IoT Traffic Metadata Attack

Prakhar Maheshwari
Electronics Club IITK
3 min read · Mar 16, 2021

Do you love spy movies? Do you imagine how they have eyes and ears everywhere and follow their targets like a shadow? They bug homes and offices and track every individual’s activity, thus building a complete profile of each target. What if I say that you have already been bugged and someone might be tracking your movements?

The Internet of Things (IoT) is a network of devices connected via the internet, collecting and sharing data. Ranging from a smartwatch to your home CCTV network, IoT provides us with many conveniences, but this comes at a cost.

All the devices have always-on sensors that provide smooth functioning, but this also means that these devices gather data all the time, which we may not want to give them, thus raising serious privacy concerns. Even if there is data encryption, the device manufacturer can track how a consumer uses its device. Still, the real problem is the metadata tracking by Internet service providers (ISPs), Wi-Fi eavesdroppers, or state-level surveillance entities.

The device metadata contains much information and is a severe threat to privacy. These devices work by communicating with the internet, and though this data may be encrypted, the network activity alone could provide more than enough information. For example, the network activity of surveillance devices could reveal whether the feed is being monitored, even though the video stream is encrypted.

The traffic rate metadata attack has two components: device identification and activity inference. The adversary leverages devices’ known specific purposes to map changes in traffic rates to user activities at a high level. The following section explains the significant steps during the attack.

Device Identification:

First, the adversary associates individual traffic flows with a known type of device. This alone can be a privacy risk. For example, learning that someone owns an IoT blood sugar monitor or pacemaker effectively reveals diabetes or heart-disease diagnosis. There are several methods to perform device identification, depending on the information available to the attacker.

  1. Using MAC addresses: An attacker with the network’s LAN data can use the first three bytes of device MAC addresses to assign manufacturer labels to each flow. Knowing devices’ manufacturers makes the following DNS and traffic rate techniques easier because the space of possible device identities is reduced.
  2. Using DNS queries: The DNS queries that accompany each flow can often be mapped to a particular device. An adversary could learn the mappings between DNS queries and devices or perform reverse DNS lookups to pair service IPs with device-identifying domain names.
  3. Using traffic rates: Simple traffic features can distinguish devices that belong to the same smart home appliance category. There are also various machine learning techniques like the k-nearest-neighbors algorithm we tested that could be applied to device identification. An adversary can leverage any number of features or algorithms depending on the smart home devices they wish to identify and prior knowledge of their target.

Activity Inference:

Changes in traffic rate correlate to device state changes caused by user activities. An adversary can use this knowledge after device identification to infer user activities from changes in traffic rates.

The attacker can then analyze the patterns in the collected data and predict the user’s behavior. To protect users’ privacy, one could take the following steps:

  1. Shape and limit the traffic to mask the activity, thus depriving the attacker of the information.
  2. Use a trustworthy VPN to mix the network traffic so that the attacker cannot correlate the activity with a particular user.
  3. Encrypt DNS queries so that the attacker cannot associate the action with a device.

Though these solutions are promising, they are not ideal. Applying a firewall on the network may cause a failure in the services provided by some devices. Shaping the traffic causes an increase in daily bandwidth usage. Researchers are working on better solutions, but until then, IoT devices will remain a threat to privacy.
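To make the shaping trade-off concrete, here is an added example (not code from the original post) that measures what an on-path observer can read from traffic rates alone, and what constant-rate shaping costs in bandwidth and delay. The traffic samples, the threshold factor, and all function names are assumptions made for illustration.

```python
import statistics

# Constructed sample: bytes per second from a hypothetical encrypted camera.
# Idle keep-alives are about 2 kB/s; seconds 8-13 are a live-view session.
RATES = [2000, 2100, 1900, 2000, 2050, 1950, 2000, 2100,
         150000, 148000, 152000, 151000, 149000, 150500,
         2000, 1900, 2100, 2000, 2050, 1950]

def visible_activity(rates, factor=5.0):
    """Seconds an on-path observer would flag as active: rate well above
    the median (idle) rate. No payload or decryption is involved."""
    baseline = statistics.median(rates)
    return [t for t, r in enumerate(rates) if r > factor * baseline]

def shape(rates, target):
    """Constant-rate shaping: each second the link carries exactly `target`
    bytes. Real data goes first, padding fills the rest, and data that
    does not fit waits in a queue (added latency)."""
    backlog = max_backlog = padding = 0
    wire = []
    for r in rates:
        backlog += r
        sent = min(backlog, target)
        backlog -= sent
        padding += target - sent
        max_backlog = max(max_backlog, backlog)
        wire.append(target)
    return wire, padding, max_backlog

def overhead(rates, wire):
    """Bytes on the wire divided by bytes the device actually produced."""
    return sum(wire) / sum(rates)

if __name__ == "__main__":
    print("unshaped, visible activity:", visible_activity(RATES))
    for target in (max(RATES), 50000):
        wire, pad, queue = shape(RATES, target)
        print(f"target={target}: visible={visible_activity(wire)}, "
              f"padding={pad} B, overhead={overhead(RATES, wire):.2f}x, "
              f"max queue={queue} B")
```

Shaping at the peak rate hides the session with no queuing but more than triples the bytes sent; shaping at a lower rate saves bandwidth but delays the live feed.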
