

This content will become publicly available on March 20, 2025

Title: SunBlock: Cloudless Protection for IoT Systems
With an increasing number of Internet of Things (IoT) devices present in homes, there is a rise in the number of potential information leakage channels and their associated security threats and privacy risks. Despite a long history of attacks on IoT devices in unprotected home networks, the problem of accurate, rapid detection and prevention of such attacks remains open. Many existing IoT protection solutions are cloud-based, sometimes ineffective, and might share consumer data with unknown third parties. This paper investigates the potential for effective IoT threat detection locally, on a home router, using AI tools combined with classic rule-based traffic-filtering algorithms. Our results show that with a slight rise of router hardware resources caused by machine learning and traffic filtering logic, a typical home router instrumented with our solution is able to effectively detect risks and protect a typical home IoT network, equaling or outperforming existing popular solutions, without any effects on benign IoT functionality, and without relying on cloud services and third parties.
Award ID(s):
1955227
NSF-PAR ID:
10531482
Publisher / Repository:
Passive and Active Measurement. PAM 2024
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Home networks lack the powerful security tools and trained personnel available in enterprise networks. This complicates efforts to address security risks in residential settings. While prior efforts explore outsourcing network traffic to cloud or cloudlet services, such an approach exposes that network traffic to a third party, which introduces privacy risks, particularly where traffic is decrypted (e.g., using Transport Layer Security Inspection (TLSI)). To enable security screening locally, home networks could introduce new physical hardware, but the capital and deployment costs may impede deployment. In this work, we explore a system to leverage existing available devices, such as smartphones, tablets and laptops, already inside a home network to create a platform for traffic inspection. This software-based solution avoids new hardware deployment and allows decryption of traffic without risk of new third parties. Our investigation compares on-router inspection of traffic with an approach using that same router to direct traffic through smartphones in the local network. Our performance evaluation shows that smartphone middleboxes can substantially increase the throughput of communication from around 10 Mbps in the on-router case to around 90 Mbps when smartphones are used. This approach increases CPU usage at the router by around 15%, with a 20% CPU usage increase on a smartphone (with single core processing). The network packet latency increases by about 120 milliseconds.
  2. Smart home devices are constantly exchanging data with a variety of remote endpoints. This data encompasses diverse information, from device operation and status to sensitive user information like behavioral usage patterns. However, there is a lack of transparency regarding where such data goes and with whom it is potentially shared. This paper investigates the diverse endpoints that smart home Internet-of-Things (IoT) devices contact to better understand and reason about the IoT backend infrastructure, thereby providing insights into potential data privacy risks. We analyze data from 5,413 users and 25,123 IoT devices using the IoT Inspector, an open-source application allowing users to monitor traffic from smart home devices on their networks. First, we develop semi-automated techniques to map remote endpoints to organizations and their business types to shed light on their potential relationships with IoT end products. We discover that IoT devices contact more third or support-party domains than first-party domains. We also see that the distribution of contacted endpoints varies based on the user's location and across vendors manufacturing similar functional devices, where some devices are more exposed to third parties than others. Our analysis also reveals the major organizations providing backend support for IoT smart devices and provides insights into the temporal evolution of cross-border data-sharing practices. 
  3. Despite the prevalence of Internet of Things (IoT) devices, there is little information about the purpose and risks of the Internet traffic these devices generate, and consumers have limited options for controlling those risks. A key open question is whether one can mitigate these risks by automatically blocking some of the Internet connections from IoT devices, without rendering the devices inoperable. In this paper, we address this question by developing a rigorous methodology that relies on automated IoT-device experimentation to reveal which network connections (and the information they expose) are essential, and which are not. We further develop strategies to automatically classify network traffic destinations as either required (i.e., their traffic is essential for devices to work properly) or not, hence allowing firewall rules to block traffic sent to non-required destinations without breaking the functionality of the device. We find that indeed 16 among the 31 devices we tested have at least one blockable non-required destination, with the maximum number of blockable destinations for a device being 11. We further analyze the destination of network traffic and find that all third parties observed in our experiments are blockable, while first and support parties are neither uniformly required nor non-required. Finally, we demonstrate the limitations of existing blocklists on IoT traffic, propose a set of guidelines for automatically limiting non-essential IoT traffic, and we develop a prototype system that implements these guidelines.
  4. The number of smart home IoT (Internet of Things) devices has been growing fast in recent years. Along with the great benefits brought by smart home devices, new threats have appeared. One major threat to smart home users is the compromise of their privacy by traffic analysis (TA) attacks. Researchers have shown that TA attacks can be performed successfully on either plain or encrypted traffic to identify smart home devices and infer user activities. Tunneling traffic is a very strong countermeasure to existing TA attacks. However, in this work, we design a Signature based Tunneled Traffic Analysis (STTA) attack that can be effective even on tunneled traffic. Using a popular smart home traffic dataset, we demonstrate that our attack can achieve an 83% accuracy on identifying 14 smart home devices. We further design a simple defense mechanism based on adding uniform random noise to effectively protect against our TA attack without introducing too much overhead. We prove that our defense mechanism achieves approximate differential privacy. 
  5. Despite the significant benefits of the widespread adoption of smart home Internet of Things (IoT) devices, these devices are known to be vulnerable to active and passive attacks. Existing literature has demonstrated the ability to infer the activities of these devices by analyzing their network traffic. In this study, we introduce a packet-based signature generation and detection system that can identify specific events associated with IoT devices by extracting simple features from raw encrypted network traffic. Unlike existing techniques that depend on specific time windows, our approach automatically determines the optimal number of packets to generate unique signatures, making it more resilient to network jitters. We evaluate the effectiveness, uniqueness, and correctness of our signatures by training and testing our system using four public datasets and an emulated dataset with varying network delays, verifying known signatures and discovering new ones. Our system achieved an average recall and precision of 98-99% and 98-100%, respectively, demonstrating the effectiveness and feasibility of using packet-level signatures to detect IoT device activities. 