Course:LIBR559A/Apthorpe, N., Reisman, D., & Feamster, N. (2017)

From UBC Wiki

Citation

Apthorpe, N., Reisman, D., & Feamster, N. (2017). A smart home is no castle: Privacy vulnerabilities of encrypted IoT traffic.

Annotation

This paper discusses how the network traffic of smart home/Internet of Things (IoT) devices can inadvertently broadcast sensitive information about their users. It looks at four devices:

  • Sense Sleep Monitor
  • Nest Security Camera
  • WeMo Switch
  • Amazon Echo

The authors created a “smart home” in a laboratory environment using the above devices and then performed traffic analysis by capturing packets mid-stream between the devices and their respective servers to see what information could be gleaned.

The authors note that although the traffic was encrypted end to end, the patterns of packet transmission themselves revealed potentially sensitive data. This included the technology owned (the device names themselves were often embedded into the packets), network infrastructure (what devices were connected together and in what modality), user behavior (whether the user was awake or asleep, whether or not the user was home, what kinds of interactions the users were having with their technology), and environmental factors in the home (whether or not movement is detected).
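The leak described above, worked through on constructed packet metadata (an added example, not code from the paper or from this annotation): timestamps and packet lengths alone show when a device was active, without reading any payload. The window size, threshold factor and sample traffic are made up, and the constant-rate padding step is an assumed safeguard included only to show the signal disappearing and what that costs in bandwidth.

```python
from statistics import median

# Constructed sample: (seconds since capture start, encrypted packet length in bytes)
# for one device flow. Payloads are never inspected.
def sample_capture():
    packets = []
    for t in range(0, 120):        # background keep-alive: one 90-byte packet per second
        packets.append((float(t), 90))
    for t in range(40, 50):        # constructed burst, e.g. a device reacting to an event
        for i in range(20):
            packets.append((t + i / 20, 1400))
    return sorted(packets)

def bytes_per_window(packets, window=10.0):
    """Bin packet lengths into fixed-size time windows; returns byte counts."""
    if not packets:
        return []
    series = [0] * (int(packets[-1][0] // window) + 1)
    for ts, length in packets:
        series[int(ts // window)] += length
    return series

def active_windows(series, factor=3.0):
    """Indices of windows whose volume exceeds factor x the median window."""
    if not series:
        return []
    baseline = max(median(series), 1)
    return [i for i, b in enumerate(series) if b > factor * baseline]

def pad_to_constant_rate(series):
    """Assumed safeguard: fill every window up to the peak volume with cover traffic."""
    peak = max(series, default=0)
    return [peak for _ in series]

def padding_overhead(series):
    """Extra bytes sent by the padded flow, as a fraction of the real traffic."""
    real = sum(series)
    return (sum(pad_to_constant_rate(series)) - real) / real if real else 0.0

if __name__ == "__main__":
    series = bytes_per_window(sample_capture())
    print("bytes per 10 s window:", series)
    print("windows that reveal activity:", active_windows(series))
    print("after padding:", active_windows(pad_to_constant_rate(series)))
    print("padding overhead: %.1fx the real traffic" % padding_overhead(series))
```

Running the same audit on a capture of your own devices' encrypted flows shows how much their traffic rate gives away, and the overhead figure shows why naive padding to the peak rate is expensive.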

Other information that could be gleaned from traffic analysis (although not mentioned in the paper) is a user’s wealth. IoT devices are often very expensive, and a potential adversary might decide whether or not to exploit a target based on their perceived wealth.

The limits of the paper include the fact that the researchers only looked at web traffic, specifically over Wi-Fi/HTTP protocols, and only performed traffic analysis. Some IoT devices, such as Philips Hue lightbulbs, communicate using PAN/Zigbee protocols, which could be exploited to determine a house’s layout and give a finer resolution of where a person is located within their home.

Given the ever-increasing prevalence of IoT devices in people’s homes, research like this is invaluable for raising awareness of the compromises to privacy that go hand in hand with the use of internet-connected devices. It should also be used by device manufacturers to help safeguard against privacy breaches.


Page Author: Peter Musser