research-article

CirclePIN: A Novel Authentication Mechanism for Smartwatches to Prevent Unauthorized Access to IoT Devices

Published: 12 March 2020

Abstract

In the last months, the market for personal wearable devices has been booming significantly, and, in particular, smartwatches are starting to assume a fundamental role in the Bring Your Own Device (BYOD) arena as well as in the more general Internet of Things (IoT) ecosystem, by acting both as sensitive data sources and as user identity proxies. These new roles, complementing the more traditional personal assistance and telemetry/tracking ones, open new perspectives in their integration in complex IoT-based critical infrastructures such as e-payment, health care monitoring, and emergency systems, as well as in their usage as remote control facilities in smart services. Users can access their IoT devices at any time from any place through smartwatches. We argue that this new scenario calls for a strengthened and more resilient authentication of users on these devices, despite their limitations in terms of dimensions and hardware constraints that may considerably affect the usability of security mechanisms. In this article, we present an innovative authentication scheme targeted at smartwatches, namely CirclePIN, that provides both resilience to most common attacks and a high level of usability in tests with real users.




    Published In

    ACM Transactions on Cyber-Physical Systems  Volume 4, Issue 3
    Special Issue on User-Centric Security and Safety for CPS
    July 2020
    279 pages
    ISSN:2378-962X
    EISSN:2378-9638
    DOI:10.1145/3388234
    Editor: Tei-Wei Kuo
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 12 March 2020
    Accepted: 01 October 2019
    Revised: 01 May 2019
    Received: 01 January 2019
    Published in TCPS Volume 4, Issue 3

    Author Tags

    1. Android security
    2. Smartwatch
    3. circle-PIN
    4. mobile authentication

    Qualifiers

    • Research-article
    • Research
    • Refereed

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months): 53
    • Downloads (Last 6 weeks): 2
    Reflects downloads up to 16 Nov 2024

    Citations

    Cited By

    • (2024) An Intersection Attack on the CirclePIN Smartwatch Authentication Mechanism. IEEE Internet of Things Journal 11:7 (12485-12494). DOI: 10.1109/JIOT.2023.3333964. Online publication date: 1-Apr-2024
    • (2024) Drivers of smartwatch use and its effect on environmental sustainability: evidence from SEM-ANN approach. Asia-Pacific Journal of Business Administration. DOI: 10.1108/APJBA-10-2023-0490. Online publication date: 19-Feb-2024
    • (2024) DeepPayAuth: User Authentication in Mobile Payments Using Smartwatch Motion Sensors. Intelligent Computing (455-472). DOI: 10.1007/978-3-031-62273-1_29. Online publication date: 15-Jun-2024
    • (2023) Formal Methods and Validation Techniques for Ensuring Automotive Systems Security. Information 14:12 (666). DOI: 10.3390/info14120666. Online publication date: 18-Dec-2023
    • (2023) Systematic Literature Review on Security Access Control Policies and Techniques Based on Privacy Requirements in a BYOD Environment: State of the Art and Future Directions. Applied Sciences 13:14 (8048). DOI: 10.3390/app13148048. Online publication date: 10-Jul-2023
    • (2023) A Systematic Review of IoT Security: Research Potential, Challenges, and Future Directions. ACM Computing Surveys 56:5 (1-40). DOI: 10.1145/3625094. Online publication date: 25-Nov-2023
    • (2023) Bag of On-Phone ANNs to Secure IoT Objects Using Wearable and Smartphone Biometrics. IEEE Transactions on Dependable and Secure Computing 21:3 (1127-1138). DOI: 10.1109/TDSC.2023.3269037. Online publication date: 21-Apr-2023
    • (2023) Leveraging Machine Learning for Disease Diagnoses Based on Wearable Devices: A Survey. IEEE Internet of Things Journal 10:24 (21959-21981). DOI: 10.1109/JIOT.2023.3313158. Online publication date: 15-Dec-2023
    • (2023) Advances in IoT Security: Vulnerabilities, Enabled Criminal Services, Attacks and Countermeasures. IEEE Internet of Things Journal (1-1). DOI: 10.1109/JIOT.2023.3252594. Online publication date: 2023
    • (2023) Managing Security Hazards in BYOD: A Comparative Analysis of Artificial Intelligent Techniques. 2023 International Conference on Electrical Engineering and Informatics (ICEEI) (1-5). DOI: 10.1109/ICEEI59426.2023.10346644. Online publication date: 10-Oct-2023
