.-M. Sun, device pairing scheme, MagPairing, by using magnetometers “A scalable transitive human-verifiable authentication protocol for mobile devices,” Information Forensics and Security, IEEE TABLE III Transactions on, vol. 8, no. 8, pp. 1318–1330, Aug 2013. CORRELATIONS AMONG PAIRING DEVICES AND THE EAVESDROPPER [9] M. T. Goodrich, M. Sirivianos, J. Solis, C. Soriente, G. Tsudik, and E. Uzun, “Using audio in secure device pairing,” Inter- Phone Minimum Average Standard Maximum correlation national Journal of Security and Networks, vol. 4, no. 1, pp. type correlation correlation deviation at eavesdropper AA 0.45 0.68 0.14 0.12 57–68, 2009. AB 0.43 0.67 0.09 0.20 [10] M. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, and E. Uzun, AC 0.46 0.72 0.12 0.15 “Loud and clear: Human-verifiable authentication based on BB 0.54 0.69 0.11 0.11 audio,” in Distributed Computing Systems, 2006. ICDCS 2006. BC 0.45 0.66 0.14 0.17 26th IEEE International Conference on, 2006, pp. 10–10. CC 0.48 0.71 0.16 0.12 [11] C. Soriente, G. Tsudik, and E. Uzun, “Hapadep: Human-assisted pure audio device pairing,” in In ISC, 2008, pp. 385–400. [12] M. T. Goodrich, M. Sirivianos, J. Solis, C. Soriente, G. Tsudik, and Services, ser. MobiSys ’11. New York, NY, and E. Uzun, “Using audio in secure device pairing,” Int. J. USA: ACM, 2011, pp. 211–224. [Online]. Available: Secur. Netw., vol. 4, no. 1/2, pp. 57–68, Feb. 2009. [Online]. http://doi.acm.org/10.1145/1999995.2000016 Available: http://dx.doi.org/10.1504/IJSN.2009.023426 [29] M. Edman, A. Kiayias, and B. Yener, “On passive [13] R. Prasad and N. Saxena, “Efficient device pairing using inference attacks against physical-layer key extraction?” ”human-comparable” synchronized audiovisual patterns,” in in Proceedings of the Fourth European Workshop on Proceedings of the 6th International Conference on Applied System Security, ser. EUROSEC ’11. New York, NY, Cryptography and Network Security, ser. ACNS’08. Berlin, USA: ACM, 2011, pp. 8:1–8:6. [Online]. Available: Heidelberg: Springer-Verlag, 2008, pp. 328–345. [Online]. http://doi.acm.org/10.1145/1972551.1972559 Available: http://dl.acm.org/citation.cfm?id=1788857.1788877 [30] J. Zhu, P. Wu, X. Wang, and J. Zhang, “Sensec: Mobile [14] C. Soriente, G. Tsudik, and E. Uzun, “Beda: Button-enabled security through passive sensing,” in Computing, Networking device association,” in International Workshop on Security for and Communications (ICNC), 2013 International Conference Spontaneous Interaction IWSSI,UbiComp Workshop Proceed- on, 2013, pp. 1128–1133. ings, 2007. [31] T. Halevi, H. Li, D. Ma, N. Saxena, J. Voris, and T. Xiang, [15] L. Holmquist, F. Mattern, B. Schiele, P. Alahuhta, M. Beigl5, “Context-aware defenses to RFID unauthorized reading and re- and H.-W. Gellersen, “Smart-its friends: A technique for users lay attacks,” Emerging Topics in Computing IEEE Transactions to easily establish connections between smart artefacts,” in on, vol. 1, no. 2, pp. 307–318, 2013. Ubicomp 2001: Ubiquitous Computing, ser. Lecture Notes in [32] R. Jin, L. Shi, K. Zeng, A. Pande, and P. Mohapatra, “Mag- Computer Science, G. Abowd, B. Brumitt, and S. Shafer, Eds. pairing: Exploiting magnetometers for pairing smartphones in Springer Berlin Heidelberg, 2001, vol. 2201, pp. 116–122. close proximity,” in Proc. IEEE International Conference on [16] R. Mayrhofer and H. Gellersen, “Shake well before use: Au- Communications and Networks Security, 2014. thentication based on accelerometer data,” in Pervasive comput- [33] R. L. Rivest and A. Shamir, “How to expose an eavesdropper,” ing. Springer, 2007, pp. 144–161. Commun. ACM, vol. 27, no. 4, pp. 393–394, Apr. 1984. [17] E. Uzun, K. Karvonen, and N. Asokan, “Usability analysis of [Online]. Available: http://doi.acm.org/10.1145/358027.358053 secure pairing methods,” in Financial Cryptography and Data [34] K. P. Ossenkopp, W. T. Koltek, and M. A. Persinger, “Prenatal Security. Springer, 2007, pp. 307–324. exposure to an extremely low frequency-low intensity rotating [18] A. Kumar, N. Saxena, G. Tsudik, and E. Uzun, “Caveat eptor: magnetic field and increases in thyroid and testicle weight in A comparative study of secure device pairing methods,” in Per- rats.” Developmental Psychobiology, vol. 5, no. 3, p. 275C285, vasive Computing and Communications, 2009. PerCom 2009. 1972. IEEE International Conference on. IEEE, 2009, pp. 1–10. [35] N. Santoro, A. Lisi, D. Pozzi, E. Pasquali, A. Serafino, and [19] K. K. Venkatasubramanian, A. Banerjee, and S. K. S. Gupta, S. Grimaldi, “Effect of extremely low frequency (elf) magnetic “Pska: usable and secure key agreement scheme for body area field exposure on morphological and biophysical properties of networks,” IEEE Transactions on Information Technology in human lymphoid cell line (raji),” Biochimica Et Biophysica Biomedicine,, vol. 14, no. 1, pp. 60–68, 2010. Acta, vol. 1357, no. 3, p. 281C290, 1997. [20] H. Ketabdar, A. Jahanbekam, K. A. Yuksel, T. Hirsch, and [36] TCG, “https://www.trustedcomputinggroup.org/.” A. Haji Abolhassani, “Magimusic: using embedded compass [37] T. M. P. H. A. Description, “http://www.trusted-mobile.org (magnetic) sensor for touch-less gesture based interaction with /tmp hwad rev1 00.pdf.” digital music instruments in mobile devices,” in Proceedings of [38] T. M. P. S. A. Description, “http://www.trusted-mobile.org /tm- the fifth international conference on Tangible, embedded, and p swad rev1 00.pdf.” embodied interaction. ACM, 2011, pp. 241–244. [39] T. M. P. P. S. Document, “http://www.trusted-mobile.org /tm- [21] H. Ketabdar, K. A. Yuksel,¨ and M. Roshandel, “Magitact: p protocol rev1 00.pdf.” interaction with mobile devices based on compass (magnetic) [40] J. F. Kenney and E. S. Keeping, Mathematics of Statistics. Pt. sensor,” in Proceedings of the 15th international conference on 2, 2nd ed. Van Nostrand, 1951. Intelligent user interfaces. ACM, 2010, pp. 413–414. [41] K. Zeng, K. Govindan, D. Wu, and P. Mohapatra, “Identity- [22] X. H. Le, R. Sankar, M. Khalid, and S. Lee, “Public key based attack detection in mobile wireless networks,” in INFO- cryptography-based security scheme for wireless sensor net- COM, 2011 Proceedings IEEE, April 2011, pp. 1880–1888. works in healthcare,” in Proceedings of the 4th International [42] Y. Wei, K. Zeng, and P. Mohapatra, “Adaptive wireless channel Conference on Uniquitous Information Management and Com- probing for shared key generation based on pid controller,” munication. ACM, 2010, p. 5. Mobile Computing, IEEE Transactions on, vol. 12, no. 9, pp. [23] A. Kobsa, R. Sonawalla, G. Tsudik, E. Uzun, and Y. Wang, 1842–1852, Sept 2013. “Serial hook-ups: a comparative usability study of secure device [43] G. J. Croll, “Bientropy - the approximate entropy of a finite pairing methods,” in Proceedings of the 5th Symposium on binary string,” Computing Research Repository, 2013. Usable Privacy and Security. ACM, 2009, p. 10. [44] J. Brooke, “Sus: a ’quick and dirty’ usability scale,” 1996. [24] T. Halevi and N. Saxena, “Acoustic eavesdropping attacks on [45] M. Steiner, G. Tsudik, and M. Waidner, “Diffie-hellman key constrained wireless device pairing,” Information Forensics and distribution extended to group communication,” in Acm Con- Security, IEEE Transactions on, vol. 8, no. 3, pp. 563–577, ference on Computer and Communications Security, 1996, pp. March 2013. 31–37. [25] “https://technology.ihs.com/389408/electronic-compass-market- finds-its-way-to-73-percent-growth-in-2011.” [26] “http://www.sensorsmag.com/sensors- expo/prospectsforsiliconbasedmagneticsensors.” [27] L. Xiao, Q. Yan, W. Lou, G. Chen, and Y. Hou, “Proximity- based security techniques for mobile users in wireless network- s,” Information Forensics and Security, IEEE Transactions on, vol. 8, no. 12, pp. 2089–2100, Dec 2013. [28] S. Mathur, R. Miller, A. Varshavsky, W. Trappe, and N. Mandayam, “Proximate: Proximity-based secure pairing using ambient wireless signals,” in Proceedings of the 9th International Conference on Mobile Systems, Applications, Rong Jin received the BE, ME, and PhD degrees in electronic and information engineering from the Huazhong University of Science and Technology (HUST), P.R. , in 2006, 2008, and 2012, respectively. He was a postdoctoral scholar in the Department of Computer and Information Science at the University of Michigan-Dearborn from 2012 to 2014. He is now a lecturer in the School of Electron- ics Information and Communications at HUST. His research interests include microwave remote sensing, antenna array, electromagnetics, and physical layer wireless network security.

Liu Shi received the B.S degree of Computer Science from University of Electronic and Science Technology of China, P.R.China, in 2013. He re- ceived the M.S degree in the Department of Comput- er and Information Science at University of Michi- gan Dearborn in 2014. His research focuses on wireless network security.

Kai Zeng is an assistant professor in Department of Electrical and Computer Engineering, Department of Computer Science, and Center for Secure Infor- mation Systems at George Mason University. He received his Ph.D. degree in Electrical and Com- puter Engineering at Worcester Polytechnic Institute (WPI) in 2008. He was a postdoctoral scholar in the Department of Computer Science at University of California, Davis (UCD) from 2008 to 2011. He worked in the Department of Computer and Informa- tion Science at University of Michigan - Dearborn as an assistant professor from 2011 to 2014. He was a recipient of the U.S. National Science Foundation Faculty Early Career Development (CAREER) award in 2012. He won Excellence in Postdoctoral Research Award at UCD in 2011 and Sigma Xi Outstanding Ph.D. Dissertation Award at WPI in 2008. He is an editor of IEEE Transactions on Wireless Communications. His current research interests are in cyber-physical system security and privacy, physical layer security, network forensics, and cognitive radio networks.

Amit Pande received his PhD in Computer Engi- neering from Iowa State University, USA in 2010 and Bachelors in Electronics and Communications Engineering from IIT Roorkee, India in 2007. He has been working as Research Scientist at University of California Davis since 2010. He has published more than 65 peer-reviewed conference and journal paper- s, won many University-research-excellence awards as well as Best Paper Awards at International confer- ences. His current research interests are in applica- tion of data analytics to mobile, health, networking and other applications as well as in Network Security.

Prasant Mohapatra is a Professor in the Depart- ment of Computer Science and is currently serving as the Associate Chancellor of the University of California, Davis. Dr. Mohapatra received his doc- toral degree from Penn State University in 1993, and received an Outstanding Engineering Alumni Award in 2008. He is a Fellow of the IEEE and a Fellow of AAAS. Dr. Mohapatras research interests are in the areas of wireless networks, mobile communications, cybersecurity, and Internet protocols.