TY - GEN
T1 - Delay Wreaks Havoc on Your Smart Home
T2 - 43rd IEEE Symposium on Security and Privacy, SP 2022
AU - Chi, Haotian
AU - Fu, Chenglong
AU - Zeng, Qiang
AU - Du, Xiaojiang
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - With the proliferation of Internet of Things (IoT) devices and platforms, it becomes a trend that IoT devices associated with different IoT platforms coexist in a smart home, demonstrating the following characteristics. First, a smart home may use more than one platform to support its devices and automation. Second, IoT devices of a home may transmit messages over different paths. By selectively delaying IoT messages, our study finds that two issues, inconsistency and disorder, can be exacerbated by attackers significantly. We then explore how these issues can be exploited and present seven types of exploitation, collectively referred to as Delay-based Automation Interference (DAI) attacks. DAI attacks cause home automation to yield incorrect interaction results, placing the IoT devices and smart home in insecure, unsafe, or unexpected states. It is worth highlighting that DAI attacks do not depend on any IoT implementation vulnerabilities or leaked keys/tokens, and they do not trigger alarms at any layers of the IoT protocol stack. To demonstrate and evaluate the new attacks, we set up two real-world testbeds, where commercial IoT devices and apps are deployed. The week-long experiments from both testbeds show that an attacker has adequate opportunities to launch DAI attacks that cause security or safety issues.
AB - With the proliferation of Internet of Things (IoT) devices and platforms, it becomes a trend that IoT devices associated with different IoT platforms coexist in a smart home, demonstrating the following characteristics. First, a smart home may use more than one platform to support its devices and automation. Second, IoT devices of a home may transmit messages over different paths. By selectively delaying IoT messages, our study finds that two issues, inconsistency and disorder, can be exacerbated by attackers significantly. We then explore how these issues can be exploited and present seven types of exploitation, collectively referred to as Delay-based Automation Interference (DAI) attacks. DAI attacks cause home automation to yield incorrect interaction results, placing the IoT devices and smart home in insecure, unsafe, or unexpected states. It is worth highlighting that DAI attacks do not depend on any IoT implementation vulnerabilities or leaked keys/tokens, and they do not trigger alarms at any layers of the IoT protocol stack. To demonstrate and evaluate the new attacks, we set up two real-world testbeds, where commercial IoT devices and apps are deployed. The week-long experiments from both testbeds show that an attacker has adequate opportunities to launch DAI attacks that cause security or safety issues.
UR - http://www.scopus.com/inward/record.url?scp=85135894745&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85135894745&partnerID=8YFLogxK
U2 - 10.1109/SP46214.2022.9833620
DO - 10.1109/SP46214.2022.9833620
M3 - Conference contribution
AN - SCOPUS:85135894745
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 285
EP - 302
BT - Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022
Y2 - 23 May 2022 through 26 May 2022
ER -