back to article Encryption doesn't stop him or her or you... from working out what Thing 1 is up to

You don't need to sniff clear-text Internet of Things traffic to comprehensively compromise a gadget-fan's home privacy: mere traffic profiles will do the job nicely, a group of researchers has found. Encrypted streams can be surprisingly revealing, after all: just ask Cisco, which learned how to identify malware crossing the …

  1. Pascal Monett Silver badge

    There's a war brewing

    The war is on between those who want their privacy respected and those who don't realize (or care) about the issue.

    IoT sits squarely on the side of Don't Care.

    So, if you care, don't use IoT.

    1. Anonymous Coward
      Big Brother

      Re: So, if you care, don't use IoT.

      Or Facebook or Google or Microsoft or a smartphone or anything coming out of silicon valley for that matter...

      It's all about monetisation of people's private information these days...

      1. Dave 126 Silver badge

        Re: So, if you care, don't use IoT.

        Apple cares about security in HomeKit, but they just haven't been that enthusiastic about HomeKit generally - little updating of a clunky UI and insistence on an Apple TV acting as a hub. I might be that their analysts saw something like ARM's mBed platform or a joint venture gaining more traction, or they were just playing the wait and see game.

        3rd party HomeKit gizmos had to contain Apple chips and pass Apple's scrutiny - costly and time consuming for vendors, especially if they saw people buying cheap insecure stuff.

        I don't need home automation... yet. But I'm still young. We've seen medical devices such as pacemakers with security vulnerabilities, but the answer is not to stop making pacemakers (obviously!), the answer is to improve security. With an aging population Tele-Medince, which is a form of IoT, will have a role to play, as will a bit of home automation to ease the lives of the physically frail.

    2. Christian Berger

      Re: There's a war brewing

      Well IoT which is dumbed down so that even idiots can use it is usually the problem. There's nothing wrong about having controllable lights on your own LAN or VPN. It's just highly idiotic to have any vendor service involved.

      1. Dave 126 Silver badge

        Re: There's a war brewing

        > Well IoT which is dumbed down so that even idiots can use it is usually the problem.

        No, it's the poor design of the kit. People will assume that a piece of kit is fit for the purpose for which it is sold. The company making the kit employs experts who should (and actually do) know better, but they often aren't given the time and money required to do a good job (competing on price, competing to be first to market).

    3. An nonymous Cowerd

      I wrote a paper on this a few years ago, with great colleagues

      I snooped everything 'encrypted' from the first 'Smart' device I bought for research, a 55" Sammy 3D telly.

      It neeed a bit of AI/ML but basically could profile all the Smart TV's owner's Wi-Fi traffic, political affiliation, nationality etc by cross referencing the encrypted but analysed packets against similarly chunked Alexa sites, till we found a match.

  2. Harry Stottle

    Privacy=Security

    One of the hardest things to explain to the "If you've nothing to hide" fools is that if anyone can discover where you are, they also know where you aren't. Which, along with remotely "casing the joint" (google street view ferinstance), gives them all they need to know about when to break in.

    The level of detail they can get from this extra level of surveillance is the icing on the cake. Now they can figure out what time you go to bed, get up, leave the house etc etc. Even more detailed than the "Smart Meters" they're trying to impose.

    Welcome to Panopticon World...

    1. monty75

      Re: Privacy=Security

      Also, posting your holiday photos on Instagram is a dead giveaway that your house is unoccupied.

  3. Milton

    Speaking of a war ...

    Speaking of a war, I don't want to rain on the researchers' parade but the basic concept here dates back at least to WW2. Traffic analysis upon unbroken ciphers was an important tool—ands even better if you can introduce some specific behaviours within the network—something an adversary would certainly want to do when compromising an IoT-infested LAN. By changing the internal state of a supposedly fully encrypted network, you can cause it to leak. It might be as simple as ringing the doorbell.

    As a completely (I assume!) fictional example: even if you couldn't break a newly deployed Japanese Naval Cipher, you could infer a great deal about lines of communication, organisational hierarchies, importance and purpose of specific bases, and even specific intelligence about the likely content of encrypted messages, by watching the traffic patterns. Let's say you plant a story about the lack of starter cartridges for American combat aircraft in the eastern Pacific theatre, making sure you quote or invent an unusual and lengthy specification or part number, "accidentally" revealing the name of a cargo vessel and a couple of ports it will need to call at while delivering said vital components.

    First, you've triggered a flood of encrypted messages, the timing, frequency and length of which will tell you a great deal about the enemy's interception capabiltiies, response times, analytical tactics, command structure, plus a good chance of learning the dispositions of some enemy forces, like submarines, that may be tasked with attacking the 'vital' shipment ... I'm sure everyone here gets the picture.

    Second, you've thrown some nice cribs into the encrypted streams: by choosing some specific names (ports, ships, islands) you can be fairly certain that those will occur in the ciphertext, encrypted. Using a long-ish and unique phrase (like our hypothetical part number) of supposed significance, we can add an additional particularly handy crib that will be included only in messages specifically resulting from our planted story. Its uniqueness and length can both be helpful to the cryptanalyst: 'COFF222BVER888HPSTART' is more useful than 'Rabaul'. (Note a couple of handy character repetitions, too.)

    This doesn't automatically break a good encryption scheme: but it does mean that whatever weaknesses it may have (especially human-factors weaknesses, like a lazy or hasty clerk reusing a key) are more likely to give you a way in.

    The crypto schemes used in local networking are far better than the relatively naïve ones of 1942, but—as we've seen with WPA2 during the last year or so—still have vulnerabilities.

    I'd be very interested to read the researchers' next paper, where I hope they move on from passive sniffing and "inferring" to finding ways of planting subtle seeds (probably using completely innocent-seeming and plausibly deniable interactions) which then expose vast additional troves of data.

    1. Dave 126 Silver badge

      Re: Speaking of a war ...

      Indeed, what these researchers have done is very far from novel - information about communication can be valuable to an adversary even if they don't know its contents - but I'm sure their work is still valuable.

      The concept is even in popular culture - "I'm detecting a lot of chatter over the Covenant battle net" says Cortana in the video game Halo, i,e, I have reason to think the enemy is up to something even if I don't know what they're up to.

      1. This post has been deleted by its author

    2. smudge

      Re: Speaking of a war ...

      Speaking of a war, I don't want to rain on the researchers' parade but the basic concept here dates back at least to WW2.

      You don't need to explain traffic analysis here. And anyway, most of your post is about what Bletchley Park called "gardening", which was more about attacking the crypto system than about traffic analysis.

      From a quick glance at the paper itself, it seems that the novel things in the research are not traffic analysis itself, but:

      1) attacks on a wide range of devices which use multiple different protocols

      2) analyis and understanding of the aggregated information, to determine what is happening in the house - the person walking through the smart home is a simple example of this.

      This is all facilitated and supported - and some of it is automated - by machine learning.

      Difficult to see how your suggested "gardening" would work. I'm assuming that most IoT devices have fairly limited dialogue capabilities, and that opportunities of introducing a crib to enable a known-plaintext attack would be severely constrained.

  4. GIRZiM
    Holmes

    No shit, Sherlock

    "the combination of unencrypted headers (MAC address and other information that helps identify manufacturers) with traffic patterns revealed not just what a device is doing (the light went on or off), but enough to infer what the user is doing (walking between rooms, sleeping, cooking and so on) [...] As a very simple example, the researchers wrote, a user walking through a smart home will activate lamps and motion sensors in a sequence that tells the researcher where they went, even without decrypting payloads."

    Not exactly a startling revelation really; not one that makes you strike your forehead and exclaim "Well, blow me! Who'd have thunk!?" Burglars have been doing exactly that for centuries (since even before the discovery of electricity) simply by watching the lights (or candles) come on/go out (or flicker past the window).

    Okay, so you might not want to sit in the cold, dark and rain to case the joint and prefer to do so from the luxury of somewhere a bit warmer and drier. So, you just look at the sequence of devices that went on/off and when, as they suggested. It doesn't take a genius to figure out what's going on, nor does it take one to figure out that it would be possible to do so and I guarantee you any professional burglar worth the appellation didn't need even one, let alone nine, researchers from Florida International University, Italy's University of Padua, and the Technical University of Darmstadt in Germany to tell them that - instead, they have (as I've been suggesting to people for years now) been doing it all along.

    This is the kind of thing people research these days is it?

    I can see Magnus Magnusson now:

    "And our next contestant on 'Mastermind' is a university researcher - their specialist subject, the bleedin' obvious."

    1. Dave 126 Silver badge

      Re: No shit, Sherlock

      I've seen LED light arrays sold in Lidl as 'television simulators' to give the impression through net curtains that there is somebody inside a house.

      It won't be long til someone writes some code to produce spoof IoT traffic with the same intent.

      1. GIRZiM

        Re: No shit, Sherlock

        > I've seen LED light arrays sold in Lidl as 'television simulators' to give the impression through net curtains that there is somebody inside a house.

        It doesn't stop criminals from watching the power usage though and noting that the kettle didn't go on during the advert breaks and figuring out that you're faking it.

        Moreover, I simply leave my television on because that way it fools all burglars, not just the deaf ones.

        I also shut my curtains at such times so that burglars don't notice that no light appears to leak into the room from the rest of the property from time to time because I don't get up and go to the bathroom, or kitchen (which kind of gives the game away) and also so that the really confident/brave/stupid/desperate can't shine a torch through my net curtains and ascertain that there's nobody watching the T.V.

        Of course then there's the problem of the curtains being shut all day every day.

        But, otoh, the other way around there's the problem of the curtains never being shut, no extraneous light bleed and the T.V. never being turned off or ever making a sound - so, swings and roundabouts really.

        I had some power blocks that were controlled from my ZX81 back in the 1980s,which used to turn lights on and off at random during the evening and even turn the T.V. on and off at 'home' time and off at bed time - a better solution than a bunch of LEDs that pretend to be a silent movie buff ; )

        > It won't be long til someone writes some code to produce spoof IoT traffic with the same intent.

        Assuredly.

        Most people still won't bother though, because they don't know or care about it.

        Maybe insurers will insist on it, if you want your payout after a burglary though. We'll have to see: on the one hand, they're populated by teams of clueless lusers the same way as the estate agents on the high street but (on the other) they're tight-fisted bastards who make a point of knowing every possible way to avoid parting with a single penny, so who knows?

  5. Anonymous Coward
    Anonymous Coward

    A reliable friend once told me that some of the military bases in the US would place a regular fixed order for pizza delivery...whether or not they needed it.

    It occured to the staff there that observers would be able to work out how many people were on shift at any one time, based on the size of the order...and if they suddenly started getting lots of late night orders then something big was going on...

    So perhaps IoT gadgets should do something similar - send regular, fixed size packets...even if they're empty (or saying "no change") most of the time.

    1. linkbox8

      That's because exactly that did happen in the first Gulf war. The nightime US bombing of Baghdad was preceded by a surge in evening pizza deliveries to the White House.

      https://www.washingtonpost.com/wp-srv/politics/special/clinton/stories/pizza121998.htm

    2. smudge
      Black Helicopters

      It occured to the staff there that observers would be able to work out how many people were on shift at any one time, based on the size of the order

      I once worked on a spooky project in a completely separate outbuilding on my company's premises. Physical access was restricted to those who worked on the project, plus a couple of specially-cleared cleaners.

      A company administrator complained that we were using "far too much coffee for the number of people working in there!".

      To which the reply was "You do not know - and have no need to know - how many people are working in here".

      1. Giovani Tapini

        Upvote for the story, but why do I get the feeling the administrator still was probably right...

        1. smudge

          Are you implying that someone was nicking it? I never thought of that until now!

          We were working 24x7 for a while...

        2. Dave559 Silver badge

          Coffee

          I imagine that whatever the skunkworks project was, it was most definitely a “coffee intensive” project, no matter how many people may or may not have been working there…

  6. dnicholas

    And the number of crimes committed with such info will be precisely 0

    1. dnicholas

      Lol at the thumbs down. Who actually thinks Darren the crackhead burglar is going to monitor IOT chatter before knocking in the side window? IOT is DECADES from being ubiquitous enough, hopefully by which time side channel security would be addressed. Intel is out of IOT, right?!

      1. GIRZiM
        Pirate

        Darren the crackhead burglar

        I never expected scriptkiddies either - I naively assumed that those with the smarts to penetrate systems would keep the knowledge (and the rewards) to themselves, or at least sell their services to the highest bidder, not pile them high and sell them cheap.

        The number of 'rent-a-botnet' services out there (with full SLA/KPI/T&C contractual agreements) is an eye-opener and Darren himself may be none too bright but he might know someone, whose mate knows someone who "showed him this app right. You just put the address in and it doesn't just tell you whether anyone's home, it shows what room they're in!" (And the copy of the app installed on his friend's mate's acquaintance's phone will probably be a crack too).

        Don't rule it out. All tech eventually gets commoditised. All tech eventually gets turned to nefarious purpose (usually long before it gets commoditised too). Darren won't be monitoring IoT chatter, his accomplice will be using a 'case the place' service to pick suitable targets - a monthly fee gets them access to activity records and analyses showing behaviour patterns (most significantly, when the property is usually empty and how long for). Said accomplice will then engage Darren to do some B&E, bring the goods to them for fencing and give Darren a slice sliver of the action.

        In short, Darren will be doing exactly what he does today, it's just that his fence will be making use of a service that monitors IoT chatter to speed matters up.

        It isn't Darren who's the problem, it's the people he works for. That's the thing about organised crime': it's organised - anarchic, perhaps, but organised all the same.

  7. Voland's right hand Silver badge

    Interesting detail

    Applause. Especially for using proper math (markov chain model) instead of the fashionable tea leaf future telling aka neural nets.

  8. Anonymous Coward
    Anonymous Coward

    Now you know

    why all those dodgy "battery saver" apps are so desperate to get you to install on your mobile phone.

  9. Arthur the cat Silver badge

    Why we hardly have to sniff the packet to know you play tennis with an IoT racket

    Come on, anyone dumb enough to buy such a thing is going to insist everybody at the tennis club takes a look at it, no packet sniffing needed.

  10. Irongut

    Not to defend IoT security but...

    "a user walking through a smart home will activate lamps and motion sensors in a sequence that tells the researcher where they went, even without decrypting payloads"

    I can deduce the exact same results without even detecting payloads and for a home with no IoT devices at all, just watch the windows and look where the lights come on. I know IoT security is crap but that is needless scaremongering.

    1. Charles 9

      Re: Not to defend IoT security but...

      Except you don't have to physically be present to figure this out. Plant your bug during the day while everyone's at work/school/shopping, then you can peek in from the privacy of your own place.

      As for chaff, one problem is if you have limited power, meaning you're caught in the middle of the scale of efficiency versus obscurity, unable to achieve both yet forced to do it anyway (because you don't want your traffic sniffed BUT you can't waste power either).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like