Establishing and maintaining secure communications in the Internet of Things (IoT) is vital to protect smart devices. Zero-interaction pairing (ZIP) and zero-interaction authentication (ZIA) enable IoT devices to establish and maintain secure communications without user interaction by utilizing devices' ambient context, e.g., audio. For autonomous operation, ZIP and ZIA require the context to have enough entropy to resist attacks and complete in a timely manner. Despite the low-entropy context being the norm, like inside an unoccupied room, the research community has yet to come up with ZIP and ZIA schemes operating under such conditions. We propose HARDZIPA, a novel approach that turns commodity IoT actuators into injecting devices, generating high-entropy context. Here, we combine the capability of IoT actuators to impact the environment, e.g., emitting a sound, with a pseudorandom number generator (PRNG) featured by many actuators to craft hard-to-predict context stimuli. To demonstrate the feasibility of HARDZIPA, we implement it on off-the-shelf IoT actuators, i.e., smart speakers, lights, and humidifiers. We comprehensively evaluate HARDZIPA, collecting over 80 hours of various context data in real-world scenarios. Our results show that HARDZIPA is able to thwart advanced active attacks on ZIP and ZIA schemes, while doubling the amount of context entropy in many cases, which allows two times faster pairing and authentication.

翻译：物联网中建立和维护安全通信对于保护智能设备至关重要。零交互配对（ZIP）和零交互认证（ZIA）通过利用设备的周围环境（例如音频）实现物联网设备无需用户交互即可建立并维护安全通信。为了实现自主运行，ZIP和ZIA要求环境具有足够的熵以抵抗攻击并按时完成操作。尽管低熵环境是常态（例如空房间内），但研究界尚未提出可在这种条件下运行的ZIP和ZIA方案。我们提出HARDZIPA，一种将商用物联网执行器转变为注入设备以生成高熵环境的新方法。在此，我们将物联网执行器影响环境的能力（例如发出声音）与许多执行器配备的伪随机数生成器（PRNG）相结合，以制作难以预测的环境刺激。为证明HARDZIPA的可行性，我们在市售物联网执行器（即智能音箱、灯和加湿器）上实现了该方法。我们全面评估了HARDZIPA，在真实场景中收集了超过80小时的各种环境数据。结果表明，HARDZIPA能够抵御针对ZIP和ZIA方案的高级主动攻击，同时在许多情况下将环境熵量翻倍，从而将配对和认证速度提升两倍。