My Retrospective Survey of IoT Security and Privacy Landscape as a Researcher

For the past 5-10 years, I have been looking into IoT security and privacy in my research. This short article serves as an retrospective look into the journey of understanding IoT security and privacy issues and improving the security and privacy aspects of the IoT devices.?

Inherent Security Vulnerabilities in IoT Devices?

IoT devices, especially the simpler ones, have been known to have security issues: they are vulnerable to attacks, e.g., malware attacks [1], vulnerabilities in the applications [2]. In my own research, I found vulnerabilities in many aspects of the IoT devices: these devices may lack basic security measures, such as authentication, encryption, and access control. As a result, they are potentially prone to malware and simple access attempts.

To address these issues, the research community has proposed a few techniques that may be used to improve the security aspects of IoT devices. First, network-based techniques have been proposed, either by introducing SDN-based technique to regulate the traffic and improve the network security [3], or by extracting security properties from IoT applications and instantiate security properties (e.g., firewalls, sandboxes, etc.) [4]. SDN-based techniques separate data and control planes (see Figure 1): security measures can be properly enforced through the control plane. Figure 1 shows how each device may have a different role (e.g., admin, guest, etc.) and how the controller regulates the flow of traffic between the devices. In certain situations, however, this may not be lightweight enough for low-power IoT devices: simple firewalls and sandboxes may be more appropriate to segregate IoT network traffic and isolate the devices and applications.

The firewall and sandbox-based solutions are explored in my own research work, Vigilia [4]. Figure 2 shows an application of an irrigation application that is run on Vigilia. Vigilia extracts the security properties from the application components to install firewall rules and instantiate sandboxes. In short, firewall rules and sandboxes are placed to enforce access control in every component. For example, the moisture sensor device driver can only communicate with its designated moisture sensors and it should not be allowed to communicate with other devices and application components. However, while this is simpler than having an SDN controller, the firewall rules and sandboxes are not updated dynamically over time.?

Takeaways?

IoT devices have inherent vulnerabilities because many vendors neglect properly implementing basic security measures. Thus, the research community suggests that we shift the responsibility for security to the network, either with something like an SDN-based approach or simple firewalls/sandboxes. While SDN-based approaches are more adaptive and can be managed more easily, it is not as lightweight as simple firewalls/sandboxes. Going forward, solutions that are both lightweight and adaptive may be favorable.?

Security and Privacy Issues in IoT Network Traffic?

In addition to the inherent vulnerabilities in the devices, the research community has also investigated the network traffic of IoT devices. Primarily, the vulnerabilities in the devices contribute to various security and privacy issues in network traffic. One non-trivial issue that has both security and privacy flavors is information leakage through the metadata of the network traffic of IoT devices.

A huge amount of research has been dedicated to investigating IoT network traffic. The research community has investigated using many traffic features [5], or targeting selected features [6][7][8]. For example, the authors of [5] combined close to 200 traffic features and reported 90% accuracy. On the other hand, HomeSnitch [7] and PingPong [8] used the statistics and metadata of the client-server communication packets, either aggregately in HomeSnitch or individually in PingPong (i.e., individual packet lengths and directions in sequences of packets, see Figure 3). Orthogonally, Homonit [5] investigated traffic features of low-power device protocols, e.g., Zigbee/Z-Wave (see Figure 4). In general, this body of work has confirmed that one can analyze the features of the network traffic to understand the activity (i.e., events) of IoT devices, such as when the devices turn on or off. This understanding has both security and privacy implications. On the security side, understanding the device activity may give an opportunity to attackers to find more vulnerabilities to exploit as they understand better how the device operates. On the privacy side, the attackers can simply observe the network traffic to understand the device activity to infer the activity of the users [5]. One concerning thing is that this technique even works on home security devices, such as Ring smart home security system. This technique allows us to infer whether the security system is turned on or off [8]: this is a huge security and privacy risk to homeowners.

The research community has also investigated using similar techniques to understand the activity of more complex systems, such as smart TV [9] and smart speaker [10] applications. In addition, some early effort has also been performed in VR devices [11][12]. However, in addition to the issues that we have discussed, more complex devices also present more privacy risks as these devices perform data collection on their users, similar to what happens with mobile devices and their applications.?

Takeaways?

IoT devices, including more complex devices like smart TV, smart speaker, and VR devices, have security and privacy implications in network traffic due to its inherent characteristic that most devices have simple traffic profiles. Attackers can infer information about their activity by analyzing the content of the traffic or its metadata if the traffic is encrypted, and use the inferred information for malicious purposes.??

What’s Next??

Compared to general purpose computing devices, IoT devices are also network-connecting computing devices, but they are simpler and have limited functionality. The latter fact has created a tendency for vendors to neglect deploying basic security and privacy measures appropriately. One recommendation is to establish common protocols for IoT device security and privacy, e.g., the Matter protocol [13]. This can be enforced through regulations to ensure that the common protocol is deployed correctly and appropriately by every vendor. In addition, networking and connectivity devices through which the IoT network traffic flows can also support the effort to provide security and privacy measures by, for example, detecting the presence of IoT network traffic and implementing additional measures, such as performed in HanGuard [3] and Vigilia [4].?Thus, IoT device vendors should work hand in hand with regulators and networking and connectivity device vendors. Even if several IoT devices did not follow the standards and regulations in deploying the common protocol appropriately, the burden for providing security and privacy could still be picked up by the network devices (i.e., networking and connectivity device vendors).?

References?

[1] Antonakakis, Manos, et al. "Understanding the mirai botnet." 26th USENIX security symposium (USENIX Security 17). 2017.?

[2] Fernandes, Earlence, Jaeyeon Jung, and Atul Prakash. "Security analysis of emerging smart home applications." 2016 IEEE symposium on security and privacy (SP). IEEE, 2016.?

[3] Demetriou, Soteris, et al. "HanGuard: SDN-driven protection of smart home WiFi devices from malicious mobile apps." Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks. 2017.?

[4] Trimananda, Rahmadi, et al. "Vigilia: Securing smart home edge computing." 2018 IEEE/ACM Symposium on Edge Computing (SEC). IEEE, 2018.?

[5] Acar, Abbas, et al. "Peek-a-boo: I see your smart home activities, even encrypted!." Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks. 2020.?

[6] Zhang, Wei, et al. "Homonit: Monitoring smart home apps from encrypted traffic." Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018.?

[7] OConnor, T. J., et al. "HomeSnitch: Behavior transparency and control for smart home IoT devices." Proceedings of the 12th conference on security and privacy in wireless and mobile networks. 2019.?

[8] Trimananda, Rahmadi, et al. "Packet-level signatures for smart home devices." Network and Distributed Systems Security (NDSS) Symposium. Vol. 2020. 2020.?

[9] Varmarken, Janus, et al. "FingerprinTV: Fingerprinting Smart TV Apps." Proceedings on Privacy Enhancing Technologies 2022.3 (2022).?

[10] Kennedy, Sean, et al. "I can hear your alexa: Voice command fingerprinting on smart home speakers." 2019 IEEE Conference on Communications and Network Security (CNS). IEEE, 2019.?

[11] Trimananda, Rahmadi, et al. "{OVRseen}: Auditing network traffic and privacy policies in oculus {VR}." 31st USENIX security symposium (USENIX security 22). 2022.?

[12] Lecci, Mattia, et al. "An open framework for analyzing and modeling XR network traffic." IEEE Access 9 (2021): 129782-129795.?

[13] The Matter Protocol. https://csa-iot.org/all-solutions/matter/??