DOI: 10.1145/3395351.3399421
research-article

Peek-a-boo: I see your smart home activities, even encrypted!

Published: 21 July 2020

ABSTRACT

A myriad of IoT devices such as bulbs, switches, speakers in a smart home environment allow users to easily control the physical world around them and facilitate their living styles through the sensors already embedded in these devices. Sensor data contains a lot of sensitive information about the user and devices. However, an attacker inside or near a smart home environment can potentially exploit the innate wireless medium used by these devices to exfiltrate sensitive information from the encrypted payload (i.e., sensor data) about the users and their activities, invading user privacy. With this in mind, in this work, we introduce a novel multi-stage privacy attack against user privacy in a smart environment. It is realized utilizing state-of-the-art machine-learning approaches for detecting and identifying the types of IoT devices, their states, and ongoing user activities in a cascading style by only passively sniffing the network traffic from smart home devices and sensors. The attack effectively works on both encrypted and unencrypted communications. We evaluate the efficiency of the attack with real measurements from an extensive set of popular off-the-shelf smart home IoT devices utilizing a set of diverse network protocols like WiFi, ZigBee, and BLE. Our results show that an adversary passively sniffing the traffic can achieve very high accuracy (above 90%) in identifying the state and actions of targeted smart home devices and their users. To protect against this privacy leakage, we also propose a countermeasure based on generating spoofed traffic to hide the device states and demonstrate that it provides better protection than existing solutions.


Published in: WiSec '20: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, July 2020, 366 pages

ISBN: 9781450380065

DOI: 10.1145/3395351

Copyright © 2020 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Overall Acceptance Rate: 98 of 338 submissions, 29%
