DOI: 10.1145/3618257.3624830
research-article

In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes

Published: 24 October 2023

Abstract

    The network communication between Internet of Things (IoT) devices on the same local network has significant implications for platform and device interoperability, security, privacy, and correctness. Yet, the analysis of local home Wi-Fi network traffic and its associated security and privacy threats has been largely ignored by prior literature, which typically focuses on studying the communication between IoT devices and cloud end-points, or detecting vulnerable IoT devices exposed to the Internet. In this paper, we present a comprehensive and empirical measurement study to shed light on the local communication within a smart home deployment and its threats. We use a unique combination of passive network traffic captures, protocol honeypots, dynamic mobile app analysis, and crowdsourced IoT data from participants to identify and analyze a wide range of device activities on the local network. We then analyze these datasets to characterize local network protocols and the security and privacy threats associated with them. Our analysis reveals vulnerable devices, insecure use of network protocols, and sensitive data exposure by IoT devices. We provide evidence of how this information is exfiltrated to remote servers by mobile apps and third-party SDKs, potentially for household fingerprinting, surveillance and cross-device tracking. We make our datasets and analysis publicly available to support further research in this area.

          Published In

          IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference
          October 2023
          746 pages
          ISBN:9798400703829
          DOI:10.1145/3618257
          This work is licensed under a Creative Commons Attribution International 4.0 License.

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Author Tags

          1. household fingerprinting
          2. iot
          3. local communication
          4. privacy
          5. security
          6. side channels
          7. smart home

          Qualifiers

          • Research-article

          Conference

          IMC '23: ACM Internet Measurement Conference
          October 24 - 26, 2023
          Montreal QC, Canada

          Acceptance Rates

          Overall Acceptance Rate 277 of 1,083 submissions, 26%
