// Research

Internet-of-Things

Zero-involvement pairing and authentication for the Internet of Things.

What we work on

A typical home, office, or factory floor now has dozens of small networked devices, speakers, sensors, locks, lights, gateways. Most have no keyboard, no screen, no good way to ask the user for a password. Traditional pairing flows (type the PIN on both devices, scan a QR code, log in to an app) don’t scale and erode security in practice.

The lab develops zero-involvement pairing and authentication (ZIPA): co-located devices independently observe the same physical environment, extract a shared key from it, and authenticate one another without any human action. We design new entropy sources, study the information-theoretic limits of context-based key extraction, and build threat models that capture real-world attacks against these systems.

01

Harvest

Devices passively sample a co-located physical signal, power-line noise, audio, EM, motion.

02

Distill

An online randomness distiller converts the noisy signal into a high-quality cryptographic key.

03

Reconcile

Lightweight reconciliation handles small disagreements without leaking the key over a public channel.

Selected systems

• VoltKey, continuous shared-key generation from local power-line noise. Deployable as a USB-power add-on.
• Moonshine, online randomness distiller that nearly doubles NIST-test key quality from environmental sources.
• SyncBleed → TREVOR, first realistic attack on ZIPA’s synchronization channel, plus a sync-free defense.
• DESTION’24 attack, first successful signal-injection attack on a popular ZIPA algorithm.

Publications in this area

• 

  Not-so-Secret Authentication: The SyncBleed Attacks and Defenses for Zero-Involvement Authentication Systems

  Isaac Ahlgren, Rushikesh Shirsat, Omar Achkar, George K. Thiruvathukal, Kyu In Lee, Neil Klingensmith

  IEEE International Conference on Cyber Security and Resilience (CSR) · 2025

  PDF DOI
• 

  A Signal Injection Attack Against Zero Involvement Pairing and Authentication for the Internet of Things

  Isaac Ahlgren, Jack West, Kyuin Lee, George K. Thiruvathukal, Neil Klingensmith

  ACM/IEEE Workshop on Design Automation for CPS and IoT (DESTION) · 2024

  PDF DOI
• 

  Secure, Usable and Practical Authentication for the Internet of Things

  Kyuin Lee

  PhD Dissertation, University of Wisconsin-Madison · 2022

  PDF DOI
• 

  AeroKey: Using Ambient Electromagnetic Radiation for Secure and Usable Wireless Device Authentication

  Kyuin Lee, Yucheng Yang, Omkar Prabhune, Aishwarya Lekshmi Chithra, Jack West, Kassem Fawaz, Neil Klingensmith, Suman Banerjee, Younghyun Kim

  Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) · 2022

  PDF DOI
• 

  Moonshine: An Online Randomness Distiller for Zero-Involvement Authentication

  Jack West, Kyuin Lee, Suman Banerjee, Younghyun Kim, George K. Thiruvathukal, Neil Klingensmith

  ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN) · 2021

  PDF DOI
• 

  Balancing Security and Usability of Zero-interaction Pairing and Authentication for the Internet-of-Things

  Kyuin Lee, Younghyun Kim

  ACM Workshop on CPS & IoT Security and Privacy (CPSIoTSec) · 2021

  PDF DOI
• 

  VoltKey: Continuous Secret Key Generation Based on Power Line Noise for Zero-Involvement Pairing and Authentication

  Kyuin Lee, Neil Klingensmith, Suman Banerjee, Younghyun Kim

  Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) · 2019

  PDF DOI

← All research