Abstract: Internet of Things (IoT) devices are becoming increasingly commonplace in numerous public and semi-private settings. Currently, most such devices lack mechanisms to facilitate their discovery by casual (nearby) users who are not owners or operators. However, these users are potentially being sensed, and/or actuated upon, by these devices, without their knowledge or consent. This naturally triggers privacy, security, and safety issues.
To address this problem, some recent work explored device transparency in the IoT ecosystem. The intuitive approach is for each device to periodically and securely broadcast (announce) its presence and capabilities to all nearby users. While effective, when no new users are present, this push-based approach generates a substantial amount of unnecessary network traffic and needlessly interferes with normal device operation.
In this work, we construct DB-PAISA, which addresses these issues via a pull-based method, whereby devices reveal their presence and capabilities only upon explicit user request. Each device guarantees a secure timely response (even if fully compromised by malware) based on a small active Root-of-Trust (RoT). DB-PAISA requires no hardware modifications and is suitable for a range of current IoT devices. To demonstrate its feasibility and practicality, we built a fully functional and publicly available prototype. It is implemented atop a commodity MCU (NXP LPC55S69) and operates in tandem with a smartphone-based app. Using this prototype, we evaluate energy consumption and other performance factors.
### What problems does this paper attempt to solve?
This paper addresses the lack of transparency of Internet of Things (IoT) devices in public and semi-private environments, and in particular the privacy, security and safety issues that arise when these devices sense or act upon users without their knowledge or consent.
Specifically, most current IoT devices lack mechanisms that let nearby users who are not owners or operators discover their existence and functions. This leads to the following problems:
1. **Privacy issues**: Users may be monitored or controlled by IoT devices without their knowledge, for example when sensitive information is collected through cameras, voice assistants or motion detectors.
2. **Security issues**: IoT devices may have software vulnerabilities and are vulnerable to attacks, resulting in data leakage, false data reporting, malicious operations or the device being zombified.
3. **Safety risks**: Some IoT devices perform critical tasks, such as door-lock operations, triggering alarms or controlling smart home appliances. If these devices are maliciously exploited, they may pose safety hazards.
To solve these problems, some recent studies have explored privacy-agile IoT ecosystems based on manufacturer compliance. However, these methods have the following shortcomings:
- **PAISA**: It adopts a push-based model, in which IoT devices regularly broadcast their existence and functions. This generates a large amount of unnecessary network traffic when there are no new users and interferes with the normal operation of the devices.
- **DIAL**: It requires an NFC tag to be physically attached to each device, and users need to manually touch the NFC tag to obtain device information, which is impractical for most scenarios.
Therefore, this paper proposes a new solution, DB-PAISA, which adopts a pull-based model: the device reveals its existence and functions only when the user makes an explicit request. This reduces unnecessary network traffic and avoids interference with the normal operation of the devices.
### Main contributions of DB-PAISA
1. **Low bandwidth overhead and no interference**: DB-PAISA does not generate and broadcast device announcements when there are no new users, thus reducing the network load and interference with normal device functions.
2. **Performance comparison**: This paper compares the overheads of the push-based model of PAISA and the pull-based model of DB-PAISA in terms of bandwidth, energy consumption and running time.
3. **Prototype implementation**: A complete DB-PAISA prototype is constructed, including:
   - An IoT device with ARM TrustZone-M and Bluetooth extended advertising.
   - An Android application for requesting, scanning, processing and displaying IoT device information. This implementation is publicly available.

In this way, DB-PAISA provides a more efficient and safer IoT device discovery mechanism, especially in public and semi-private environments.