LENTO: Unpredictable Latency-based continuous authEntication for Network inTensive IoT envirOnments

Started as a hyped technology a few years ago, IoT is now a reality providing sensing and computing capabilities from SCADA systems to households. At their core, IoT devices connect to the outside world to share sensed or computed data. However, the sensitivity and privacy of shared data has made access management a stringent need also for the IoT. In particular, continuous authentication could solve a few security issues, like session hijacking, via checking device legitimacy for each exchanged message and preventing attackers from pretending their actions came from authenticated devices. To date, device-to-device (D2D) continuous authentication still relies on tokens/certificates or devices' fingerprints such as battery levels or location. The cited solutions, while being not always implementable on resource constrained devices, provide low-entropy and thus sporting a non negligible probability of being guessable during impersonation attacks. In this paper, we overcome the above limitations with LENTO: unpredictable Latency-based continuous authEntication for Network inTensive IoT envirOnments. In addition to a thorough analysis, we also offer experimental validation of our proposal. We have deployed LENTO as an additional authentication module of the well-known NextCloud platform, and we have performed an extensive experimental campaign. Collected results confirm our working hypothesis. Network delays can be exploited as random seeds in continuous authentication protocols as they provide as much entropy as standard approaches. To the best of our knowledge, our approach is the first continuous authentication protocol relying purely on the network characteristics, regardless of the underneath computing base trustworthiness. Given the minimal overhead introduced by our solution, it provides continuous authentication even for those devices that cannot afford to run (defacto) standard protocols. As such, LENTO could be retrofitted, offering enhanced security to a plethora of nowadays unsecured devices.