by Frederik Möllers, Sebastian Seitz, Andreas Hellmann and Christoph Sorge
Abstract:
Wireless home automation systems are becoming increasingly popular. They can help users save energy and increase the comfort. However, this increased convenience also comes with new attack vectors. Many available systems provide little to no security. In this paper, we explore the possibilities of passive attacks against these systems. We exemplarily investigate two real-world installations of off-the-shelf home automation systems to see what amount of information can be obtained by a passive adversary. Our results show that the systems provide no privacy. They leak information about the users' habits as well as their presence and can be abused to plan burglaries. Furthermore, we conclude that even encrypted communication does not fully protect against the attack presented here. In particular, it is still possible to predict user presence and absence even if individual actions cannot be identified.
Reference:
Frederik Möllers, Sebastian Seitz, Andreas Hellmann and Christoph Sorge: Extrapolation and Prediction of User Behaviour from Wireless Home Automation Communication, In 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec 2014), ACM, pp. 195–200, 2014.
Bibtex Entry:
@InProceedings{ moellers14wireless,
title = {{Extrapolation and Prediction of User Behaviour from
Wireless Home Automation Communication}},
author = { Frederik M{\"o}llers AND Sebastian Seitz AND Andreas
Hellmann AND Christoph Sorge},
booktitle = {{7th ACM Conference on Security and Privacy in Wireless
and Mobile Networks (ACM WiSec 2014)}},
year = {2014},
address = {New York, NY, USA},
pages = {195--200},
publisher = {ACM},
series = {{WiSec '14}},
abstract = {Wireless home automation systems are becoming increasingly
popular. They can help users save energy and increase the
comfort. However, this increased convenience also comes with
new attack vectors. Many available systems provide little
to no security. In this paper, we explore the possibilities
of passive attacks against these systems. We exemplarily
investigate two real-world installations of off-the-shelf
home automation systems to see what amount of information
can be obtained by a passive adversary. Our results show
that the systems provide no privacy. They leak information
about the users' habits as well as their presence and can
be abused to plan burglaries. Furthermore, we conclude that
even encrypted communication does not fully protect against
the attack presented here. In particular, it is still
possible to predict user presence and absence even if
individual actions cannot be identified.},
doi = {10.1145/2627393.2627407},
isbn = {978-1-4503-2972-9},
slides = {https://www.uni-saarland.de/fileadmin/upload/lehrstuhl/sorge/Paper-Downloads/WiSec-2014_Slides.pdf},
url = {https://www.uni-saarland.de/fileadmin/upload/lehrstuhl/sorge/Paper-Downloads/WiSec-2014.pdf}
}