7 research outputs found

    A haystack full of needles: scalable detection of IoT devices in the wild

    Consumer Internet of Things (IoT) devices are extremely popular, providing users with rich and diverse functionalities, from voice assistants to home appliances. These functionalities often come with significant privacy and security risks, with notable recent large-scale coordinated global attacks disrupting large service providers. Thus, an important first step to address these risks is to know what IoT devices are where in a network. While some limited solutions exist, a key question is whether device discovery can be done by Internet service providers that only see sampled flow statistics. In particular, it is challenging for an ISP to efficiently and effectively track and trace activity from IoT devices deployed by its millions of subscribers, all with sampled network data. In this paper, we develop and evaluate a scalable methodology to accurately detect and monitor IoT devices at subscriber lines with limited, highly sampled data in-the-wild. Our findings indicate that millions of IoT devices are detectable and identifiable within hours, both at a major ISP as well as an IXP, using passive, sparsely sampled network flow headers. Our methodology is able to detect devices from more than 77% of the studied IoT manufacturers, including popular devices such as smart speakers. While our methodology is effective for providing network analytics, it also highlights significant privacy consequences

    On the Long-term Evolution of the Two-Tier Gnutella Overlay

    Abstract — Peer-to-Peer (P2P) file sharing applications have witnessed a dramatic increase in popularity during the past few years. To accommodate the rapid growth in user population, developers introduced new features in their client software, in particular a two-tier overlay topology. The effect of the two-tier overlay topology in a widely-deployed P2P system primarily depends on the availability and coherency of its implementations among participating clients throughout the system. This paper sheds some light on the long-term evolution of such a two-tier overlay topology in the Gnutella network during a 15-month period over which the system quadrupled in size, exceeding three million concurrent peers. Our results show two interesting phenomena including: (i) During this period, the two-tier overlay has repeatedly begun to lose its balance. However, proper modifications in major client software coupled with the rapid upgrade rate of users have enabled the developers to maintain the overlay’s desired properties. (ii) Despite its random connectivity, the Gnutella overlay exhibits a strong bias towards intra-continent connectivity, especially in continents with smaller user populations, that has not changed as the system scaled. I