Title :
Acoustic Eavesdropping Attacks on Constrained Wireless Device Pairing
Author :
Halevi, Tzipora ; Saxena, Navrati
Author_Institution :
Comput. Sci. & Eng. Dept., New York Univ., New York, NY, USA
Abstract :
Secure “pairing” of wireless devices based on auxiliary or out-of-band (OOB) communication (audio, visual, or tactile) is a well-established research direction. Specifically, authenticated as well as secret OOB (AS-OOB) channels have been shown to be quite useful for this purpose. Pairing can be achieved by simply transmitting the key or short password over the AS-OOB channel, avoiding potential serious human errors. This paper analyzes the security of AS-OOB pairing. Specifically, we take a closer look at three notable prior AS-OOB pairing proposals and challenge the assumptions upon which the security of these proposals relies, i.e., the secrecy of underlying audio channels. The first proposal (IMD Pairing) uses a low frequency audio channel to pair an implanted RFID tag with an external reader. The second proposal (PIN-Vibra) uses an automated vibrational channel to pair a mobile phone with a personal RFID tag. The third proposal (BEDA) uses vibration (or blinking) on one device and manually synchronized button pressing on another device or simultaneous button pressing on two devices. We demonstrate the feasibility of eavesdropping over acoustic emanations associated with these methods and conclude that they provide a weaker level of security than was originally assumed or desired for the pairing operation.
Keywords :
acoustic signal detection; audio coding; cryptography; mobile handsets; radiofrequency identification; synchronisation; telecommunication security; wireless channels; AS-OOB channel; AS-OOB pairing proposals; AS-OOB pairing security; BEDA; IMD pairing; PIN-Vibra; acoustic eavesdropping attacks; acoustic emanations; audio communication; authentication; automated vibrational channel; blinking; constrained wireless device pairing; external reader; implanted RFID tag; low frequency audio channel; manually synchronized button; mobile phone; out-of-band communication; personal RFID tag; secret OOB channels; tactile communication; visual communication; Acoustics; Humans; Microphones; Pressing; Radiofrequency identification; Security; Vibrations; Device pairing; audio emanations; authentication; signal processing;
Journal_Title :
Information Forensics and Security, IEEE Transactions on
DOI :
10.1109/TIFS.2013.2247758