Saturday, October 28, 2023


New research reveals alarming privacy and security threats in Smart Homes


A group of researchers from several international universities and research centres analyze the local network interactions of IoT devices and mobile apps, and demonstrate that a variety of security and privacy threats exist

Reports and Proceedings

IMDEA NETWORKS INSTITUTE



An international team of researchers, led by IMDEA Networks and Northeastern University in collaboration with NYU Tandon School of Engineering, Universidad Carlos III de Madrid, IMDEA Software, University of Calgary, and the International Computer Science Institute, has unveiled groundbreaking findings on the security and privacy challenges posed by the ever-growing prevalence of opaque and technically complex Internet of Things (IoT) devices in smart homes.

Smart Homes: Trusted and Secure Environments?

Smart homes are becoming increasingly interconnected, comprising an array of consumer-oriented IoT devices ranging from smartphones and smart TVs to virtual assistants and CCTV cameras. These devices have cameras, microphones, and other ways of sensing what is happening in our most private spaces—our homes. An important question is, can we trust that these devices in our homes are safely handling and protecting the sensitive data they have access to?

“When we think of what happens between the walls of our homes, we think of it as a trusted, private place. In reality, we find that smart devices in our homes are piercing that veil of trust and privacy—in ways that allow nearly any company to learn what devices are in your home, to know when you are home, and learn where your home is. These behaviours are generally not disclosed to consumers, and there is a need for better protections in the home,” said David Choffnes, Associate Professor of Computer Science and Executive Director of the Cybersecurity and Privacy Institute at Northeastern University.

The research team’s extensive study, titled “In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes,” was presented this week at the ACM Internet Measurement Conference (ACM IMC’23) in Montreal (Canada). The paper delves for the first time into the intricacies of local network interactions between 93 IoT devices and mobile apps, revealing a plethora of previously undisclosed security and privacy concerns with actual real-world implications.

While most users typically view local networks as a trusted and safe environment, the study’s findings illuminate new threats associated with the inadvertent exposure of sensitive data by IoT devices within local networks using standard protocols such as UPnP or mDNS. These threats include the exposure of unique device names, UUIDs, and even household geolocation data, all of which can be harvested by companies involved in surveillance capitalism without user awareness.

According to Vijay Prakash, PhD student from NYU Tandon who co-authored the paper, “analysing the data collected by IoT Inspector, we found evidence of IoT devices inadvertently exposing at least one PII (Personally Identifiable Information), like unique hardware address (MAC), UUID, or unique device names, in thousands of real-world smart homes. Any single PII is useful for identifying a household, but combining all three of them together makes a house very unique and easily identifiable. For comparison, if a person is fingerprinted using the simplest browser fingerprinting technique, they are as unique as one in 1,500 people. If a smart home with all three types of identifiers is fingerprinted, it is as unique as one in 1.12 million smart homes.”

These local network protocols can be used as side channels to obtain data that is supposedly protected by mobile app permissions, such as the household’s location. “A side channel is a sneaky way of indirectly accessing sensitive data. For example, Android app developers are supposed to request and obtain users’ consent to access data like geolocation. However, we have shown that certain spyware apps and advertising companies do abuse local network protocols to silently access such sensitive information without any user awareness. All they have to do is kindly ask other IoT devices deployed in the local network for it, using standard protocols like UPnP,” said Narseo Vallina-Rodriguez, Associate Research Professor of IMDEA Networks and co-founder of AppCensus.
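The three paragraphs above make two claims that are easy to check on one’s own network: that standard discovery protocols hand out identifiers (UUIDs, MAC addresses, device names) to anyone who asks, and that combining those identifiers makes a household far more unique than any one of them alone. The following Python script is an added example, not code from the paper, from IoT Inspector, or from any of the institutions named; it parses SSDP (UPnP discovery) replies in their HTTPU format, reports which identifiers each reply exposes, and computes how many households in a constructed sample share the same fingerprint. All device names, UUIDs and MAC addresses are constructed, as is the `WAKEUP` header carrying a MAC; the `LOCATION` URL is never fetched, so the script runs offline.

```python
"""Audit SSDP/UPnP discovery replies for exposed household identifiers.

Added example (not from the paper or any vendor). Sample replies are
constructed; a real audit would feed in replies captured from the LAN.
"""
import re
from collections import Counter

# A UPnP USN carries "uuid:<RFC 4122 UUID>"; the MAC pattern is checked in
# every header value because some devices embed it in vendor headers.
UUID_RE = re.compile(r"uuid:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def _reply(server: str, uuid: str, extra: tuple[str, ...] = ()) -> str:
    """Build a constructed SSDP M-SEARCH response (CRLF-terminated HTTPU)."""
    lines = [
        "HTTP/1.1 200 OK",
        "CACHE-CONTROL: max-age=1800",
        "LOCATION: http://192.168.1.20:49152/description.xml",
        f"SERVER: {server}",
        "ST: upnp:rootdevice",
        f"USN: uuid:{uuid}::upnp:rootdevice",
        *extra,
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample: three households. Homes A and B own the same two
# product models; home C owns a different device. Every UUID/MAC is unique.
SAMPLE_REPLIES = {
    "home-A": [
        _reply("Linux/4.9 UPnP/1.0 ExampleTV/2.1",
               "0a1b2c3d-1111-4eee-8aaa-000000000001",
               ("WAKEUP: MAC=aa:bb:cc:dd:ee:01;Timeout=10",)),
        _reply("Linux/3.10 UPnP/1.0 ExampleSpeaker/5.0",
               "0a1b2c3d-2222-4eee-8aaa-000000000002"),
    ],
    "home-B": [
        _reply("Linux/4.9 UPnP/1.0 ExampleTV/2.1",
               "0a1b2c3d-3333-4eee-8aaa-000000000003",
               ("WAKEUP: MAC=aa:bb:cc:dd:ee:03;Timeout=10",)),
        _reply("Linux/3.10 UPnP/1.0 ExampleSpeaker/5.0",
               "0a1b2c3d-4444-4eee-8aaa-000000000004"),
    ],
    "home-C": [
        _reply("Linux/4.9 UPnP/1.0 ExampleCam/1.3",
               "0a1b2c3d-5555-4eee-8aaa-000000000005"),
    ],
}


def parse_ssdp(reply: str) -> dict[str, str]:
    """Parse the header block of an SSDP reply into an upper-cased header map."""
    headers: dict[str, str] = {}
    for line in reply.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")  # first ':' only; values contain ':'
        headers[name.strip().upper()] = value.strip()
    return headers


def extract_identifiers(headers: dict[str, str]) -> dict[str, str]:
    """Return the identifiers a single reply hands to any LAN peer."""
    ids: dict[str, str] = {}
    m = UUID_RE.search(headers.get("USN", ""))
    if m:
        ids["uuid"] = m.group(1).lower()  # stable per device, survives reboots
    for value in headers.values():
        m = MAC_RE.search(value)
        if m:
            ids["mac"] = m.group(0).lower()  # hardware address, never changes
            break
    server = headers.get("SERVER")
    if server:
        ids["model"] = server.split()[-1]  # product token, e.g. ExampleTV/2.1
    return ids


def household_fingerprint(replies: list[str], fields: tuple[str, ...]) -> tuple:
    """Sorted multiset of the chosen identifier kinds across a home's devices."""
    values = []
    for reply in replies:
        ids = extract_identifiers(parse_ssdp(reply))
        values.extend((f, ids[f]) for f in fields if f in ids)
    return tuple(sorted(values))


def anonymity_set_sizes(homes: dict[str, list[str]], fields: tuple[str, ...]) -> dict[str, int]:
    """For each home, how many homes in the sample share its fingerprint (1 = unique)."""
    fps = {home: household_fingerprint(replies, fields) for home, replies in homes.items()}
    counts = Counter(fps.values())
    return {home: counts[fp] for home, fp in fps.items()}


if __name__ == "__main__":
    for home, replies in SAMPLE_REPLIES.items():
        for reply in replies:
            print(home, extract_identifiers(parse_ssdp(reply)))
    print("model only:", anonymity_set_sizes(SAMPLE_REPLIES, ("model",)))
    print("model+uuid:", anonymity_set_sizes(SAMPLE_REPLIES, ("model", "uuid")))
```

Fingerprinting on product model alone leaves homes A and B indistinguishable (anonymity set of 2), while adding the UUID that the same reply volunteers makes every home unique; on a network of real devices the `WAKEUP`-style MAC leak is the worst case, since it cannot be rotated. A home-network audit built on this would replace `SAMPLE_REPLIES` with replies captured from the LAN and treat any reply that yields a `uuid` or `mac` entry as a finding to raise with the vendor.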

“Our study shows that the local network protocols used by IoT devices are not sufficiently protected and expose sensitive information about the home and the use we make of the devices. This information is being collected in an opaque way and makes it easier to create profiles of our habits or socioeconomic level,” adds Juan Tapiador, professor at UC3M.

The Wider Implications

The impact of this research extends far beyond academia. The findings underscore the imperative for manufacturers, software developers, IoT and mobile platform operators, and policymakers to take action to enhance the privacy and security guarantees of smart home devices and households. The research team responsibly disclosed these issues to vulnerable IoT device vendors and to Google’s Android Security Team, already triggering security improvements in some of these products.


Apple’s Safari browser is still vulnerable to Spectre attacks



Reports and Proceedings

RUHR-UNIVERSITY BOCHUM

Image: Yuval Yarom from the Faculty of Computer Science at Ruhr University Bochum (credit: RUB, Marquard)


Modern processors come with a fundamental vulnerability in their hardware architecture that allows attackers to hijack sensitive data. This insight emerged from the so-called Spectre attack reported in 2018. A great number of devices and operating systems were affected. In response, manufacturers developed countermeasures – Apple was one of them. Still, researchers showed even in 2023 that Mac and iOS systems are not yet adequately protected against this type of attack. A team from Ruhr University Bochum (Germany), Georgia Tech and the University of Michigan showed that they could exploit the hardware vulnerability to gain access to passwords, emails and location data via the Safari browser. Apple has released initial software updates that aim to fix the vulnerability and continues to work on further updates. On the website ileakage.com, the researchers report on the vulnerability, the available updates and how they can be enabled.

The project was conducted jointly by Professor Yuval Yarom from the Cluster of Excellence “Cyber Security in the Age of Large-Scale Adversaries” (CASA) in Bochum, Jason Kim and Associate Professor Daniel Genkin from Georgia Tech and Stephan van Schaik from the University of Michigan. They will present their findings at the Conference on Computer and Communications Security (CCS), which will take place in Copenhagen from 26 to 30 November 2023.

Gaining access to passwords and email accounts

In order to execute the new attack called “iLeakage”, attackers must first direct users to a website that they control. “Users can’t tell that they’ve landed on such a page,” explains Yuval Yarom from the Faculty of Computer Science at Ruhr University Bochum. His advice: “As always, the rule is that you should only click on trustworthy sites.”

If a user visits the attacker’s website, the attacker can open the user’s email app in a new window and read the contents of the inbox. Or they can open other websites, for example the login page of the user’s bank. “We also showed that the attacker could automatically use the login data stored in the password manager LastPass if the auto-fill option is enabled,” says Yuval Yarom. This is how even supposedly securely stored passwords could be hacked.

Security gap in hardware architecture

The security gap results from the operating principle of modern processors (CPUs). When a CPU receives a series of instructions, it doesn’t execute them strictly one after another, but works on several of them at the same time. Sometimes, instructions that depend on a condition are started before it is known whether that condition holds. This speculative approach speeds up the system: the CPU predicts which way the condition will go and begins the work that is probably required. If it turns out that the prediction was wrong, the CPU discards the result and starts over. However, discarded work leaves traces in the system, for instance in the processor’s caches, and this is precisely where the vulnerability lies. Attackers can extract sensitive memory data from such changes in the system.

Vendors have integrated countermeasures into their browsers as protection against this form of side-channel attack. In Safari, for example, each web page accessed by the user is supposed to be run in a separate process. However, the researchers showed that they could bypass the defence and open a second web page in the same process. This would allow attackers to intercept information that should in fact be inaccessible to them.
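Process separation is enforced by the browser, but a site can also tell the browser not to share a browsing context group with pages that open it or that it opens, via the Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) response headers; with both set strictly, a document becomes cross-origin isolated. The script below is an added example, not code from the iLeakage researchers or from Apple, and it does not address the Safari bug itself (the page says Apple’s updates do that). It is the defence-in-depth check a site operator can run: parse a raw HTTP response, classify its COOP/COEP values, and report what a page that lacks them is exposed to. The two responses are constructed; the domain names are placeholders.

```python
"""Audit HTTP response headers for cross-origin isolation (COOP/COEP).

Added example, not from the paper or any browser vendor. The sample
responses are constructed; feed in real response header blocks to audit a site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsolationVerdict:
    coop_ok: bool                  # COOP: same-origin
    coep_ok: bool                  # COEP: require-corp or credentialless
    cross_origin_isolated: bool    # both hold, so window.crossOriginIsolated is true
    findings: tuple[str, ...]      # human-readable gaps, empty when hardened


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response header block into a lower-cased header map."""
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers


def audit_isolation_headers(headers: dict[str, str]) -> IsolationVerdict:
    """Classify COOP/COEP values; missing headers behave as 'unsafe-none'."""
    h = {k.strip().lower(): v.strip().lower() for k, v in headers.items()}
    coop = h.get("cross-origin-opener-policy", "unsafe-none")
    coep = h.get("cross-origin-embedder-policy", "unsafe-none")
    findings: list[str] = []

    coop_ok = coop == "same-origin"
    if coop == "unsafe-none":
        findings.append("COOP absent or unsafe-none: a cross-origin page that opens this "
                        "document with window.open keeps it in the same browsing context group")
    elif coop == "same-origin-allow-popups":
        findings.append("COOP same-origin-allow-popups: popups this page opens may stay "
                        "in its browsing context group")
    elif not coop_ok:
        findings.append(f"COOP has an unrecognised value: {coop!r}")

    coep_ok = coep in ("require-corp", "credentialless")
    if not coep_ok:
        findings.append("COEP absent or unsafe-none: cross-origin subresources load without "
                        "a CORP/CORS opt-in, so the document cannot be cross-origin isolated")

    return IsolationVerdict(coop_ok, coep_ok, coop_ok and coep_ok, tuple(findings))


# Constructed sample responses (placeholder hostnames).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=constructed; Secure; HttpOnly\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "Set-Cookie: session=constructed; Secure; HttpOnly\r\n"
    "\r\n"
)


def audit_raw(raw: str) -> IsolationVerdict:
    """Convenience wrapper: raw response text in, verdict out."""
    return audit_isolation_headers(parse_response_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        verdict = audit_raw(raw)
        print(f"{label}: cross-origin isolated = {verdict.cross_origin_isolated}")
        for finding in verdict.findings:
            print("  -", finding)
```

The check is deliberately strict: `same-origin-allow-popups` is reported as a finding because it exists precisely to let a page keep a handle to the popups it opens, which is the relationship a site should sever if it handles mailboxes or login forms. Whether a given browser places a COOP-isolated document in a separate OS process is an implementation decision the header cannot force, so this audit complements the browser update rather than replacing it.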
