Side channel attacks on smart home systems: A short overview
This paper provides an overview on side-channel attacks with emphasis on vulnerabilities in the smart home. Smart homes are enabled by the latest developments in sensors, communication technologies, internet protocols, and cloud services. The goal of a smart home is to have smart household devices collaborate without involvement of residents to deliver the variety of services needed for a higher quality of life. However, security and privacy challenges of smart homes have to be overcome in order to fully realize the smart home. Side channel attacks assume data is always leaking, and leakage of data from a smart home reveals sensitive information. This paper starts by reviewing side-channel attack categories, then it gives an overview on recent attack studies on different layers of a smart home and their malicious goals
Peek-a-Boo: I see your smart home activities, even encrypted!
A myriad of IoT devices such as bulbs, switches, speakers in a smart home
environment allow users to easily control the physical world around them and
facilitate their living styles through the sensors already embedded in these
devices. Sensor data contains a lot of sensitive information about the user and
devices. However, an attacker inside or near a smart home environment can
potentially exploit the innate wireless medium used by these devices to
exfiltrate sensitive information from the encrypted payload (i.e., sensor data)
about the users and their activities, invading user privacy. With this in
mind, in this work, we introduce a novel multi-stage privacy attack against user
privacy in a smart environment. It is realized utilizing state-of-the-art
machine-learning approaches for detecting and identifying the types of IoT
devices, their states, and ongoing user activities in a cascading style by only
passively sniffing the network traffic from smart home devices and sensors. The
attack effectively works on both encrypted and unencrypted communications. We
evaluate the efficiency of the attack with real measurements from an extensive
set of popular off-the-shelf smart home IoT devices utilizing a set of diverse
network protocols like WiFi, ZigBee, and BLE. Our results show that an
adversary passively sniffing the traffic can achieve very high accuracy (above
90%) in identifying the state and actions of targeted smart home devices and
their users. To protect against this privacy leakage, we also propose a
countermeasure based on generating spoofed traffic to hide the device states
and demonstrate that it provides better protection than existing solutions.
Comment: Update (May 13, 2020): This is the author's version of the work. It
is posted here for your personal use. Not for redistribution. The definitive
Version of Record was published in the 13th ACM Conference on Security and
Privacy in Wireless and Mobile Networks (WiSec '20), July 8-10, 2020, Linz
(Virtual Event), Austria, https://doi.org/10.1145/3395351.339942
Cleartext Data Transmissions in Consumer IoT Medical Devices
This paper introduces a method to capture network traffic from medical IoT
devices and automatically detect cleartext information that may reveal
sensitive medical conditions and behaviors. The research follows a three-step
approach involving traffic collection, cleartext detection, and metadata
analysis. We analyze four popular consumer medical IoT devices, including one
smart medical device that leaks sensitive health information in cleartext. We
also present a traffic capture and analysis system that seamlessly integrates
with a home network and offers a user-friendly interface for consumers to
monitor and visualize data transmissions of IoT devices in their homes.
Comment: 6 pages, 5 figure
Your Privilege Gives Your Privacy Away: An Analysis of a Home Security Camera Service
Once considered a luxury, Home Security Cameras
(HSCs) are now commonplace and constitute a growing part
of the wider online video ecosystem. This paper argues that
their expanding coverage and close integration with daily life
may result in not only unique behavioral patterns, but also
key privacy concerns. This motivates us to perform a detailed
measurement study of a major HSC provider, covering 15.4M
streams and 211K users. Our study takes two perspectives:
(i) we explore the per-user behaviour, identifying core clusters of
users; and (ii) we build on this analysis to extract and predict
privacy-compromising insight. Key observations include a highly
asymmetrical traffic distribution, distinct usage patterns, wasted
resources and fixed viewing locations. Furthermore, we identify
three privacy risks and explore them in detail. We find that paid
users are more likely to be exposed to attacks due to their heavier
usage patterns. We conclude by proposing simple mitigations that
can alleviate these risk
A systematic review of crime facilitated by the consumer Internet of Things
The nature of crime is changing — estimates suggest that at least half of all crime is now committed online. Once everyday objects (e.g. televisions, baby monitors, door locks) that are now internet connected, collectively referred to as the Internet of Things (IoT), have the potential to transform society, but this increase in connectivity may generate new crime opportunities. Here, we conducted a systematic review to inform understanding of these risks. We identify a number of high-level mechanisms through which offenders may exploit the consumer IoT including profiling, physical access control and the control of device audio/visual outputs. The types of crimes identified that could be facilitated by the IoT were wide ranging and included burglary, stalking, and sex crimes through to state level crimes including political subjugation. Our review suggests that the IoT presents substantial new opportunities for offending and intervention is needed now to prevent an IoT crime harvest
Synergy: An Energy Monitoring and Visualization System
The key to becoming a more sustainable society is first learning to take responsibility for the role we play in energy consumption. Real-time energy usage gives energy consumers a sense of responsibility over what they can do to accomplish a much larger goal for the planet, and practically speaking, what they can do to lower the cost to their wallets. Synergy is an energy monitoring and visualization system that enables users to gather information about the energy consumption in a building – small or large – and display that data for the user in real-time. The gathered energy usage data is processed on the edge before being stored in the cloud. The two main benefits of edge processing are issuing electricity hazard warnings immediately and preserving user privacy. In addition to being a scalable solution that is intended for use in individual households, commercial offices and city power grids, Synergy is open-source so that it can be implemented more widely. This paper contains a system overview as well as initial findings based on the data collected by Synergy before assessing the impact the system can have on society
IoTBeholder: A Privacy Snooping Attack on User Habitual Behaviors from Smart Home Wi-Fi Traffic
With the deployment of a growing number of smart home IoT devices, privacy leakage has become a growing concern. Prior work on privacy-invasive device localization, classification, and activity identification has proven the existence of various privacy leakage risks in smart home environments. However, they only demonstrate limited threats in real world due to many impractical assumptions, such as having privileged access to the user's home network. In this paper, we identify a new end-to-end attack surface using IoTBeholder, a system that performs device localization, classification, and user activity identification. IoTBeholder can be easily run and replicated on commercial off-the-shelf (COTS) devices such as mobile phones or personal computers, enabling attackers to infer user's habitual behaviors from smart home Wi-Fi traffic alone. We set up a testbed with 23 IoT devices for evaluation in the real world. The result shows that IoTBeholder has good device classification and device activity identification performance. In addition, IoTBeholder can infer the users' habitual behaviors and automation rules with high accuracy and interpretability. It can even accurately predict the users' future actions, highlighting a significant threat to user privacy that IoT vendors and users should highly concern
Characterising Usage Patterns and Privacy Risks of a Home Security Camera Service
Home security cameras (HSCs) are becoming increasingly important in protecting people's household property and caring for family members. As an emerging type of home IoT devices, HSCs are distinct from traditional IoT devices in that they are often installed in intimate places, detecting movements constantly. Such close integration with users' daily life may result in distinct user behavioral patterns and privacy concerns. To explore this, we perform a detailed measurement study based on a large-scale service log dataset from a major HSC service provider. Our analysis reveals unique usage patterns of HSCs, including significant wasted uploads, asymmetrical upload and download traffic, skewed user engagement, and limited watching locations. We further identify three types of privacy risks in current HSC services using both passive logs and active measurements. These risks can be exploited by attackers, through observing only the traffic rates of HSCs, to infer the working state of cameras and even the daily activity routine in places where the camera is installed. Moreover, we find the premium users who pay an extra fee are especially vulnerable to such privacy inferences. We propose countermeasures from the perspectives of susceptible users and HSC providers to mitigate the risks