Shake Well Before Use: Authentication Based on
Accelerometer Data
Rene Mayrhofer and Hans Gellersen
Lancaster University, Computing Department, South Drive, Lancaster LA1 4WA, UK
{rene,hwg}@comp.lancs.ac.uk
Abstract. Small, mobile devices without user interfaces, such as Blue-
tooth headsets, often need to communicate securely over wireless net-
works. Active attacks can only be prevented by authenticating wireless
communication, which is problematic when devices do not have any a
priori information about each other. We introduce a new method for
device-to-device authentication by shaking devices together. This paper
describes two protocols for combining cryptographic authentication tech-
niques with known methods of accelerometer data analysis to the effect
of generating authenticated, secret keys. The protocols differ in their de-
sign, one being more conservative from a security point of view, while
the other allows more dynamic interactions. Three experiments are used
to optimize and validate our proposed authentication method.
1 Introduction
Applications envisioned for ubiquitous computing build upon spontaneous inter-
action of devices, such that a device can make serendipitous use of the services
provided by peer devices that may not be known a priori. In many scenarios,
it will be desirable to verify and secure spontaneous interactions in order to as-
certain that devices become paired as intended and protected against attacks
on their wireless link. In a managed network environment, device-to-device au-
thentication would be based on prior knowledge of each other or access to a
trusted third party, but neither can be assumed to be available in wireless ad
hoc networks for ubiquitous computing. As a consequence, secure device pairing
requires the user to be in the loop, for example to enter a shared secret such
as a PIN code into both devices. A challenge is to find mechanisms for users to
pair devices that are not only secure but also scale well for use in ubiquitous
computing. Specific challenges are that devices will, in many cases, be too small
to reasonably include key pads and displays, and that required user attention
must be minimal to be acceptable for spontaneous and short-lived interactions.
Pairing of a mobile phone with a headset for interaction over a wireless chan-
nel is a familiar example: we would like to achieve such interaction in a spon-
taneous manner (i.e. not requiring pre-configuration of phone and headset for
each other) but also ensure that it is secure. The wireless communication chan-
nel between the devices is susceptible to attacks ranging from eavesdropping to
A. LaMarca et al. (Eds.): Pervasive 2007, LNCS 4480, pp. 144–161, 2007.
c
Springer-Verlag Berlin Heidelberg 2007
Shake Well Before Use: Authentication Based on Accelerometer Data 145
man-in-the-middle (MITM). If an attacker were successful in establishing them-
selves between, in this case, phone and headset, during the pairing process, then
they would obtain complete control over all phone calls. To safeguard against
such attacks, a so-called out-of-band channel is used during pairing in order to
authenticate communication over the primary channel. The out-of-band channel
must be limited such that it is user-controllable that only the intended devices
can communicate over it for the purposes of authentication. Note that authen-
tication and the subsequent pairing can be anonymous or “ephemeral” [1], i.e.
based on information only shared over the out-of-band-channel rather than ac-
tual device identities.
In this paper we contribute a method for device-to-device authentication that
is based on shared movement patterns which a user can simply generate by
shaking devices together. Using embedded accelerometers, devices can recognize
correlation of their movement and use movement patterns for authentication.
From a user perspective, jointly shaking is a simple technique for associating
devices [2]. In our method, it simultaneously serves as out-of-band mechanism.
Shaking has a number of characteristics on which we can build for our purposes:
– It is intuitive. People are familiar with shaking objects as manual interaction
that does not require learning, for instance from shaking of medicine, or
musical instruments. This means that shaking is unobtrusive in the sense
that it does not require the user’s full attention while being performed.
– It is vigorous. While there are many motion patterns that could be per-
formed with two devices, shaking tends to produce the highest continuous
acceleration values. While bouncing will produce larger accelerations, they
only occur as short spikes. Shaking provides acceleration larger than most
activities – and can thus be detected by simple thresholding – for as long as
necessary to pair devices (and as long as the user will not get tired).
– It is varying. As we will show below in our first experiment (in section 7.1),
the activity of shaking can be surprisingly different for different people. We
do not use shaking patterns as identification, but still benefit from large
differences in acceleration values, because this generates high entropy from
an attacker’s point of view.
It is important to note that users do not have to follow a particular pattern of
shaking but that they can shake as they like; we do not attempt to identify people
by their shaking patterns, but use it as a source of shared device movement.
We contribute two protocols that combine cryptographic primitives with ac-
celerometer data analysis to establish secure wireless channels by creating au-
thenticated secret keys. The two protocols achieve this aim differently: the first
is based on Diffie-Hellman key agreement and authentication of this key, uses a
conservative and better known design, provides better security and allows more
flexibility in comparing accelerometer time series; the second generates crypto-
graphic key material directly out of accelerometer data streams, is computation-
ally less expensive and thus easier to implement on resource limited devices, and
allows more dynamic interactions and group authentication.
146 R. Mayrhofer and H. Gellersen
Both protocols use standard techniques of sensor data processing and time
series analysis: sampling, alignment, and feature extraction. After extracting
appropriate features, our cryptographic protocols ensure that authentication is
only possible if both devices have access to the same feature values. Specifi-
cally, they protect against MITM attacks on the wireless communication chan-
nel by using additional information gathered from the extracted features. This
approach is general, so that other sensors than accelerometers can be used with
similar methods, apart from changes in domain-specific heuristics. Sensor-based
authentication offers potential benefits to small, mobile devices that communi-
cate wirelessly and do not have traditional user interfaces. Examples are mobile
phones, smarts cards, key fobs, and generally accessories like headsets, watches,
or glasses.
2 Related Work
First concepts on secure device pairing suggested direct electrical contact [3],
while other suggestions to implement an out-of-band channel include a “physical
interlock” and the “Harmony” protocol [4], ultrasound [5], visual markers and
cameras [6], audio messages [7], the GSM short message service (SMS) [8], key
comparison, distance bounding and integrity codes [9], or manual input [10,1].
The DH-DB protocol proposed in [9] might also be applicable to an interac-
tive challenge-response scheme based on sensor data such as accelerometer data.
These approaches, with the exception of using camera phones, have in common
that they scale poorly from a user point of view. That is, they tend to be ob-
trusive and require the user’s attention. In our approach, we implement a low
bandwidth private channel over similar accelerometer readings, and use it for
authenticating a device pairing.
The idea of shaking two (or multiple) devices together to pair them has first
been described as “Smart-Its Friends” [2]. We use the same interaction technique
but extend it to include secure authentication. Castelluccia and Mutaf presented
a protocol for pairing CPU-constrained wireless devices under the assumption
of anonymous broadcast channels [11]. To achieve this property of source indis-
tinguishability, they argue that devices engaging in this authentication protocol
should be shaken and rotated randomly around each other. This shaking serves
to prevent signal strength analysis, but is, in contrast to our work, not used
directly as input to the authentication protocol. Hinckley presented an imple-
mentation of “synchronous gestures” [12] as a means of user interaction. By
correlating accelerometer time series on devices connected via WLAN, bumping
them together or tilting them can be detected and used as user input. Bumping
is one possible user interaction for starting the pairing process, i.e. a trigger
for our authentication method. Another closely related work was presented by
Lester et al. [13] and describes how to determine if two devices are carried by
the same person.
Shake Well Before Use: Authentication Based on Accelerometer Data 147
3 Design of the Acceleration-Based Pairing Method
Figure 1 shows our architecture for authenticating device pairings with shaking
patterns. Both protocols make use of the same three pre-processing tasks 1 to 3.
They are executed locally on each device and result in “active” time series seg-
ments of equidistant samples. Our two protocols differ in tasks 4 and 5, which
can both be interactive, i.e. communicate with the remote device to which the
pairing is in process.
For protocol 1, tasks 4.1 and 5.1 are actually executed in parallel: after gen-
erating a secret key with standard Diffie-Hellman (DH) key agreement (which is
the first phase of task 5.1), the devices exchange their time series segments via an
interlock protocol. Then they compare their locally generated segment with the
one received from the remote device to check if they are similar enough. If they
pass this check, the second phase of task 5.1 derives the secret session key that
will be used for consecutive secure communication. This design is conservative
from a security point of view and, due to the non-interactive feature extraction
and comparison, allows the devices to use different means of verification. The
disadvantage of splitting task 5.1 into two phases is potentially a larger delay for
authentication, and the disadvantage of using DH is higher computational load.
Protocol 2 executes its tasks 4.2 and 5.2 in order: discrete (in contrast to
the real-valued samples) feature vectors are extracted in task 4.2, which act as
input to the interactive key agreement in task 5.2. This is an iterative process.
In each time step, feature vectors generated by 4.2 are checked for matches in
task 5.2. After sufficient iterations, a secret shared key can be generated out of
the collected matching feature vectors in task 5.2. This design has the advantages
of more dynamic key agreement, with devices being able to “tune into” other
device’s key streams, and of being less computationally expensive. On the other
hand, it does not provide forward secrecy and protection against offline attacks
as protocol 1 does, and is more unconventional and thus less well studied from
a security point of view.
For both protocols, there is a trade-off between usability and security that can
be exploited by applications and users depending on their requirements. Tasks 4
and 5 are described in more detail in sections 5 and 6, respectively.
sensor data
acquisition
temporal
alignment
spatial
alignment
local processing
feature
extraction
key
generation
interactive
authenticate
d
shared
secret key
remote device
key
generation
feature
extraction
task 1 task 2 task 3
task 4.2 task 5.2
task 4.1 task 5.1
Fig. 1. Architecture for both authentication protocols
148 R. Mayrhofer and H. Gellersen
4 Pre-processing of Accelerometer Data
The three pre-processing tasks, executed as consecutive steps, are used to sample
and segment the sensor data so that feature extraction can build on normalized
time series.
Task 1: Sensor data acquisition. This first task is conceptually straight forward,
but requires careful implementation. Sensor data is assumed to be available in
the form of time series of acceleration values in all three dimensions, sampled at
equidistant time steps. These must be taken locally and not be communicated
wirelessly — for security purposes, it is critical not to leak any of this raw data,
which can be difficult considering the possibility of powerful side-channel attacks
(see e.g. [14]). Our practical experience shows a sample rate between 100 and
600 Hz to be appropriate.
Task 2: Temporal alignment. As the two devices sample accelerometer time
series independently in task 1, we require temporal synchronization for compar-
ison. We assume that devices are equipped with sufficiently accurate real-time
clocks, so that differences in sampling rates and drift will not be issues. This
reduces temporal alignment from an arbitrarily complex problem to triggering
the authentication procedure and to synchronizing the starting points for time
series comparison.
Triggering can be explicit by direct user input, e.g. pressing an “authenticate
now” button on both devices within a short time frame or bumping both devices
against the table or each other, or implicit, simply by starting to shake both
devices. We prefer the second protocol due to its ease of use, although it is more
difficult to implement. Synchronization can be at a sample level, i.e. within less
than half the sample width, or at an event level, i.e. based on the onset of detected
(explicit or implicit) events with the respective device. We use the latter, because
it does not require time synchronization between the devices — shaking events
can be detected locally at each device without communication, which is beneficial
from a security point of view.
For both triggering and synchronization, we detect motion and align those
parts of the time series where shaking is detected, which we call active segments,
by their start times. Segments are considered active when the variance of a sliding
window exceeds a threshold. Practical experiments show good results at a sample
rate between f = [128; 512] Hz with a sliding window of v = f/2 samples, i.e.
1/2 second, and a variance threshold around T
σ
= 750.
Task 3: Spatial alignment. Shaking is inherently a three-dimensional movement.
In addition to the need to capture all three dimensions, the alignment between the
two devices is unknown. This means that the three dimensions recorded by the two
devices will not be aligned, which is a hard problem in itself. Lukowicz et al. de-
scribe how to calibrate three-dimensional accelerometers without user interaction
during stable periods [15]. However, since we are interested in the active phases and
