Deducing User Presence From Inter-Message Intervals in Home Automation Systems
Frederik Möllers, Christoph Sorge
Saarland University, juris Endowed Professorship of Legal Informatics and CISPA
The Situation
System Model
- Fully connected communication graph
- Automation rules and user habits unknown to outsiders
- Messages are encrypted and padded
- Outside observer cannot recognise devices
Attacker Model
- Global, passive
- Cannot break countermeasures
- No device fingerprinting/triangulation
- A priori knowledge
- No dummy traffic
- 1 hour of traffic captured
- User presence known
Analysis Approach
- Traffic from real-world installations
- Annotate data with user states where known
- Split data into groups (1-hour intervals)
- Compare 2 groups using statistical tests
- Try to deduce state of 2nd group
Statistical Tests I
- Kolmogorow-Smirnow
- Maximum deviation between cumulative distribution functions
Statistical Tests II
- Chi-Square
- Categorized ("binned") data
- Sum of squared errors wrt expected (average) distribution
Statistical Tests III
- Message Counts
- Compare number of messages in each sample
Result
No certain classification, but thresholds seem to exist
Adapted Approach
- Try all possible thresholds
- Compute TPR/FPR
Thresholds
- Observation: Some thresholds never appear in same-state case
- New approach:
- Divide data into training and test sets
- Use test data to learn thresholds
- Take best sample from training data
- Classify test data
Results
- System 1
- Absent source: TPR = 5.3%, FPR = 1.1%
- Present source: TPR = 1%, FPR = 0%
- System 2
- Absent source: TPR = 5.8%, FPR = 0%
- Present source: TPR = 0%
Summary
- Certain classification possible given the right circumstances
- Only a matter of time if suitable source sample available
- One correct classification might be enough
- However: Not (yet) feasible in practice
Outlook
- Do system-(or vendor-)specific, global thresholds exist?
- Countermeasures
- Dummy Traffic
- But: Generation not trivial
