1,778 research outputs found
Peek-a-Boo: I see your smart home activities, even encrypted!
A myriad of IoT devices such as bulbs, switches, speakers in a smart home
environment allow users to easily control the physical world around them and
facilitate their living styles through the sensors already embedded in these
devices. Sensor data contains a lot of sensitive information about the user and
devices. However, an attacker inside or near a smart home environment can
potentially exploit the innate wireless medium used by these devices to
exfiltrate sensitive information from the encrypted payload (i.e., sensor data)
about the users and their activities, invading user privacy. With this in
mind,in this work, we introduce a novel multi-stage privacy attack against user
privacy in a smart environment. It is realized utilizing state-of-the-art
machine-learning approaches for detecting and identifying the types of IoT
devices, their states, and ongoing user activities in a cascading style by only
passively sniffing the network traffic from smart home devices and sensors. The
attack effectively works on both encrypted and unencrypted communications. We
evaluate the efficiency of the attack with real measurements from an extensive
set of popular off-the-shelf smart home IoT devices utilizing a set of diverse
network protocols like WiFi, ZigBee, and BLE. Our results show that an
adversary passively sniffing the traffic can achieve very high accuracy (above
90%) in identifying the state and actions of targeted smart home devices and
their users. To protect against this privacy leakage, we also propose a
countermeasure based on generating spoofed traffic to hide the device states
and demonstrate that it provides better protection than existing solutions.Comment: Update (May 13, 2020): This is the author's version of the work. It
is posted here for your personal use. Not for redistribution. The definitive
Version of Record was published in the 13th ACM Conference on Security and
Privacy in Wireless and Mobile Networks (WiSec '20), July 8-10, 2020, Linz
(Virtual Event), Austria, https://doi.org/10.1145/3395351.339942
Securing Cyber-Physical Social Interactions on Wrist-worn Devices
Since ancient Greece, handshaking has been commonly practiced between two people as a friendly gesture to express trust and respect, or form a mutual agreement. In this article, we show that such physical contact can be used to bootstrap secure cyber contact between the smart devices worn by users. The key observation is that during handshaking, although belonged to two different users, the two hands involved in the shaking events are often rigidly connected, and therefore exhibit very similar motion patterns. We propose a novel key generation system, which harvests motion data during user handshaking from the wrist-worn smart devices such as smartwatches or fitness bands, and exploits the matching motion patterns to generate symmetric keys on both parties. The generated keys can be then used to establish a secure communication channel for exchanging data between devices. This provides a much more natural and user-friendly alternative for many applications, e.g., exchanging/sharing contact details, friending on social networks, or even making payments, since it doesn’t involve extra bespoke hardware, nor require the users to perform pre-defined gestures. We implement the proposed key generation system on off-the-shelf smartwatches, and extensive evaluation shows that it can reliably generate 128-bit symmetric keys just after around 1s of handshaking (with success rate >99%), and is resilient to different types of attacks including impersonate mimicking attacks, impersonate passive attacks, or eavesdropping attacks. Specifically, for real-time impersonate mimicking attacks, in our experiments, the Equal Error Rate (EER) is only 1.6% on average. We also show that the proposed key generation system can be extremely lightweight and is able to run in-situ on the resource-constrained smartwatches without incurring excessive resource consumption
CryptoKnight:generating and modelling compiled cryptographic primitives
Cryptovirological augmentations present an immediate, incomparable threat. Over the last decade, the substantial proliferation of crypto-ransomware has had widespread consequences for consumers and organisations alike. Established preventive measures perform well, however, the problem has not ceased. Reverse engineering potentially malicious software is a cumbersome task due to platform eccentricities and obfuscated transmutation mechanisms, hence requiring smarter, more efficient detection strategies. The following manuscript presents a novel approach for the classification of cryptographic primitives in compiled binary executables using deep learning. The model blueprint, a Dynamic Convolutional Neural Network (DCNN), is fittingly configured to learn from variable-length control flow diagnostics output from a dynamic trace. To rival the size and variability of equivalent datasets, and to adequately train our model without risking adverse exposure, a methodology for the procedural generation of synthetic cryptographic binaries is defined, using core primitives from OpenSSL with multivariate obfuscation, to draw a vastly scalable distribution. The library, CryptoKnight, rendered an algorithmic pool of AES, RC4, Blowfish, MD5 and RSA to synthesise combinable variants which automatically fed into its core model. Converging at 96% accuracy, CryptoKnight was successfully able to classify the sample pool with minimal loss and correctly identified the algorithm in a real-world crypto-ransomware applicatio
An IoT Endpoint System-on-Chip for Secure and Energy-Efficient Near-Sensor Analytics
Near-sensor data analytics is a promising direction for IoT endpoints, as it
minimizes energy spent on communication and reduces network load - but it also
poses security concerns, as valuable data is stored or sent over the network at
various stages of the analytics pipeline. Using encryption to protect sensitive
data at the boundary of the on-chip analytics engine is a way to address data
security issues. To cope with the combined workload of analytics and encryption
in a tight power envelope, we propose Fulmine, a System-on-Chip based on a
tightly-coupled multi-core cluster augmented with specialized blocks for
compute-intensive data processing and encryption functions, supporting software
programmability for regular computing tasks. The Fulmine SoC, fabricated in
65nm technology, consumes less than 20mW on average at 0.8V achieving an
efficiency of up to 70pJ/B in encryption, 50pJ/px in convolution, or up to
25MIPS/mW in software. As a strong argument for real-life flexible application
of our platform, we show experimental results for three secure analytics use
cases: secure autonomous aerial surveillance with a state-of-the-art deep CNN
consuming 3.16pJ per equivalent RISC op; local CNN-based face detection with
secured remote recognition in 5.74pJ/op; and seizure detection with encrypted
data collection from EEG within 12.7pJ/op.Comment: 15 pages, 12 figures, accepted for publication to the IEEE
Transactions on Circuits and Systems - I: Regular Paper
- …