Time-Print: Authenticating USB Flash Drives with Novel Timing Fingerprints

Cronin, Patrick; Gao, Xing; Wang, Haining; Cotton, Chase

doi:10.1109/sp46214.2022.9833595

Cited by 7 publications

(14 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Various hardware-based authentication mechanisms [24], [14] are proposed to secure IoT authentication. These approaches consider various hardware features such as physical signal characteristics [36], [26], magnetic characteristics [21], sensors with human interaction [49], [38], [59], or physically unclonable functions (PUFs) [42].…”

Section: A Hardware-based Authenticationmentioning

confidence: 99%

“…These approaches utilize hardware-derived data to generate unique device fingerprints as the device identifier to distinguish different devices. The fingerprint data can be uploaded along with the payload or concealed as side-channel information, like physical signal strength [36] or time delay [24].…”

Section: A Hardware-based Authenticationmentioning

confidence: 99%

“…Flash. Previous study [24] uses NAND-flash's different sector read times as distinctive fingerprinting features because the NAND-Flash is located on a separate chip with dedicated drivers, which requires access via the I2C/SPI bus and can affect the access time of sectors. In contrast, most MCUs are only equipped with NOR-Flash, where different sectors exhibit similar read times due to their integration on the same chip as the MCU, enabling direct access.…”

Section: Srammentioning

confidence: 99%

“…Hardware Fingerprints are widely explored on various platforms such as mobile, PC, and IoT devices, to distinguish and track devices [37], [52], [65] or to authenticate devices [36], [26], [56], [24], [21], [22]. Unfortunately, most of these fingerprinting features require special hardware support, such as GPU [37], [52], mobile sensors [65], [32], and NADA flash [60], [24], which are absent in MCU-based embedded devices. For the approaches target IoT devices, HODOR [36] and [26] employ RFID signal features to fingerprint devices which is not a general solution for other kinds of IoT devices.…”

Section: Related Workmentioning

confidence: 99%

“…Although unclonable hardware authentication factors have been proposed to prevent these attacks [21], [38], [24], [2], [49], [56], they are ineffective when they are applied to MCU-based IoT devices. First, most of the required hardware features (e.g., magnetic sensor [21], NAND-Flash [24] and TEE [2]) are not supported by most commercial-off-the-shell (COTS) MCUs. Although physically unclonable functions (PUF) [41] can produce device-specific crypto keys or fingerprints, they need extra integrity circuit (IC) manufacturing procedures to provide special circuits.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

From Hardware Fingerprint to Access Token: Enhancing the Authentication on IoT Devices

Xiao,

He,

Zhang

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The proliferation of consumer IoT products in our daily lives has raised the need for secure device authentication and access control. Unfortunately, these resource-constrained devices typically use token-based authentication, which is vulnerable to token compromise attacks that allow attackers to impersonate the devices and perform malicious operations by stealing the access token. Using hardware fingerprints to secure their authentication is a promising way to mitigate these threats. However, once attackers have stolen some hardware fingerprints (e.g., via MitM attacks), they can bypass the hardware authentication by training a machine learning model to mimic fingerprints or by reusing these fingerprints to craft forged requests.In this paper, we present MCU-Token, a secure hardware fingerprinting framework for MCU-based IoT devices even if the cryptographic mechanisms (e.g., private keys) are compromised. MCU-Token can be easily integrated into various IoT devices by simply adding a short hardware fingerprint-based token to the existing payload. To prevent the reuse of this token, we propose a message mapping approach that binds the token to a specific request by generating the hardware fingerprints based on the request payload. To defeat the machine learning attacks, we mix the valid fingerprints with poisoning data so that attackers cannot train a usable model with the leaked tokens. MCU-Token can defend against adversaries who may replay, craft, and offload the requests via MitM or use both hardware (e.g., use identical devices) and software (e.g., machine learning attacks) strategies to mimic the fingerprints. The system evaluation shows that MCU-Token can achieve high accuracy (over 97%) with low overhead across various IoT devices and application scenarios.

show abstract

Section: A Hardware-based Authenticationmentioning

confidence: 99%

Section: A Hardware-based Authenticationmentioning

confidence: 99%

Section: Srammentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

From Hardware Fingerprint to Access Token: Enhancing the Authentication on IoT Devices

Xiao,

He,

Zhang

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

USB Fort Knox: Building a Robust Defense Against Data Breaches

Hingmire,

Sawant,

Patil

et al. 2024

Information Systems Engineering and Management

View full text Add to dashboard Cite

Plug and Power: Fingerprinting USB Powered Peripherals via Power Side-channel

Spolaor,

Liu,

Turrin

et al. 2023

IEEE INFOCOM 2023 - IEEE Conference on Computer Communications

View full text Add to dashboard Cite

The literature and the news regularly report cases of exploiting Universal Serial Bus (USB) devices as attack tools for malware injections and private data exfiltration. To protect against such attacks, security researchers proposed different solutions to verify the identity of a USB device via sidechannel information (e.g., timing or electromagnetic emission). However, such solutions often make strong assumptions on the measurement (e.g., electromagnetic interference-free area around the device), on a device's state (e.g., only at the boot or during specific actions), or are limited to one particular type of USB device (e.g., flash drive or input devices).In this paper, we present PowerID, a novel method to fingerprint USB peripherals based on their power consumption. PowerID analyzes the power traces from a peripheral to infer its identity and properties. We evaluate the effectiveness of our method on an extensive power trace dataset collected from 82 USB peripherals, including 35 models and 8 types. Our experimental results show that PowerID accurately recognizes a peripheral type, model, activity, and identity.

show abstract

Time-Print: Authenticating USB Flash Drives with Novel Timing Fingerprints

Cited by 7 publications

References 37 publications

From Hardware Fingerprint to Access Token: Enhancing the Authentication on IoT Devices

From Hardware Fingerprint to Access Token: Enhancing the Authentication on IoT Devices

USB Fort Knox: Building a Robust Defense Against Data Breaches

Plug and Power: Fingerprinting USB Powered Peripherals via Power Side-channel

Contact Info

Product

Resources

About