Ravisha Rohilla,Janvi Panwar

DOI: https://doi.org/10.5121/csit.2024.141508

2024-08-27

Abstract:The proliferation of Internet of Things (IoT) devices has raised significant concerns regarding their security vulnerabilities. This paper explores the security risks associated with smart light systems, focusing on covert communication channels. Drawing upon previous re-search highlighting vulnerabilities in communication protocols and en-cryption flaws, the study investigates the potential for exploiting smart light systems for covert data transmission. Specifically, the paper repli-cates and analyzes an attack method introduced by Ronen and Shamir, which utilizes the Philips Hue White lighting system to create a covert channel through visible light communication (VLC). Experimental re-sults demonstrate the feasibility of transmitting data covertly through subtle variations in brightness levels, leveraging the inherent functional-ity of smart light bulbs. Despite limit. ations imposed by device constraints and communication protocols, the study underscores the need for heightened awareness and security measures in IoT environment. Ultimately, the findings emphasize the importance of implementing robust security practices and exercising caution when deploying networked IoT devices in sensitive environment.

Cryptography and Security,Emerging Technologies

Yan Long,Qinhong Jiang,Chen Yan,Tobias Alam,Xiaoyu Ji,Wenyuan Xu,Kevin Fu

DOI: https://doi.org/10.14722/ndss.2024.24552

2024-01-01

Abstract:IoT devices and other embedded systems are increasingly equipped with cameras that can sense critical information in private spaces.The data security of these cameras, however, has hardly been scrutinized from the hardware design perspective.Our paper presents the first attempt to analyze the attack surface of physical-channel eavesdropping on embedded cameras.We characterize EM Eye-a vulnerability in the digital image data transmission interface that allows adversaries to reconstruct high-quality image streams from the cameras' unintentional electromagnetic emissions, even from over 2 meters away in many cases.Our evaluations of 4 popular IoT camera development platforms and 12 commercial off-the-shelf devices with cameras show that EM Eye poses threats to a wide range of devices, from smartphones to dash cams and home security cameras.By exploiting this vulnerability, adversaries may be able to visually spy on private activities in an enclosed room from the other side of a wall.We provide root cause analysis and modeling that enable system defenders to identify and simulate mitigation against this vulnerability, such as improving embedded cameras' data transmission protocols with minimum costs.We further discuss EM Eye's relationship with known computer display eavesdropping attacks to reveal the gaps that need to be addressed to protect the data confidentiality of sensing systems.

Kaibo Wang,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.1007/978-3-031-28990-3_9

2023-01-01

Abstract:As deep learning-based computer vision is widely used in IoT devices, it is especially critical to ensure its security. Among the attacks against deep neural networks, adversarial attacks are a stealthy means of attack, which can mislead model decisions during the testing phase. Therefore, the exploration of adversarial attacks can help to understand the vulnerability of models in advance and make targeted defense. Existing unrestricted adversarial attacks beyond the $$\ell _p$$ norm often require additional models to be both adversarial and imperceptible, which leads to a high computational cost and task-specific design. Inspired by the observation that models exhibit unexpected vulnerability to changes in illumination, we develop Adversarial Illumination Attack (AIA), an unrestricted adversarial attack that imposes large but imperceptible alterations to the image. The core of the attack lies in simulating adversarial illumination through Planckian jitter, of which the effectiveness comes from a causal chain where the attacker misleads the model by manipulating the confusion factor. We propose an efficient approach to generate adversarial samples without additional models by image gradient regularization. We validate the effectiveness of adversarial illumination in the face of black-box models, data preprocessing, and adversarially trained models through extensive experiments. Experiment results confirm that AIA can be both a lightweight unrestricted attack and a plug-in to boost the effectiveness of other attacks.

Shane S. Clark,Hossen A. Mustafa,Benjamin Ransford,Jacob Sorber,Kevin Fu,Wenyuan Xu

DOI: https://doi.org/10.1007/978-3-642-40203-6_39

2013-01-01

Abstract:Computers plugged into power outlets leak identifiable information by drawing variable amounts of power when performing different tasks. This work examines the extent to which this side channel leaks private information about web browsing to an observer taking measurements at the power outlet. Using direct measurements of AC power consumption with an instrumented outlet, we construct a classifier that correctly identifies unlabeled power traces of webpage activity from a set of 51 candidates with 99% precision and 99% recall. The classifier rejects samples of 441 pages outside the corpus with a false-positive rate of less than 2%. It is also robust to a number of variations in webpage loading conditions, including encryption. When trained on power traces from two computers loading the same webpage, the classifier correctly labels further traces of that webpage from either computer. We identify several reasons for this consistently recognizable power consumption, including system calls, and propose countermeasures to limit the leakage of private information. Characterizing the AC power side channel may help lead to practical countermeasures that protect user privacy from an untrustworthy power infrastructure. © 2013 Springer-Verlag.

Abbas Acar,Hossein Fereidooni,Tigist Abera,Amit Kumar Sikder,Markus Miettinen,Hidayet Aksu,Mauro Conti,Ahmad-Reza Sadeghi,Selcuk Uluagac

DOI: https://doi.org/10.1145/3395351.3399421

2020-05-14

Abstract:A myriad of IoT devices such as bulbs, switches, speakers in a smart home environment allow users to easily control the physical world around them and facilitate their living styles through the sensors already embedded in these devices. Sensor data contains a lot of sensitive information about the user and devices. However, an attacker inside or near a smart home environment can potentially exploit the innate wireless medium used by these devices to exfiltrate sensitive information from the encrypted payload (i.e., sensor data) about the users and their activities, invading user privacy. With this in mind,in this work, we introduce a novel multi-stage privacy attack against user privacy in a smart environment. It is realized utilizing state-of-the-art machine-learning approaches for detecting and identifying the types of IoT devices, their states, and ongoing user activities in a cascading style by only passively sniffing the network traffic from smart home devices and sensors. The attack effectively works on both encrypted and unencrypted communications. We evaluate the efficiency of the attack with real measurements from an extensive set of popular off-the-shelf smart home IoT devices utilizing a set of diverse network protocols like WiFi, ZigBee, and BLE. Our results show that an adversary passively sniffing the traffic can achieve very high accuracy (above 90%) in identifying the state and actions of targeted smart home devices and their users. To protect against this privacy leakage, we also propose a countermeasure based on generating spoofed traffic to hide the device states and demonstrate that it provides better protection than existing solutions.

Cryptography and Security

Zhijian Xu,Guoming Zhang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1177/09574565211001563

2021-01-01

Noise & Vibration Worldwide

Abstract:The in-car voice controllable system has become an almost standard feature in smart cars. Prior work shows that the voice controllable system is vulnerable to light commands attack which uses the laser as the medium to inject voice commands. In this article, we first reproduced the light commands attack on acoustic isolated in-car voice controllable system under several scenarios with a lightweight solution. We validate the feasibility of injecting the malicious voice command through a window into the microphone by modulating a laser beam. Then, we tested a variety of mainstream countermeasures such as placing sunscreen film on the glass panel to see whether it can protect the microphone from being attacked. Surprisingly, we find that the lower light transmittance of sunscreen film is the lower the success rate of the attack. Experiment results also show that when the transmittance rate of sun film is 50% which is the darkest sunscreen film that can be applied, the attacking success rate decreased by up to 0.4. We also explore the impact of attack angle by changing the incidence angle of the laser beam and the results demonstrate that light commands is sensitive to attack angle and the successful angle range is ± 15°. Finally, we propose a series of hardware-based protection schemes against light commands attacks.

Joe Loughry,David A. Umphress

DOI: https://doi.org/10.1145/545186.545189

2023-07-14

Abstract:A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Physical access is not required; the attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable. A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of "Optical TEMPEST" attack.

Cryptography and Security,Signal Processing

Andrew Kwong,Wenyuan Xu,Kevin Fu

DOI: https://doi.org/10.1109/sp.2019.00008

2019-01-01

Abstract:Security conscious individuals may take considerable measures to disable sensors in order to protect their privacy. However, they often overlook the cyberphysical attack surface exposed by devices that were never designed to be sensors in the first place. Our research demonstrates that the mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech. These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive. This proof of concept attack sheds light on the possibility of invasion of privacy even in absence of traditional sensors. We also present defense mechanisms, such as the use of ultrasonic aliasing, that can mitigate acoustic eavesdropping by synthesized microphones in hard disk drives.

Philipp Morgner,Stephan Mattejat,Zinaida Benenson

DOI: https://doi.org/10.48550/arXiv.1608.03732

2016-08-12

Cryptography and Security

Abstract:ZigBee Light Link (ZLL) is the low-power mesh network standard used by connected lighting systems, such as Philips Hue, Osram Lightify, and GE Link. These lighting systems are intended for residential use but also deployed in hotels, restaurants, and industrial buildings. In this paper, we investigate the current state of security in ZLL-based connected lighting systems. We extend the scope of known attacks by describing novel attack procedures to show that the ZLL standard is insecure by design. Using our penetration testing framework, we are able to take full control over all three systems mentioned above. Besides novel attack procedures, we also extend the intended wireless range of max. 2 meters for configuring a ZLL device to over 30 meters, thus making ZLL-based systems susceptible to war driving. We conclude with a discussion about the security needs of connected lighting systems and derive several lessons for Internet of Things security that can be learned from the insecure design of ZLL-based connected lighting systems.

Mordechai Guri,Boris Zadov,Andrey Daidakulov,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.1706.01140

2017-06-05

Abstract:In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never studied before. A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at a bit rates of 10 bit/sec to more than 1Kbit/sec per LED.

Cryptography and Security

Takeshi Sugawara,Benjamin Cyr,Sara Rampazzi,Daniel Genkin,Kevin Fu

DOI: https://doi.org/10.48550/arXiv.2006.11946

2020-06-22

Abstract:We propose a new class of signal injection attacks on microphones by physically converting light to sound. We show how an attacker can inject arbitrary audio signals to a target microphone by aiming an amplitude-modulated light at the microphone's aperture. We then proceed to show how this effect leads to a remote voice-command injection attack on voice-controllable systems. Examining various products that use Amazon's Alexa, Apple's Siri, Facebook's Portal, and Google Assistant, we show how to use light to obtain control over these devices at distances up to 110 meters and from two separate buildings. Next, we show that user authentication on these devices is often lacking, allowing the attacker to use light-injected voice commands to unlock the target's smartlock-protected front doors, open garage doors, shop on e-commerce websites at the target's expense, or even unlock and start various vehicles connected to the target's Google account (e.g., Tesla and Ford). Finally, we conclude with possible software and hardware defenses against our attacks.

Cryptography and Security

Ahmed Mohamed Hussain,Gabriele Oligeri,Thiemo Voigt

DOI: https://doi.org/10.1007/978-3-030-68884-4_10

2021-01-01

Abstract:We present a new machine learning-based attack that exploits network patterns to detect the presence of smart IoT devices and running services in the WiFi radio spectrum. We perform an extensive measurement campaign of data collection, and we build up a model describing the traffic patterns characterizing three popular IoT smart home devices, i.e., Google Nest Mini, Amazon Echo, and Amazon Echo Dot. We prove that it is possible to detect and identify with overwhelming probability their presence and the services running by the aforementioned devices in a crowded WiFi scenario. This work proves that standard encryption techniques alone are not sufficient to protect the privacy of the end-user, since the network traffic itself exposes the presence of both the device and the associated service. While more work is required to prevent non-trusted third parties to detect and identify the user’s devices, we introduce Eclipse, a technique to mitigate these types of attacks, which reshapes the traffic making the identification of the devices and the associated services similar to the random classification baseline.

Narmeen Shafqat,Daniel J. Dubois,David Choffnes,Aaron Schulman,Dinesh Bharadia,Aanjhan Ranganathan

DOI: https://doi.org/10.48550/arXiv.2107.10830

2021-11-27

Abstract:Zigbee is an energy-efficient wireless IoT protocol that is increasingly being deployed in smart home settings. In this work, we analyze the privacy guarantees of Zigbee protocol. Specifically, we present ZLeaks, a tool that passively identifies in-home devices or events from the encrypted Zigbee traffic by 1) inferring a single application layer (APL) command in the event's traffic, and 2) exploiting the device's periodic reporting pattern and interval. This enables an attacker to infer user's habits or determine if the smart home is vulnerable to unauthorized entry. We evaluated ZLeaks' efficacy on 19 unique Zigbee devices across several categories and 5 popular smart hubs in three different scenarios; controlled RF shield, living smart-home IoT lab, and third-party Zigbee captures. We were able to i) identify unknown events and devices (without a-priori device signatures) using command inference approach with 83.6% accuracy, ii) automatically extract device's reporting signatures, iii) determine known devices using the reporting signatures with 99.8% accuracy, and iv) identify APL commands in a public capture with 91.2% accuracy. In short, we highlight the trade-off between designing a low-power, low-cost wireless network and achieving privacy guarantees. We have also released ZLeaks tool for the benefit of the research community.

Cryptography and Security

Mordechai Guri

DOI: https://doi.org/10.1109/COMPSAC61105.2024.00134

2024-09-08

Abstract:Air-gapped systems are disconnected from the Internet and other networks because they contain or process sensitive data. However, it is known that attackers can use computer speakers to leak data via sound to circumvent the air-gap defense. To cope with this threat, when highly sensitive data is involved, the prohibition of loudspeakers or audio hardware might be enforced. This measure is known as an `audio gap'. In this paper, we present PIXHELL, a new type of covert channel attack allowing hackers to leak information via noise generated by the pixels on the screen. No audio hardware or loudspeakers is required. Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz. The malicious code exploits the sound generated by coils and capacitors to control the frequencies emanating from the screen. Acoustic signals can encode and transmit sensitive information. We present the adversarial attack model, cover related work, and provide technical background. We discuss bitmap generation and correlated acoustic signals and provide implementation details on the modulation and demodulation process. We evaluated the covert channel on various screens and tested it with different types of information. We also discuss \textit{evasion and stealth} using low-brightness patterns that appear like black, turned-off screens. Finally, we propose a set of countermeasures. Our test shows that with a PIXHELL attack, textual and binary data can be exfiltrated from air-gapped, audio-gapped computers at a distance of 2m via sound modulated from LCD screens.

Cryptography and Security

Noah Apthorpe,Dillon Reisman,Srikanth Sundaresan,Arvind Narayanan,Nick Feamster

DOI: https://doi.org/10.48550/arXiv.1708.05044

2017-08-16

Cryptography and Security

Abstract:The growing market for smart home IoT devices promises new conveniences for consumers while presenting new challenges for preserving privacy within the home. Many smart home devices have always-on sensors that capture users' offline activities in their living spaces and transmit information about these activities on the Internet. In this paper, we demonstrate that an ISP or other network observer can infer privacy sensitive in-home activities by analyzing Internet traffic from smart homes containing commercially-available IoT devices even when the devices use encryption. We evaluate several strategies for mitigating the privacy risks associated with smart home device traffic, including blocking, tunneling, and rate-shaping. Our experiments show that traffic shaping can effectively and practically mitigate many privacy risks associated with smart home IoT devices. We find that 40KB/s extra bandwidth usage is enough to protect user activities from a passive network adversary. This bandwidth cost is well within the Internet speed limits and data caps for many smart homes.

Noah Apthorpe,Dillon Reisman,Nick Feamster

DOI: https://doi.org/10.48550/arXiv.1705.06805

2017-05-18

Cryptography and Security

Abstract:The increasing popularity of specialized Internet-connected devices and appliances, dubbed the Internet-of-Things (IoT), promises both new conveniences and new privacy concerns. Unlike traditional web browsers, many IoT devices have always-on sensors that constantly monitor fine-grained details of users' physical environments and influence the devices' network communications. Passive network observers, such as Internet service providers, could potentially analyze IoT network traffic to infer sensitive details about users. Here, we examine four IoT smart home devices (a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo switch, and an Amazon Echo) and find that their network traffic rates can reveal potentially sensitive user interactions even when the traffic is encrypted. These results indicate that a technological solution is needed to protect IoT device owner privacy, and that IoT-specific concerns must be considered in the ongoing policy debate around ISP data collection and usage.

Jieun Lee,JaeHoon Yoo,Jiho Lee,Yura Choi,Seong Ki Yoo,JaeSeung Song

DOI: https://doi.org/10.1109/mnet.2024.3382969

IF: 10.294

2024-01-01

IEEE Network

Abstract:Since 2008, the Korean government has instituted network separation technology, which physically isolates external internet networks from internal networks, aiming to thwart cyber-attacks. Consequently, the domestic financial sector was largely unaffected during global crises (2017 WannaCry ransomware outbreak and the 2021 Log4j vulnerability incident). However, there exist certain vulnerabilities owing to the presumption of their relative safety against cyber intrusions and the integration of cloud and Internet of Things (IoT) technologies in the current smart revolution. The existing network separation measures only mitigate one facet of potential cyber threats, rendering a comprehensive defense elusive. The rise of “air-gap” attacks, which exploit the isolated space between closed and external networks to illicitly transfer data and the existing research primarily substantiating the potential for data breaches from closed networks to their external counterparts are problems yet to be addressed. Thus, our study proposed a tangible optical air-gap attack methodology, harnessing readily available optical mediums within closed networks. Intricate measurement metrics that consider vital factors of the transmission environment were proposed. Moreover, acknowledging the proliferating integration of IoT devices, such as smart bulbs, to facilitate automation within closed networks, this study demonstrated the viability of optical air-gap attacks using these devices.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Kirsten Crager,Anindya Maiti,Murtuza Jadliwala,Jibo He

DOI: https://doi.org/10.14722/eurousec.2017.23013

2017-01-01

Abstract:Smart phones and wearable devices have replaced personal computers and desktops as the primary platform for accessing online applications and services.However, these mobile devices bring forth new and additional forms of security and privacy risks, which were non-existent in traditional personal computers.For instance, several recent research efforts have shown that motion sensors such as accelerometer and gyroscope on-board these mobile and wearable devices can be maliciously used to infer private information from users' keystrokes (e.g., PINs and passwords).The problem is that, unlike traditional security and privacy risks that are typically associated with personal computers, most users may not be aware of these novel risks associated with mobile devices.An adversary may use this lack of user-awareness to target specific user-demographics for successfully carrying out such attacks.There has been some progress in the direction of protection mechanisms against such attacks, however, without user-awareness these protection mechanisms are unlikely to be used effectively (if at all).In order to further understand these issues, we conduct a structured and comprehensive user-study involving users from diverse demographic backgrounds to investigate userawareness and perceptions related to mobile motion sensor based privacy risks, and how these vary across different demographics.By means of our study, we also gain insight on users' expectations from defense mechanisms that can protect against such attacks.Results of our study can be used to increase awareness (about such risks) among the less-aware user demographies, and in designing effective and usable protection mechanisms as per user-expectations.

Yang Liu,Gregory W Wornell,William T Freeman,Frédo Durand,Gregory W. Wornell,William T. Freeman

DOI: https://doi.org/10.1126/sciadv.adj3608

IF: 13.6

2024-01-11

Science Advances

Abstract:Embedded sensors in smart devices pose privacy risks, often unintentionally leaking user information. We investigate how combining an ambient light sensor with a device display can capture an image of touch interaction without a camera. By displaying a known video sequence, we use the light sensor to capture reflected light intensity variations partially blocked by the touching hand, formulating an inverse problem similar to single-pixel imaging. Because of the sensors' heavy quantization and low sensitivity, we propose an inversion algorithm involving an l p -norm dequantizer and a deep denoiser as natural image priors, to reconstruct images from the screen's perspective. We demonstrate touch interactions and eavesdropping hand gestures on an off-the-shelf Android tablet. Despite limitations in resolution and speed, we aim to raise awareness of potential security/privacy threats induced by the combination of passive and active components in smart devices and promote the development of ways to mitigate them.

multidisciplinary sciences

Mordechai Guri,Dima Bykhovsky,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.1709.05742

2017-09-18

Abstract:Infrared (IR) light is invisible to humans, but cameras are optically sensitive to this type of light. In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). Exfiltration. Surveillance and security cameras are equipped with IR LEDs, which are used for night vision. In the exfiltration scenario, malware within the organization access the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. Infiltration. In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The exfiltration and infiltration can be combined to establish bidirectional, 'air-gap' communication between the compromised network and the attacker. We discuss related work and provide scientific background about this optical channel. We implement a malware prototype and present data modulation schemas and a basic transmission protocol. Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away. Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.

Cryptography and Security