Section 8: Smart Home Security & Privacy CSE 484 / CSE M 584 - PowerPoint PPT Presentation

Section 8: Smart Home Security & Privacy CSE 484 / CSE M 584

Administrivia May 22 nd May 29 th June 8 th Lab 2 Due HW 3 & Final Project Checkpoint Final Project Due #2 Due Memorial Day Lab 3 Due May 25 th June 5 th

The Smart Home • What makes a home a “smart” home? • What are some “smart” devices you can think of? • What do you think should be the next big smart home invention?

Yes: • Smart home devices can affect the physical environment Is security • There are a lot of smart home startups doing a bad job with respect to security for smart • Smart home devices are proliferating faster than computers homes different? No: • Smart home devices are just small computers; same vulnerabilities as any computer (and sometimes more!)

What do smart home setups look like? Cloud-based devices (clients) Philips Hue servers Philips Hue bulbs Router Amazon control Amazon Echo interface Echo servers on phone Standalone devices (servers) FosCam Router

Threat Modeling: Adversaries Remote (internet) hackers Physical hackers Device manufacturers (companies) Other people in the home

Threat Modeling: Remote (Internet) Hackers • What kinds of vulnerabilities might remote attackers exploit? • What assets would they be interested in?

Botnets Imagine you found the same vulnerability on 10,000+ identical devices Exploit: try running your attack on every IP address in the IPv4 address space (0.0.0.1, 0.0.0.2, …, 255.255.255.255) What can you do with 10,000+ small computers?

Source: https://xkcd.com/1966

Mirai Botnet (2016) • Responsible for 2016 DDoS attacks on Dyn, a DNS provider • Took down GitHub, Twitter, Reddit, Netflix, and Airbnb • Rapidly sent requests to servers faster than they can be processed • Vulnerability exploited: default usernames and passwords • Mostly infected CCTV cameras and routers • Original purpose? Minecraft video game scam • https://www.wired.com/story/mirai-botnet-minecraft-scam-brought- down-the-internet/

Geo-locations of all Mirai-infected devices uncovered so far in 2016 (Source: Imperva)

Threat Modeling: Physical / Nearby Hackers • What parts of the smart home might be vulnerable to adversaries who are nearby? (e.g., people standing outside your house)

Triggering voice assistants • Mixed remote / physical attack: get TV or speakers to say “Alexa” or wake-up word • Shout at Alexa from an open window • Can put things into shopping cart, set alarms, control other smart devices

Source: https://www.nytimes.com/2019/11/04/technology/digital-assistant-laser-hack.html

Attacking nearby smart lights • Zigbee protocol: radio link between IoT devices; used by Phillips Hue Smart Lights • Researchers found a bug in the Zigbee chip that could let any Zigbee transmitter trigger a factory reset and then take control of Zigbee lights from up to 400 meters away • Demonstrated it’s possible to use a drone to fly around and turn off all smart lamps in a city https://ieeexplore.ieee.org/document/7958578

Threat Modeling: Device Manufacturer Companies • What kind of data do smart home companies collect? • How might that data be used?

Amazon workers listen to Echo commands • Voice recordings sent to workers for transcription • Provide better training data for voice recognition • Workers often listened to audio when the users didn’t realize they were being recorded • Recordings captured private conversations, background noise in the house, crying children, singing in the shower, etc. https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio

Threat Modeling: Other Users • How might people living in the smart home exploit each others’ security or privacy?

Multi-User Issues: Privacy Violation • Smart homes track a lot of behavioral data • Locks: when you enter and leave the house • Lights: when you’re home • Voice assistants: listen back to old queries • Savvy users can look at logs and spy on the activities of others in the home

Multi-User Issues: Conflict • Disagreements about how to use devices • How high/low should the thermostat be? • Parents vs. teens: should the front door lock / record when people go in or out? • Disagreements caused by devices • What if Alexa recorded household disputes, or other audio evidence that wouldn’t have been captured otherwise?

Multi-User Issues: Power & Access Imbalances • What if not everyone has access to the devices? • Maybe not everyone cared about it enough • Maybe the person who set it up didn’t share access • The people with access have more control over how devices are used, private info about what people are doing, rules about usage, etc. • Domestic abuse: smart homes can be used by abusers to harass victims, who are denied power and control - turning the thermostat way up, turning lights on and off, randomly playing music, etc.

If you don’t trust anyone … • Roll your own IoT devices! • Raspberry Pi, Arduino • Microcontrollers with WiFi (esp8266, esp32, some Arduinos) • Custom firmware for commercial devices (Tasmota, and others) • Small electronics are a fun learning experience & inexpensive (Adafruit, Sparkfun) • However, now the security is entirely in your hands… • Do you trust your own skills? What’s the new threat model? • Take the cloud out of the equation! • A fun summer project!?

Custom TV and Light Controls Remote Control: http://alexba.in/blog/2013/ 02/23/controlling-lirc-from- the-web/ https://github.com/alexbai n/lirc_web Light Control (LIFX bulbs): https://github.com/mclarkk /lifxlan Web servers running locally on Pi, not accessible outside Raspberry Pi with custom circuit board home network for flashing infrared LEDs to control TV and AV receiver If your TV has an ethernet port, it might support Wake-On-Lan!

Apple HomeKit + Homebridge • Homebridge runs on the Raspberry Pi and allows you to control nearly any IoT device (even unsupported/custom ones) • https://github.com/homebridge/homebridge • Many libraries already exist for some commercial devices • You can also write your own! Raspberry Pi controlling custom- • In contrast to most IoT platforms, HomeKit is made light panel (“The Sun”) via local to your home network Homebridge. • Better privacy – data need not be in the cloud • Works even in the case of an Internet outage

Disclaimer: I am NOT encouraging you to play with Smart {{Your Item Here}}??? main’s power!!!! Be careful with devices that run off 120v!!! Esp8266 microcontrollers can be programmed with Arduino, only cost ~$10 apiece, include digital and analog inputs/outputs, and even have WiFi! • With a bit of experimentation, you can Smart outlet that uses build your own IoT devices! esp8266 Or, hack on existing ones – many • “generic” smart devices contain this exact microcontroller, and some can be flashed with custom firmware that gives you full control (https://tasmota.github.io/docs/) Esp8266 with circuit “Breadboard” for prototyping board for development small electronics

Any lingering questions about Lab 2? Or other aspects of the course?

How Locks Work