Floragasse 7 – 5th floor, 1040 Vienna

USENIX Conference 2021

August 11, 2021 - August 13, 2021
All day

Katharina Pfeffer (SBA Research) will present our new paper at USENIX 2021 this year!

On the Usability of Authenticity Checks for Hardware Security Tokens

by Katharina PfefferAlexandra MaiAdrian DabrowskiMatthias GusenbauerPhilipp SchindlerEdgar WeipplMichael Franz, and Katharina Krombholz 

Abstract

The final responsibility to verify whether a newly purchased hardware security token (HST) is authentic and unmodified lies with the end user. However, recently reported attacks on such tokens suggest that users cannot take the security guarantees of their HSTs for granted, even despite widely deployed authenticity checks. We present the first comprehensive market review evaluating the effectiveness and usability of authenticity checks for the most commonly used HSTs. Furthermore, we conducted a survey (n=194) to examine users’ perceptions and usage of these checks.

We found that due to a lack of transparency and information, users often do not carry out -or even are not aware of- essential checks but rely on less meaningful methods. Moreover, our results confirm that currently deployed authenticity checks suffer from improperly perceived effectiveness and cannot mitigate all variants of distribution attacks. Furthermore, some authenticity concepts of different manufacturers contradict each other. In order to address these challenges, we suggest (i) a combination of conventional and novel authenticity checks, and (ii) a user-centered, transparent design.

Speaker

About the conference

The 30th USENIX Security Symposium will be held as a virtual event on August 11–13, 2021. USENIX Security brings together researchers, practitioners, system administrators, system programmers, and others to share and explore the latest advances in the security and privacy of computer systems and networks.