DOI: 10.1145/3450268.3453530
Research article (Public Access)

Lux: Enabling Ephemeral Authorization for Display-Limited IoT Devices

Published: 18 May 2021

Abstract

Smart speakers are increasingly appearing in homes, enterprises, and businesses such as hotels. These systems serve as hubs for other IoT devices and deliver content from streaming media services. This arrangement, however, raises a number of security concerns. Provisioning such devices with long-term secrets is problematic when the devices themselves are vulnerable, and it fails to capture the increasingly transient relationship between users and devices (in a hotel or Airbnb setting, for example, the customer does not own the device and may use it for only a single day). Moreover, the limited interfaces available on such speakers make entering credentials safely difficult. We address these problems with Lux, a system that provides ephemeral, fine-grained authorization to smart speakers and automatically revokes it when the user and hub are no longer in the same location. We develop protocols that use the LED/light channel available on many smart speakers to help users correctly identify the device with which they are communicating, and we show through a formally validated protocol that such authorization takes only a few seconds in practice. Through this effort, we demonstrate that Lux can safely authorize devices to access user accounts while limiting long-term exposure to compromise.
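The properties the abstract asks of an authorization grant (short-lived, scoped to specific actions, bound to one device, and revoked the moment co-location ends) can be illustrated with generic primitives. The sketch below is an added example written for this page, not the Lux protocol or code from the paper: it uses an HMAC-authenticated grant in place of whatever credential format Lux uses, and the `led_code` routine shows only the idea of a short light-channel pattern that the user's phone can independently compute and compare. The shared per-session secret, the `on_departure` hook and the device identifier `hub-1` are assumptions for the illustration.

```python
"""Ephemeral, scoped authorization for a display-limited device.

Added example, not code from the Lux paper. Assumptions: the user's phone
and the hub already share a per-session secret established locally, and a
"departure" signal arrives from whatever co-location check is deployed.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    sid: str    # grant identifier, used for revocation
    token: str  # self-describing body plus HMAC tag


@dataclass
class AuthServer:
    """Issues and checks short-lived, scope-limited, revocable grants."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    revoked: set = field(default_factory=set)

    def issue(self, device_id: str, scopes: list, ttl_s: int, now: int) -> Grant:
        # The grant names the one device it is for, the actions it permits,
        # and an absolute expiry; nothing long-lived is handed to the hub.
        sid = secrets.token_hex(8)
        body = {"sid": sid, "dev": device_id, "scp": sorted(scopes), "exp": now + ttl_s}
        raw = json.dumps(body, separators=(",", ":"), sort_keys=True)
        tag = hmac.new(self.key, raw.encode(), hashlib.sha256).hexdigest()
        return Grant(sid=sid, token=f"{raw}.{tag}")

    def verify(self, token: str, device_id: str, scope: str, now: int) -> bool:
        # Integrity first, then binding, revocation, expiry and scope.
        raw, sep, tag = token.rpartition(".")
        if not sep:
            return False
        expect = hmac.new(self.key, raw.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expect):
            return False
        body = json.loads(raw)
        if body["dev"] != device_id or body["sid"] in self.revoked:
            return False
        if now >= body["exp"]:
            return False
        return scope in body["scp"]

    def on_departure(self, grant: Grant) -> None:
        """Hook for the co-location check (assumed): the grant ends with the visit."""
        self.revoked.add(grant.sid)


def led_code(session_secret: bytes, device_id: str, n_bits: int = 12) -> str:
    """Short on/off pattern for the hub's LED.

    Both the hub and the user's phone derive it from the secret they share,
    so a matching pattern tells the user which physical device holds the
    session. Illustrative only; the paper's own encoding is not reproduced.
    """
    digest = hmac.new(session_secret, device_id.encode(), hashlib.sha256).digest()
    bits = int.from_bytes(digest[:4], "big") >> (32 - n_bits)
    return format(bits, f"0{n_bits}b")


if __name__ == "__main__":
    srv = AuthServer()
    g = srv.issue("hub-1", ["play_media"], ttl_s=3600, now=1000)
    print("play allowed:", srv.verify(g.token, "hub-1", "play_media", now=1500))
    srv.on_departure(g)
    print("after departure:", srv.verify(g.token, "hub-1", "play_media", now=1500))
    print("LED pattern:", led_code(b"\x01" * 32, "hub-1"))
```

The check order in `verify` matters: the tag is compared before the body is parsed, so a forged or truncated token is rejected without any of its claims being trusted, and revocation is keyed on the grant identifier rather than on the bearer string, so a grant cannot be resurrected by re-presenting a copy.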


Cited By

  • (2023) Intelligent Hotel System Design Based on Internet of Things. Cyber Security Intelligence and Analytics, 495-503. DOI: 10.1007/978-3-031-31775-0_51. Online publication date: 30 Apr 2023.

Published In

IoTDI '21: Proceedings of the International Conference on Internet-of-Things Design and Implementation
May 2021, 288 pages
ISBN: 9781450383547
DOI: 10.1145/3450268

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

  • Research article
  • Refereed limited