Blinded and confused: uncovering systemic flaws in device telemetry for smart-home internet of things

The always-on, always-connected nature of smart home devices complicates Internet-of-Things (IoT) security and privacy. Unlike traditional hosts, IoT devices constantly send sensor, state, and heartbeat data to cloud-based servers. These data channels require reliable, routine communication, which is often at odds with an IoT device's storage and power constraints. Although recent efforts such as pervasive encryption have addressed protecting data in transit, there remains little insight into designing mechanisms for protecting integrity and availability for always-connected devices. This paper seeks to better understand smart home device security by studying the vendor design decisions surrounding IoT telemetry messaging protocols, specifically, the behaviors taken when an IoT device loses connectivity. To understand this, we hypothesize and evaluate sensor blinding and state confusion attacks, measuring their effectiveness against an array of smart home IoT device types. Our analysis uncovers pervasive failure in designing telemetry that reports data to the cloud, and buffering that fails to properly cache undelivered data. We uncover that 22 of 24 studied devices suffer from critical design flaws that (1) enable attacks to transparently disrupt the reporting of device status alerts or (2) prevent the uploading of content integral to the device's core functionality. We conclude by considering the implications of these findings and offer directions for future defense. While the state of the art is rife with implementation flaws, there are several countermeasures IoT vendors could take to reduce their exposure to attacks of this nature.
