BibTeX for papers by David Kotz; for complete/updated list see https://www.cs.dartmouth.edu/~kotz/research/papers.html @InProceedings{mangar:testbed, author = {Ravindra Mangar and Jingyu Qian and Wondimu Zegeye and Mounib Khanafer and Abdulrahman AlRabah and Ben Civjan and Shalni Sundram and Sam Yuan and Carl Gunter and Kevin Kornegay and Timothy J. Pierson and David Kotz}, title = {Designing and Evaluating a Testbed for the Matter Protocol: Insights into User Experience}, booktitle = {Proceedings of the NDSS Workshop on Security and Privacy in Standardized IoT (SDIoTSec)}, year = 2024, month = {February}, publisher = {NDSS}, copyright = {the authors}, DOI = {10.14722/sdiotsec.2024.23012}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mangar-testbed/index.html}, note = {Distinguished Paper Award}, abstract = {As the integration of smart devices into our daily environment accelerates, the vision of a fully integrated smart home is becoming more achievable through standards such as the Matter protocol. In response, this research paper explores the use of Matter in addressing the heterogeneity and interoperability problems of smart homes. We built a testbed and introduce a network utility device, designed to sniff network traffic and provide a wireless access point within IoT networks. This paper also presents experience of students using the testbed in an academic scenario.}, } @Misc{pierson:snap-patent, author = {Timothy J. Pierson and Ronald Peterson and David F. Kotz}, title = {System and method for proximity detection with single-antenna device}, howpublished = {U.S. 
Patent 11,871,233; International Patent Application WO2019210201A1}, year = 2024, month = {January}, day = 9, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-patent/index.html}, note = {Priority date 2018-04-27; Filed 2019-04-26; Published 2021-07-29, Issued 2024-01-09}, abstract = {A single-antenna device includes a single antenna, at least one processor, and at least one memory. The single-antenna device is operable to receive a signal including at least one frame. Each of said frame includes a repeating portion. The single-antenna device determines a difference of phase and amplitude of the repeating portion and further determines whether the signal is transmitted from a trusted source based at least in part on the difference of phase and amplitude of the repeating portion.}, } @Misc{pierson:closetalker-patent2, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}, howpublished = {U.S. Patent 11,894,920}, year = 2024, month = {February}, day = 6, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent2/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, Continuation of 11,153,026; Issued 2024-02-06}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. 
When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @InProceedings{perez:identification, author = {Beatrice Perez and Timothy J. Pierson and Gregory Mazzaro and David Kotz}, title = {Identification and Classification of Electronic Devices Using Harmonic Radar}, booktitle = {Proceedings of the Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT)}, year = 2023, month = {June}, pages = {248--255}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/DCOSS-IoT58021.2023.00050}, URL = {https://www.cs.dartmouth.edu/~kotz/research/perez-identification/index.html}, abstract = { Smart home electronic devices invisibly collect, process, and exchange information with each other and with remote services, often without a home occupant's knowledge or consent. These devices may be mobile or fixed and may have wireless or wired network connections. Detecting and identifying all devices present in a home is a necessary first step to control the flow of data, but there exists no universal mechanism to detect and identify all electronic devices in a space. In this paper we present ICED (Identification and Classification of Electronic Devices), a system that can (i) identify devices from a known set of devices, and (ii) detect the presence of previously unseen devices. ICED, based on harmonic radar technology, collects measurements at the first harmonic of the radar's transmit frequency. We find that the harmonic response contains enough information to infer the type of device. 
It works when the device has no wireless network interface, is powered off, or attempts to evade detection. We evaluate performance on a collection of 17 devices and find that by transmitting a range of frequencies we correctly identify known devices with 97.6\% accuracy and identify previously unseen devices as `unknown' with 69.0\% balanced accuracy.}, } @Misc{pierson:wanda-patent2, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Apparatus for securely configuring a target device}, howpublished = {U.S. Patent 11,683,071}, year = 2023, month = {June}, day = 20, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent2/index.html}, note = {Continuation of U.S. Patent 10,574,298. Priority date 2015-06-23; Filed 2020-01-20; Allowed 2023-02-10; Issued 2023-06-20}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. The first and second antenna are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{mare:saw-patent, author = {Shrirang Mare and David Kotz and Ronald Peterson}, title = {Effortless authentication for desktop computers using wrist wearable tokens}, howpublished = {U.S. 
Patent 11,574,039}, year = 2023, month = {February}, day = 7, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw-patent/index.html}, note = {Priority date 2018-07-20; International application Filed 2019-07-19; National stage Filed 2021-01-20; Issued 2023-02-07}, abstract = {A system and method for authenticating users of a digital device includes an authentication device attached to an authorized user. The authentication device includes one or more motion sensors and acts as a user identity token. To authenticate with a digital device, the user performs one or more interactions with the digital device using the hand associated with the authentication device. The digital device correlates the inputs received due to the interactions with the user's hand and/or wrist movement, as measured by the authentication device. Access to the digital device is allowed if the inputs and movements are correlated.}, } @InProceedings{peters:via, author = {Travis Peters and Timothy J. Pierson and Sougata Sen and Jos{\'{e}} Camacho and David Kotz}, title = {Recurring Verification of Interaction Authenticity Within Bluetooth Networks}, booktitle = {Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021)}, year = 2021, month = {June}, pages = {192--203}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3448300.3468287}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-via/index.html}, abstract = {Although user authentication has been well explored, device-to-device authentication -- specifically in Bluetooth networks -- has not seen the same attention. We propose Verification of Interaction Authenticity (VIA) -- a recurring authentication scheme based on evaluating characteristics of the communications (interactions) between devices. 
We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. To evaluate our approach we produced a new dataset consisting of more than 300 Bluetooth network traces collected from 20 Bluetooth-enabled smart-health and smart-home devices. In our evaluation, we found that devices can be correctly verified at a variety of granularities, achieving an F1-score of 0.86 or better in most cases.}, } @Article{sen:vibering-j, author = {Sougata Sen and David Kotz}, title = {VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}, journal = {Journal of Pervasive and Mobile Computing}, year = 2021, month = {December}, volume = 78, articleno = 101505, numpages = 16, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2021.101505}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-j/index.html}, abstract = {Many Internet of Things (IoT) devices are capable of sensing their environment, communicating with other devices, and actuating on their environment. Some of these IoT devices, herein known as ``smartThings'', collect meaningful information from raw data when they are in use and in physical contact with their user (e.g., a blood-glucose monitor); the smartThing's wireless connectivity allows it to transfer that data to its user's trusted device, such as a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user. \par To address this problem, in this paper, we investigate the use of \emph{vibration}, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. 
This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call \emph{VibeRing}. We describe the hardware and software details of the smartThing and smartRing. Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques. Overall, we successfully exchange a secret between a smartRing and various smartThings, at least 85.9\% of the time. We show that \emph{VibeRing} can perform this exchange at 12.5 bits/second at a bit error rate of less than 2.5\%. We also show that \emph{VibeRing} is robust to the smartThing's constituent material as well as the holding style. Finally, we demonstrate that a nearby adversary cannot decode or modify the message exchanged between the trusted devices. }, } @Misc{gralla:inside-outside, author = {Paul Gralla}, title = {An inside vs. outside classification system for Wi-Fi IoT devices}, school = {Dartmouth Computer Science}, year = 2021, month = {June}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/gralla-inside-outside/index.html}, note = {Undergraduate Thesis}, abstract = {We are entering an era in which Smart Devices are increasingly integrated into our daily lives. Everyday objects are gaining computational power to interact with their environments and communicate with each other and the world via the Internet. While the integration of such devices offers many potential benefits to their users, it also gives rise to a unique set of challenges. One of those challenges is to detect whether a device belongs to one's own ecosystem, or to a neighbor -- or represents an unexpected adversary. 
An important part of determining whether a device is friend or adversary is to detect whether a device's location is within the physical boundaries of one's space (e.g. office, classroom, home). In this thesis we propose a system that is able to decide with 82\% accuracy whether the location of an IoT device is inside or outside of a defined space based on a small number of transmitted Wi-Fi frames. The classification is achieved by leveraging a machine-learning classifier trained and tested on RSSI data of Wi-Fi transmissions recorded by three or more observers. In an initialization phase the classifier is trained by the user on Wi-Fi transmissions of a variety of locations, inside (and outside). The system can be built with off-the-shelf Wi-Fi observing devices that do not require any special hardware modifications. With the exception of the training period, the system can accurately classify the indoor/outdoor state of target devices without any cooperation from the user or from the target devices.}, } @Misc{pierson:closetalker-patent, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}, howpublished = {U.S. Patent 11,153,026}, year = 2021, month = {October}, day = 19, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, US amendment filed 2021-01-29; Issued 2021-10-19}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. 
When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @Article{liang:jlighttouch, author = {Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Securely Connecting Wearables to Ambient Displays with User Intent}, journal = {IEEE Transactions on Dependable and Secure Computing}, year = 2020, month = {July}, volume = 17, number = 4, pages = {676--690}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/TDSC.2018.2840979}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-jlighttouch/index.html}, abstract = {Wearables are often small and have limited user interfaces, hence they often wirelessly interface with a personal smartphone or a personal computer to relay information from the wearable for display. In this paper, we envision a new method LightTouch by which a wearable can establish a secure connection to an ambient display, such as a television or computer monitor, based on the user's intention to connect to the display. Such connections must be secure to prevent impersonation attacks, must work with unmodified display hardware, and must be easy to establish. LightTouch uses standard RF methods for communicating the data to display, securely bootstrapped with a key shared via a brightness channel between the low cost, low power, ambient light sensor of a wearable and the screen of the display. A screen touch gesture is adopted by users to ensure the modulation of screen brightness can be accurately and securely captured by the ambient light sensor. 
We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments we demonstrate that LightTouch is compatible with current display and wearable designs, easy-to-use (5-6 seconds), reliable for connecting displays (98 percent success connection ratio), and secure against impersonation attacks.}, } @InProceedings{sen:vibering, author = {Sougata Sen and David Kotz}, title = {VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}, booktitle = {Proceedings of the International Conference on the Internet of Things (IoT)}, year = 2020, month = {October}, articleno = 13, numpages = 8, publisher = {ACM}, copyright = {ACM}, ISBN13 = 9781450387583, DOI = {10.1145/3410992.3410995}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering/index.html}, abstract = {With the rapid growth in the number of IoT devices that have wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a \emph{secret}, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this paper, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smart ring, to share a secret with a smart IoT device. This exchanged secret can be used to bootstrap a secure wireless channel over which the devices can communicate. We believe that in future IoT devices can use such a technique to seamlessly connect with authorized devices with minimal user interaction overhead. 
In this paper, we specifically investigate (a) the feasibility of using vibration generated by a custom wearable for communication, (b) the effect of various parameters on this communication channel, and (c) the possibility of information manipulation by an adversary or information leakage to an adversary. For this investigation, we conducted a controlled study as well as a user study with 12 participants. In the controlled study, we could successfully share messages through vibrations with a bit error rate of less than 2.5\%. Additionally, through the user study we demonstrate that it is possible to share messages with various types of objects accurately, quickly and securely as compared to several existing techniques. Overall, we find that in the best case we can exchange 85.9\% messages successfully with a smart device.}, } @Misc{pierson:wanda-patent, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Apparatus for Securely Configuring A Target Device and Associated Methods}, howpublished = {U.S. Patent 10,574,298}, year = 2020, month = {February}, day = 25, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent/index.html}, note = {Priority date 2015-06-23; Filed 2016-06-23; Issued 2020-02-25}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. 
The first and second antenna are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{liang:lighttouch-patent, author = {Xiaohui Liang and Tianlong Yun and Ron Peterson and David Kotz}, title = {Secure System For Coupling Wearable Devices To Computerized Devices with Displays}, howpublished = {U.S. Patent 10,581,606}, year = 2020, month = {March}, day = 3, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch-patent/index.html}, note = {Priority date 2014-08-18, Filed 2015-08-18; Issued 2020-03-03.}, abstract = {A system has a first electronic device with optical sensor, digital radio transceiver, and processor with firmware; this device is typically portable or wearable. The system also has a computerized device with a display, a second digital radio transceiver, and a second processor with firmware. The first and computerized devices are configured to set up a digital radio link when in radio range. The second processor uses a spot on the display to optically transmit a digital message including a secret such as an encryption key or subkey and/or an authentication code adapted for authenticating and encrypting the radio link. The first device receives the digital message via its optical sensor, and uses the digital message to validate and establish encryption on the radio link. 
In embodiments, the system determines a location of the first device on the display and positions the transmission spot at the determined location.}, } @InProceedings{mare:csaw19, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {Continuous Smartphone Authentication using Wristbands}, booktitle = {Proceedings of the Workshop on Usable Security (USEC)}, year = 2019, month = {February}, numpages = 12, publisher = {Internet Society}, copyright = {the authors}, DOI = {10.14722/usec.2019.23013}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-csaw19/index.html}, abstract = {Many users find current smartphone authentication methods (PINs, swipe patterns) to be burdensome, leading them to weaken or disable the authentication. Although some phones support methods to ease the burden (such as fingerprint readers), these methods require active participation by the user and do not verify the user's identity after the phone is unlocked. We propose CSAW, a continuous smartphone authentication method that leverages wristbands to verify that the phone is in the hands of its owner. In CSAW, users wear a wristband (a smartwatch or a fitness band) with built-in motion sensors, and by comparing the wristband's motion with the phone's motion, CSAW continuously produces a score indicating its confidence that the person holding (and using) the phone is the person wearing the wristband. This score provides the foundation for a wide range of authentication decisions (e.g., unlocking phone, deauthentication, or limiting phone access). Through two user studies (N{$=$}27,11) we evaluated CSAW's accuracy, usability, and security. Our experimental evaluation demonstrates that CSAW was able to conduct initial authentication with over 99\% accuracy and continuous authentication with over 96.5\% accuracy.}, } @InProceedings{pierson:closetalker, author = {Timothy J. 
Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {CloseTalker: secure, short-range ad hoc wireless communication}, booktitle = {Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2019, month = {June}, pages = {340--352}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3307334.3326100}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker/index.html}, abstract = {Secure communication is difficult to arrange between devices that have not previously shared a secret. Previous solutions to the problem are susceptible to man-in-the-middle attacks, require additional hardware for out-of-band communication, or require an extensive public-key infrastructure. Furthermore, as the number of wireless devices explodes with the advent of the Internet of Things, it will be impractical to manually configure each device to communicate with its neighbors. \par Our system, CloseTalker, allows simple, secure, ad hoc communication between devices in close physical proximity, while jamming the signal so it is unintelligible to any receivers more than a few centimeters away. CloseTalker does not require any specialized hardware or sensors in the devices, does not require complex algorithms or cryptography libraries, occurs only when intended by the user, and can transmit a short burst of data or an address and key that can be used to establish long-term or long-range communications at full bandwidth. \par In this paper we present a theoretical and practical evaluation of CloseTalker, which exploits Wi-Fi MIMO antennas and the fundamental physics of radio to establish secure communication between devices that have never previously met. We demonstrate that CloseTalker is able to facilitate secure in-band communication between devices in close physical proximity (about 5 cm), even though they have never met nor shared a key.}, } @InProceedings{pierson:snap, author = {Timothy J. 
Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {Proximity Detection with Single-Antenna IoT Devices}, booktitle = {Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}, year = 2019, month = {October}, articleno = 21, numpages = 15, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3300061.3300120}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap/index.html}, abstract = {Providing secure communications between wireless devices that encounter each other on an ad-hoc basis is a challenge that has not yet been fully addressed. In these cases, close physical proximity among devices that have never shared a secret key is sometimes used as a basis of trust; devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. \par We present theoretical and practical evaluation of a method called SNAP -- SiNgle Antenna Proximity -- that allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. 
Our proximity detection technique leverages the repeating nature of Wi-Fi's preamble and the behavior of a signal in a transmitting antenna's near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm.}, } @InProceedings{sen:vibering-poster, author = {Sougata Sen and Varun Mishra and David Kotz}, title = {Using vibrations from a SmartRing as an out-of-band channel for sharing secret keys}, booktitle = {Adjunct Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp)}, year = 2019, month = {September}, pages = {198--201}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/3341162.3343818}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-poster/index.html}, abstract = {With the rapid growth in the number of Internet of Things (IoT) devices with wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a secret, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this work, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9\% messages successfully. 
Our technique demonstrates the possibility of sharing messages accurately, quickly and securely as compared to several existing techniques.}, } @Article{liu:vocalresonance, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {Vocal Resonance: Using Internal Body Voice for Wearable Authentication}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (UbiComp)}, year = 2018, month = {March}, volume = 2, number = 1, articleno = 19, numpages = 23, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3191751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-vocalresonance/index.html}, abstract = {We observe the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. For many devices, it is critical to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. In this paper we propose the use of vocal resonance, that is, the sound of the person's voice as it travels through the person's body -- a method we anticipate would be suitable for devices worn on the head, neck, or chest. In this regard, we go well beyond the simple challenge of speaker recognition: we want to know who is wearing the device. We explore two machine-learning approaches that analyze voice samples from a small throat-mounted microphone and allow the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone-enabled device is physically on the speaker's body. 
We collected data from 29 subjects, demonstrate the feasibility of a prototype, and show that our DNN method achieved balanced accuracy 0.914 for identification and 0.961 for verification by using an LSTM-based deep-learning model, while our efficient GMM method achieved balanced accuracy 0.875 for identification and 0.942 for verification.}, } @Article{mare:saw, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {SAW: Wristband-based authentication for desktop computers}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (Ubicomp)}, year = 2018, month = {September}, volume = 2, number = 3, articleno = 125, numpages = 29, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3264935}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw/index.html}, abstract = {Token-based proximity authentication methods that authenticate users based on physical proximity are effortless, but lack explicit user intentionality, which may result in accidental logins. For example, a user may get logged in when she is near a computer or just passing by, even if she does not intend to use that computer. Lack of user intentionality in proximity-based methods makes them less suitable for multi-user shared computer environments, despite their desired usability benefits over passwords. \par We present an authentication method for desktops called Seamless Authentication using Wristbands (SAW), which addresses the lack of intentionality limitation of proximity-based methods. SAW uses a low-effort user input step for explicitly conveying user intentionality, while keeping the overall usability of the method better than password-based methods. In SAW, a user wears a wristband that acts as the user's identity token, and to authenticate to a desktop, the user provides a low-effort input by tapping a key on the keyboard multiple times or wiggling the mouse with the wristband hand. 
This input to the desktop conveys that someone wishes to log in to the desktop, and SAW verifies the user who wishes to log in by confirming the user's proximity and correlating the received keyboard or mouse inputs with the user's wrist movement, as measured by the wristband. In our feasibility user study (n{$=$}17), SAW proved quick to authenticate (within two seconds), with a low false-negative rate of 2.5\% and worst-case false-positive rate of 1.8\%. In our user perception study (n{$=$}16), a majority of the participants rated it as more usable than passwords.}, } @InProceedings{pierson:snap-poster, author = {Timothy J. Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {Poster: Proximity Detection with Single-Antenna IoT Devices}, booktitle = {Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}, year = 2018, month = {October}, pages = {663--665}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3241539.3267751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-poster/index.html}, abstract = {Close physical proximity among wireless devices that have never shared a secret key is sometimes used as a basis of trust. In these cases, devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. We investigate a method for a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. 
Our approach leverages the repeating nature of Wi-Fi's preamble and the characteristics of a transmitting antenna's near field to detect proximity with high probability. Our method never falsely declares proximity at ranges longer than 14 cm.}, } @PhdThesis{pierson:thesis, author = {Timothy J. Pierson}, title = {Secure Short-range Communications}, school = {Dartmouth Computer Science}, year = 2018, month = {June}, copyright = {Timothy J. Pierson}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2018-845}, abstract = {Analysts predict billions of everyday objects will soon become ``smart'' after designers add wireless communication capabilities. Collectively known as the Internet of Things (IoT), these newly communication-enabled devices are envisioned to collect and share data among themselves, with new devices entering and exiting a particular environment frequently. People and the devices they wear or carry may soon encounter dozens, possibly hundreds, of devices each day. Many of these devices will be encountered for the first time. Additionally, some of the information the devices share may have privacy or security implications. Furthermore, many of these devices will have limited or non-existent user interfaces, making manual configuration cumbersome. This situation suggests that devices that have never met, nor shared a secret, but that are in the same physical area, must have a way to securely communicate that requires minimal manual intervention. In this dissertation we present novel approaches to solve these short-range communication issues. Our techniques are simple to use, secure, and consistent with user intent. We first present a technique called Wanda that uses radio strength as a communication channel to securely impart information onto nearby devices. 
We focus on using Wanda to introduce new devices into an environment, but Wanda could be used to impart any type of information onto wireless devices, regardless of device type or manufacturer. Next we describe SNAP, a method for a single-antenna wireless device to determine when it is in close physical proximity to another wireless device. Because radio waves are invisible, a user may believe transmissions are coming from a nearby device when in fact the transmissions are coming from a distant adversary attempting to trick the user into accepting a malicious payload. Our approach significantly raises the bar for an adversary attempting such a trick. Finally, we present a solution called JamFi that exploits MIMO antennas and the Inverse-Square Law to securely transfer data between nearby devices while denying more distant adversaries the ability to recover the data. We find JamFi is able to facilitate reliable and secure communication between two devices in close physical proximity, even though they have never met nor shared a key.}, } @Misc{molina-markham:patent9961547, author = {Andr{\'{e}}s D. Molina-Markham and Shrirang Mare and Ronald Peterson and David Kotz}, title = {Continuous seamless mobile device authentication using a separate electronic wearable apparatus}, howpublished = {U.S. Patent 9,961,547}, year = 2018, month = {May}, day = 1, URL = {https://www.cs.dartmouth.edu/~kotz/research/molina-markham-patent9961547/index.html}, note = {Priority date 2016-09-30, Filed 2016-09-30; Issued 2018-05-01}, abstract = {A technique performs a security operation. The technique includes receiving first activity data from a mobile device, the first activity data identifying activity by a user that is currently using the mobile device. The technique further includes receiving second activity data from an electronic wearable apparatus, the second activity data identifying physical activity by a wearer that is currently wearing the electronic wearable apparatus. 
The technique further includes, based on the first activity data received from the mobile device and the second activity data received from the electronic wearable apparatus, performing an assessment operation that provides an assessment result indicating whether the user that is currently using the mobile device and the wearer that is currently wearing the electronic wearable apparatus are the same person. With such a technique, authentication may be continuous but without burdening the user to repeatedly re-enter a password.}, } @InProceedings{liang:lighttouch, author = {Xiaohui Liang and Tianlong Yun and Ronald Peterson and David Kotz}, title = {LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent}, booktitle = {Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}, year = 2017, month = {May}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2017.8057210}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch/index.html}, abstract = {Wearables are small and have limited user interfaces, so they often wirelessly interface with a personal smartphone/computer to relay information from the wearable for display or other interactions. In this paper, we envision a new method, LightTouch, by which a wearable can establish a secure connection to an ambient display, such as a television or a computer monitor, while ensuring the user's intention to connect to the display. LightTouch uses standard RF methods (like Bluetooth) for communicating the data to display, securely bootstrapped via the visible-light communication (the brightness channel) from the display to the low-cost, low-power, ambient light sensor of a wearable. A screen `touch' gesture is adopted by users to ensure that the modulation of screen brightness can be securely captured by the ambient light sensor with minimized noise. 
Wireless coordination with the processor driving the display establishes a shared secret based on the brightness channel information. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments and a preliminary user study we demonstrate that LightTouch is compatible with current display and wearable designs, is easy to use (about 6 seconds to connect), is reliable (up to 98\% success connection ratio), and is secure against attacks.}, } @InProceedings{liang:wearsys17, author = {Xiaohui Liang and David Kotz}, title = {AuthoRing: Wearable User-presence Authentication}, booktitle = {Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys)}, year = 2017, month = {June}, pages = {5--10}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3089351.3089357}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-wearsys17/index.html}, abstract = {A common log-in process at computers involves the entry of username and password; log out depends on the user to remember to log out, or a timeout to expire the user session. Once logged in, user sessions may be vulnerable to imposter attacks in which an impostor steps up to the user's unattended computer and inherits the user's access privilege. We propose a ring-based authentication system called ``AuthoRing'', which restricts the imposter attackers from generating new inputs at the computer's mouse and keyboard. During the log-in process, an eligible AuthoRing user wears a digital ring with accelerometers and wireless communication capability. When input is detected at the mouse or keyboard, the computer's AuthoRing system correlates hand-motion data received from the ring with the input data from the computer's window manager, and detects imposter attacks when these data are insufficiently correlated. 
We implemented the AuthoRing system and evaluated its security, efficiency, and usability; we found that imposter attacks can be effectively detected and the required operations happen quickly with negligible delays experienced by the user.}, } @InProceedings{liu:mobisys17, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {Poster: Vocal Resonance as a Passive Biometric}, booktitle = {Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2017, month = {June}, pages = 160, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3081333.3089304}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-mobisys17/index.html}, abstract = {We present a novel, unobtrusive biometric measurement that can support user identification in wearable body-mounted devices: \emph{vocal resonance}, that is, the sound of the person's voice as it travels through the person's body.}, } @InProceedings{liu:wearsys17, author = {Rui Liu and Reza Rawassizadeh and David Kotz}, title = {Toward Accurate and Efficient Feature Selection for Speaker Recognition on Wearables}, booktitle = {Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys)}, year = 2017, month = {June}, pages = {41--46}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3089351.3089352}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-wearsys17/index.html}, abstract = {Due to the user-interface limitations of wearable devices, voice-based interfaces are becoming more common; speaker recognition may then address the authentication requirements of wearable applications. Wearable devices have small form factor, limited energy budget and limited computational capacity. In this paper, we examine the challenge of computing speaker recognition on small wearable platforms, and specifically, reducing resource use (energy use, response time) by trimming the input through careful feature selections. 
For our experiments, we analyze four different feature-selection algorithms and three different feature sets for speaker identification and speaker verification. Our results show that Principal Component Analysis (PCA) with frequency-domain features had the highest accuracy, Pearson Correlation (PC) with time-domain features had the lowest energy use, and recursive feature elimination (RFE) with frequency-domain features had the least latency. Our results can guide developers to choose feature sets and configurations for speaker-authentication algorithms on wearable platforms.}, } @Misc{mare:patent9832206, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Ronald Peterson and David Kotz}, title = {System, Method and Authorization Device for Biometric Access Control to Digital Devices}, howpublished = {U.S. Patent 9,832,206; International Patent Application WO2014153528A2}, year = 2017, month = {November}, day = 28, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-patent9832206/index.html}, note = {Priority date 2013-03-21; Filed 2014-03-21; Issued 2017-11-28}, abstract = {A system and method for authenticating and continuously verifying authorized users of a digital device includes an authentication device attached to an arm or wrist of authorized users. The authentication device has an accelerometer, digital radio, a processor configured to provide identity information over the radio, and to transmit motion data. The motion data is received by the digital device and the identity transmitted is verified as an identity associated with an authorized user. Input at a touchscreen, touchpad, mouse, trackball, or keyboard of the digital device is detected, and correlated with the motion data. 
Access to the digital device is allowed if the detected input and the detected motion data correlate, and disallowed otherwise.}, } @PhdThesis{mare:thesis, author = {Shrirang Mare}, title = {Seamless Authentication for Ubiquitous Devices}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Shrirang Mare}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-793.}, abstract = {User authentication is an integral part of our lives; we authenticate ourselves to personal computers and a variety of other things several times a day. Authentication is burdensome. When we wish to access a computer or a resource, it is an additional task that we need to perform -- an interruption in our workflow. In this dissertation, we study people's authentication behavior and attempt to make authentication to desktops and smartphones less burdensome for users. \par First, we present the findings of a user study we conducted to understand people's authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants' lives and burdensome for many participants, but they accepted it as cost of security, devising their own ways to cope with it. 
\par Second, we propose a new approach to authentication, called bilateral authentication, that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user's wristband and the user's phone) share their knowledge (e.g., about user's interaction with the phone) to verify the user's identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method's usability and security from the system and the user's perspective. Based on the evaluation, our authentication method shows promise for reducing users' authentication burden for desktops and smartphones.}, } @TechReport{wang:auth, author = {Bingyue Wang}, title = {Learning Device Usage in Context: A Continuous and Hierarchical Smartphone Authentication Scheme}, institution = {Dartmouth Computer Science}, year = 2016, month = {March}, number = {TR2016-790}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/wang-auth/index.html}, abstract = {Popular smartphone authentication schemes, such as PIN-based or biometrics-based authentication methods, require only an initial login at the start of a usage session to authorize the user to use all the apps on the phone during the entire session. Those schemes fail to provide continuous protection of the smartphone after the initial login. They also fail to meet the hierarchy of security requirements for different apps under different contexts. In this study, we propose a continuous and hierarchical authentication scheme. 
We believe that a user's app-usage patterns depend on his location context. As such, our scheme relies on app-usage patterns in different location context to continuously establish the log probability density (LPD) of the authenticity of the current user. Based on different LPD thresholds corresponding to different security requirements, the current user either has a LPD higher than the threshold, which grants him continuous access to the phone or the app, or he has a LPD lower than the threshold, which locks him out of the phone or the app immediately. We test our scheme on 4,600 subjects from the Device Analyzer Dataset. We found that our scheme could correctly identify the authenticity of the majority of the subjects. However, app-usage patterns with or without location context yielded similar performances, indicating that user contexts did not contribute further information to establish user behavioral patterns. Based on our scheme, we propose a hypothetical Android app which would provide continuous and hierarchical authentication for the smartphone users.}, } @TechReport{cornelius:voice-tr, author = {Cory Cornelius and Zachary Marois and Jacob Sorber and Ron Peterson and Shrirang Mare and David Kotz}, title = {Vocal resonance as a biometric for pervasive wearable devices}, institution = {Dartmouth Computer Science}, year = 2014, month = {February}, number = {TR2014-747}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-voice-tr/index.html}, abstract = {We anticipate the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. In our vision, the user can simply wear the desired set of devices, and they ``just work''; no configuration is needed, and yet they discover each other, recognize that they are on the same body, configure a secure communications channel, and identify the user to which they are attached. 
This paper addresses a method to achieve the latter, that is, for a wearable device to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. We use vocal resonance, that is, the sound of the person's voice as it travels through the person's body. By collecting voice samples from a small wearable microphone, our method allows the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone device is physically on the speaker's body. We collected data from 25 subjects, demonstrate the feasibility of a prototype, and show that our method works with 77\% accuracy when a threshold is chosen a priori.}, } @InProceedings{cornelius:wearable, author = {Cory Cornelius and Ronald Peterson and Joseph Skinner and Ryan Halter and David Kotz}, title = {A wearable system that knows who wears it}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2014, month = {June}, pages = {55--67}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2594369}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-wearable/index.html}, abstract = {Body-area networks of pervasive wearable devices are increasingly used for health monitoring, personal assistance, entertainment, and home automation. In an ideal world, a user would simply wear their desired set of devices with no configuration necessary: the devices would discover each other, recognize that they are on the same person, construct a secure communications channel, and recognize the user to which they are attached. In this paper we address a portion of this vision by offering a wearable system that unobtrusively recognizes the person wearing it. Because it can recognize the user, our system can properly label sensor data or personalize interactions. 
\par Our recognition method uses bioimpedance, a measurement of how tissue responds when exposed to an electrical current. By collecting bioimpedance samples using a small wearable device we designed, our system can determine that (a) the wearer is indeed the expected person and (b) the device is physically on the wearer's body. Our recognition method works with 98\% balanced-accuracy under a cross-validation of a day's worth of bioimpedance samples from a cohort of 8 volunteer subjects. We also demonstrate that our system continues to recognize a subset of these subjects even several months later. Finally, we measure the energy requirements of our system as implemented on a Nexus S smart phone and custom-designed module for the Shimmer sensing platform.}, } @TechReport{mare:zebra-tr, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Cory Cornelius and Ronald Peterson and David Kotz}, title = {ZEBRA: Zero-Effort Bilateral Recurring Authentication (Companion report)}, institution = {Dartmouth Computer Science}, year = 2014, month = {May}, number = {TR2014-748}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-zebra-tr/index.html}, note = {This project has been renamed CSAW.}, abstract = {We describe and evaluate Zero-Effort Bilateral Recurring Authentication (ZEBRA) in our paper that appears in IEEE Symposium on Security and Privacy, May 2014. In this report we provide a more detailed comparative evaluation of ZEBRA against other related authentication schemes. The abstract of the paper follows. Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. 
One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. In our experiments ZEBRA performed continuous authentication with 85\% accuracy in verifying the correct user and identified all adversaries within 11 s. 
For a different threshold that trades security for usability, ZEBRA correctly verified 90\% of users and identified all adversaries within 50 s.}, } @InProceedings{mare:zebra14, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Cory Cornelius and Ronald Peterson and David Kotz}, title = {ZEBRA: Zero-Effort Bilateral Recurring Authentication}, booktitle = {Proceedings of the IEEE Symposium on Security \& Privacy}, year = 2014, month = {May}, pages = {705--720}, publisher = {IEEE}, copyright = {the authors}, DOI = {10.1109/SP.2014.51}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-zebra14/index.html}, note = {This project has been renamed CSAW.}, abstract = {Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. \par To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. 
Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. In our experiments ZEBRA performed continuous authentication with 85\% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90\% of users and identified all adversaries within 50 s.}, } @PhdThesis{cornelius:thesis, author = {Cory T. Cornelius}, title = {Usable Security for Wireless Body-Area Networks}, school = {Dartmouth College Computer Science}, year = 2013, month = {September}, copyright = {Cory T. Cornelius}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2013-741}, abstract = {We expect wireless body-area networks of pervasive wearable devices will enable \emph{in situ} health monitoring, personal assistance, entertainment personalization, and home automation. As these devices become ubiquitous, we also expect them to interoperate. That is, instead of closed, end-to-end body-worn sensing systems, we envision standardized sensors that wirelessly communicate their data to a device many people already carry today, the smart phone. However, this ubiquity of wireless sensors combined with the characteristics they sense present many security and privacy problems. \par In this thesis we describe solutions to two of these problems. First, we evaluate the use of bioimpedance for recognizing who is wearing these wireless sensors and show that bioimpedance is a feasible biometric. 
Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful at distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have them \emph{just work}. \par These methods solve interesting problems in their own right, but it is the combination of these methods that shows their true power. Combined together they allow a network of wireless sensors to cooperate and determine whom they are sensing even though only one of the wireless sensors might be able to determine this fact. If all the wireless sensors know they are on the same body as each other and one of them knows which person it is on, then they can each exploit the transitive relationship to know that they must all be on that person's body. We show how these methods can work together in a prototype system. This ability to operate unobtrusively, collecting \emph{in situ} data and labeling it properly without interrupting the wearer's activities of daily life, will be vital to the success of these wireless sensors.}, } @InProceedings{cornelius:biometrics-poster, author = {Cory Cornelius and Zachary Marois and Jacob Sorber and Ron Peterson and Shrirang Mare and David Kotz}, title = {Passive Biometrics for Pervasive Wearable Devices (Poster paper)}, booktitle = {Proceedings of the Workshop on Mobile Computing Systems and Applications (HotMobile)}, year = 2012, month = {February}, numpages = 1, publisher = {ACM}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-biometrics-poster/index.html}, abstract = {Wearable devices -- like the FitBit, MOTOACTV, and Jawbone UP -- are increasingly becoming more pervasive whether for monitoring health and fitness, personal assistance, or home automation. 
While pervasive wearable devices have long been researched, we are now beginning to see the fruits of this research in the form of commercial offerings. Today, many of these commercial wearable devices are closed systems that do not interoperate with other devices a person might carry. We believe, however, these commercial offerings signal the coming of wireless body-area networks that will connect these pervasive wearable devices and leverage existing devices a user already owns (e.g., a smartphone). Such wireless body-area networks will allow devices to specialize and utilize the capabilities of other devices in the network. A sensor, for example, might harness the internet connectivity of a smartphone to store its data in the cloud. Utilized in this way, devices will become cheaper because they will only require the components necessary for their speciality, and they will also become more pervasive because they can easily be shared between users. \par In order for such a vision to be successful, these devices will need to seamlessly interoperate with no interaction required of the user. As difficult as it is for users to manage their wireless area networks, it will be even more difficult for a user to manage their wireless body-area network in a truly pervasive world. As such, we believe these wearable devices should form a wireless body-area network that is passive in nature. This means that these pervasive wearable devices will require no configuration, yet they will be able to form a wireless body-area network by (1) discovering their peers, (2) recognizing they are attached to the same body, (3) securing their communications, and (4) identifying to whom they are attached. 
While we are interested in all aspects of these passive wireless body-area networks, we focus on the last requirement: identifying who is wearing a device.}, } @InProceedings{cornelius:impedance, author = {Cory Cornelius and Jacob Sorber and Ronald Peterson and Joe Skinner and Ryan Halter and David Kotz}, title = {Who wears me? Bioimpedance as a passive biometric}, booktitle = {Proceedings of the USENIX Workshop on Health Security and Privacy}, year = 2012, month = {August}, numpages = 10, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-impedance/index.html}, abstract = {Mobile and wearable systems for monitoring health are becoming common. If such an mHealth system knows the identity of its wearer, the system can properly label and store data collected by the system. Existing recognition schemes for such mobile applications and pervasive devices are not particularly usable -- they require \emph{active} engagement with the person (e.g., the input of passwords), or they are too easy to fool (e.g., they depend on the presence of a device that is easily stolen or lost). \par We present a wearable sensor to passively recognize people. Our sensor uses the unique electrical properties of a person's body to recognize their identity. More specifically, the sensor uses \emph{bioimpedance} -- a measure of how the body's tissues oppose a tiny applied alternating current -- and learns how a person's body uniquely responds to alternating current of different frequencies. 
In this paper we demonstrate the feasibility of our system by showing its effectiveness at accurately recognizing people in a household 90\% of the time.}, } @InProceedings{cornelius:healthsec10, author = {Cory Cornelius and David Kotz}, title = {On Usable Authentication for Wireless Body Area Networks}, booktitle = {Proceedings of the USENIX Workshop on Health Security (HealthSec)}, year = 2010, month = {August}, numpages = 2, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-healthsec10/index.html}, note = {Position paper}, abstract = {We examine a specific security problem in wireless body area networks (WBANs), what we call the \emph{one body authentication problem}. That is, how can we ensure that the wireless sensors in a WBAN are collecting data about one individual and not several individuals. We explore existing solutions to this problem and provide some analysis why these solutions are inadequate. Finally, we provide some direction towards a promising solution to the problem and how it can be used to create a usably secure WBAN.}, } @InProceedings{sriram:ecg, author = {Janani Sriram and Minho Shin and Tanzeem Choudhury and David Kotz}, title = {Activity-aware ECG-based patient authentication for remote health monitoring}, booktitle = {Proceedings of the International Conference on Multimodal Interfaces and Workshop on Machine Learning for Multi-modal Interaction (ICMI-MLMI)}, year = 2009, month = {November}, pages = {297--304}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1647314.1647378}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sriram-ecg/index.html}, abstract = {Mobile medical sensors promise to provide an efficient, accurate, and economic way to monitor patients' health outside the hospital. Patient authentication is a necessary security requirement in remote health monitoring scenarios. 
The monitoring system needs to make sure that the data is coming from the right person before any medical or financial decisions are made based on the data. Credential-based authentication methods (e.g., passwords, certificates) are not well-suited for remote healthcare as patients could hand over credentials to someone else. Furthermore, one-time authentication using credentials or trait-based biometrics (e.g., face, fingerprints, iris) does not cover the entire monitoring period and may lead to unauthorized post-authentication use. Recent studies have shown that the human electrocardiogram (ECG) exhibits unique patterns that can be used to discriminate individuals. However, perturbation of the ECG signal due to physical activity is a major obstacle in applying the technology in real-world situations. In this paper, we present a novel ECG and accelerometer-based system that can authenticate individuals in an ongoing manner under various activity conditions. We describe the probabilistic authentication system we have developed and present experimental results from 17 individuals.}, } @TechReport{masone:thesis-2002, author = {Christopher P. Masone}, title = {Role Definition Language (RDL): A Language to Describe Context-Aware Roles}, institution = {Dartmouth Computer Science}, year = 2002, month = {May}, number = {TR2002-426}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/masone-thesis-2002/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2002-426}, abstract = {As wireless networks become more prevalent, a widening array of computational resources becomes available to the mobile user. Since not all users should have unrestricted access to these resources, a method of access control must be devised. In a context-aware environment, context information can be used to supplement more conventional password-based access control systems. 
We believe the best way to achieve this is through the use of Context-Aware Role-Based Access Control, a model in which permissions are assigned to entities called roles, each principal is a member of one or more roles, and a role's membership is determined using context information. We designed and implemented RDL (Role-Definition Language), a simple, expressive and somewhat extensible programming language to facilitate the description of roles in terms of context information.}, }