Informing the Design of Privacy-Empowering Tools for the Connected Home

Connected devices in the home represent a potentially grave new privacy threat due to their unfettered access to the most personal spaces in people's lives. Prior work has shown that despite concerns about such devices, people often lack sufficient awareness, understanding, or means of taking effective action. To explore the potential for new tools that support such needs directly we developed Aretha, a privacy assistant technology probe that combines a network disaggregator, personal tutor, and firewall, to empower end-users with both the knowledge and mechanisms to control disclosures from their homes. We deployed Aretha in three households over six weeks, with the aim of understanding how this combination of capabilities might enable users to gain awareness of data disclosures by their devices, form educated privacy preferences, and to block unwanted data flows. The probe, with its novel affordances-and its limitations-prompted users to co-adapt, finding new control mechanisms and suggesting new approaches to address the challenge of regaining privacy in the connected home.Comment: 10 pages, 2 figures. To appear in the Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI '20

Online Identification of Last-Mile Throughput Bottlenecks on Home Routers

Supervisors: Renata Teixeira (Inria) , Promethee Spathis (UPMC)Advisors: Anna-Kaisa Pietilainen (Inria) , Srikanth Sundaresan (Samsara Networks/ICSI), Nick Feamster (Princeton University)International audienceWe develop a system that runs online on commodity home routers to locate last-mile throughput bottlenecks to the home wireless network or the access ISP. Pinpointing whether the home wireless or the access ISP bottlenecks Internet through-put is valuable for home users who want to better troubleshoot their Internet experience; for access ISPs that receive numerous calls from frustrated home customers; and for informing the debate on regulating the residential broadband market. Developing such a system is challenging because commodity home routers have limited resources. The main contribution of this thesis is to develop a last-mile throughput bottleneck detection algorithm that relies solely on lightweight metrics available in commodity home routers. Our evaluation shows that our system accurately locates last-mile bottlenecks on commodity home routers with little performance degradation

Cooperative Energy-efficient Management of Federated WiFi Networks

The proliferation of overlapping, always-on IEEE 802.11 access points (APs) in urban areas, can cause inefficient bandwidth usage and energy waste. Cooperation among APs could address these problems by allowing underused devices to hand over their wireless stations to nearby APs and temporarily switch off, while avoiding to overload a BSS and thus offloading congested APs. The federated house model provides an appealing backdrop to implement cooperation among APs. In this paper, we outline a distributed framework that assumes the presence of a multipurpose gateway with AP capabilities in every household. Our framework allows cooperation through the monitoring of local wireless resources and the triggering of offloading requests toward other federated gateways. Our simulation results show that, in realistic residential settings, the proposed framework yields an energy saving between 45 and 86 percent under typical usage patterns, while avoiding congestion and meeting user expectations in terms of throughput. Furthermore, we show the feasibility and the benefits of our framework with a real test-bed deployed on commodity hardware

Tracking the Evolution and Diversity in Network Usage of Smartphones

ABSTRACT We analyze the evolution of smartphone usage from a dataset obtained from three, 15-day-long, user-side, measurements with over 1500 recruited smartphone users in the Greater Tokyo area from 2013 to 2015. This dataset shows users across a diverse range of networks; cellular access (3G to LTE), WiFi access (2.4 to 5GHz), deployment of more public WiFi access points (APs), as they use diverse applications such as video, file synchronization, and major software updates. Our analysis shows that smartphone users select appropriate network interfaces taking into account the deployment of emerging technologies, their bandwidth demand, and their economic constraints. Thus, users show diversity in both how much traffic they send, as well as on what networks they send it. We show that users are gradually but steadily adopting WiFi at home, in offices, and public spaces over these three years. The majority of light users have been shifting their traffic to WiFi. Heavy hitters acquire more bandwidth via WiFi, especially at home. The percentage of users explicitly turning off their WiFi interface during the day decreases from 50% to 40%. Our results highlight that the offloading environment has been improved during the three years, with more than 40% of WiFi users connecting to multiple WiFi APs in one day. WiFi offload at offices is still limited in our dataset due to a few accessible APs, but WiFi APs in public spaces have been an alternative to cellular access for users who request not only simple connectivity but also bandwidth-consuming applications such as video streaming and software updates. Categories and Subject Descriptors General Terms Measurement Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Understanding Home Networks with Lightweight Privacy-Preserving Passive Measurement

Homes are involved in a significant fraction of Internet traffic. However, meaningful and comprehensive information on the structure and use of home networks is still hard to obtain. The two main challenges in collecting such information are the lack of measurement infrastructure in the home network environment and individuals’ concerns about information privacy. To tackle these challenges, the dissertation introduces Home Network Flow Logger (HNFL) to bring lightweight privacy-preserving passive measurement to home networks. The core of HNFL is a Linux kernel module that runs on resource-constrained commodity home routers to collect network traffic data from raw packets. Unlike prior passive measurement tools, HNFL is shown to work without harming either data accuracy or router performance. This dissertation also includes a months-long field study to collect passive measurement data from home network gateways where network traffic is not mixed by NAT (Network Address Translation) in a non-intrusive way. The comprehensive data collected from over fifty households are analyzed to learn the characteristics of home networks such as number and distribution of connected devices, traffic distribution among internal devices, network availability, downlink/uplink bandwidth, data usage patterns, and application traffic distribution

Measuring Home Networks with HomeNet Profiler

Abstract This paper designs HomeNet Profiler, a software that runs on any computer connected inside a home network, to collect a wide range of measurements about home networks including the set of devices, the set of services (with UPnP and Zeroconf), and the characteristics of the WiFi environment. To attract a larger number of users, HomeNet Profiler runs one-shot measurements upon user demand. We evaluate this design choice against periodic measurements taken from six home networks. Data collected from these six homes and with HomeNet Profiler in more than 1,600 homes in France shed light on the diversity of devices that connect to home networks and of the WiFi neighborhood across home networks.

On the Edge of Secure Connectivity via Software-Defined Networking

Securing communication in computer networks has been an essential feature ever since the Internet, as we know it today, was started. One of the best known and most common methods for secure communication is to use a Virtual Private Network (VPN) solution, mainly operating with an IP security (IPsec) protocol suite originally published in 1995 (RFC1825). It is clear that the Internet, and networks in general, have changed dramatically since then. In particular, the onset of the Cloud and the Internet-of-Things (IoT) have placed new demands on secure networking. Even though the IPsec suite has been updated over the years, it is starting to reach the limits of its capabilities in its present form. Recent advances in networking have thrown up Software-Defined Networking (SDN), which decouples the control and data planes, and thus centralizes the network control. SDN provides arbitrary network topologies and elastic packet forwarding that have enabled useful innovations at the network level. This thesis studies SDN-powered VPN networking and explains the benefits of this combination. Even though the main context is the Cloud, the approaches described here are also valid for non-Cloud operation and are thus suitable for a variety of other use cases for both SMEs and large corporations. In addition to IPsec, open source TLS-based VPN (e.g. OpenVPN) solutions are often used to establish secure tunnels. Research shows that a full-mesh VPN network between multiple sites can be provided using OpenVPN and it can be utilized by SDN to create a seamless, resilient layer-2 overlay for multiple purposes, including the Cloud. However, such a VPN tunnel suffers from resiliency problems and cannot meet the increasing availability requirements. The network setup proposed here is similar to Software-Defined WAN (SD-WAN) solutions and is extremely useful for applications with strict requirements for resiliency and security, even if best-effort ISP is used. IPsec is still preferred over OpenVPN for some use cases, especially by smaller enterprises. Therefore, this research also examines the possibilities for high availability, load balancing, and faster operational speeds for IPsec. We present a novel approach involving the separation of the Internet Key Exchange (IKE) and the Encapsulation Security Payload (ESP) in SDN fashion to operate from separate devices. This allows central management for the IKE while several separate ESP devices can concentrate on the heavy processing. Initially, our research relied on software solutions for ESP processing. Despite the ingenuity of the architectural concept, and although it provided high availability and good load balancing, there was no anti-replay protection. Since anti-replay protection is vital for secure communication, another approach was required. It thus became clear that the ideal solution for such large IPsec tunneling would be to have a pool of fast ESP devices, but to confine the IKE operation to a single centralized device. This would obviate the need for load balancing but still allow high availability via the device pool. The focus of this research thus turned to the study of pure hardware solutions on an FPGA, and their feasibility and production readiness for application in the Cloud context. Our research shows that FPGA works fluently in an SDN network as a standalone IPsec accelerator for ESP packets. The proposed architecture has 10 Gbps throughput, yet the latency is less than 10 µs, meaning that this architecture is especially efficient for data center use and offers increased performance and latency requirements. The high demands of the network packet processing can be met using several different approaches, so this approach is not just limited to the topics presented in this thesis. Global network traffic is growing all the time, so the development of more efficient methods and devices is inevitable. The increasing number of IoT devices will result in a lot of network traffic utilising the Cloud infrastructures in the near future. Based on the latest research, once SDN and hardware acceleration have become fully integrated into the Cloud, the future for secure networking looks promising. SDN technology will open up a wide range of new possibilities for data forwarding, while hardware acceleration will satisfy the increased performance requirements. Although it still remains to be seen whether SDN can answer all the requirements for performance, high availability and resiliency, this thesis shows that it is a very competent technology, even though we have explored only a minor fraction of its capabilities