Schneier on Security
A blog covering security and security technology.
« High School Teacher Assigns Movie-Plot Threat Contest Problem |
| More Skein News »
August 31, 2010
Eavesdropping on Smart Homes with Distributed Wireless Sensors
"Protecting your daily in-home activity information from a wireless snooping attack," by Vijay Srinivasan, John Stankovic, and Kamin Whitehouse:
Abstract: In this paper, we first present a new privacy leak in residential wireless ubiquitous computing systems, and then we propose guidelines for designing future systems to prevent this problem. We show that we can observe private activities in the home such as cooking, showering, toileting, and sleeping by eavesdropping on the wireless transmissions of sensors in a home, even when all of the transmissions are encrypted. We call this the Fingerprint and Timing-based Snooping (FATS) attack. This attack can already be carried out on millions of homes today, and may become more important as ubiquitous computing environments such as smart homes and assisted living facilities become more prevalent. In this paper, we demonstrate and evaluate the FATS attack on eight different homes containing wireless sensors. We also propose and evaluate a set of privacy preserving design guidelines for future wireless ubiquitous systems and show how these guidelines can be used in a hybrid fashion to prevent against the FATS attack with low implementation costs.
The group was able to infer surprisingly detailed activity information about the residents, including when they were home or away, when they were awake or sleeping, and when they were performing activities such as showering or cooking. They were able to infer all this without any knowledge of the location, semantics, or source identifier of the wireless sensors, while assuming perfect encryption of the data and source identifiers.
Posted on August 31, 2010 at 12:39 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"...when they were home or away, when they were awake or sleeping, and when they were performing activities such as showering or cooking."
But could it tell if they've been bad or good?
Having said all this before when talking about "smart meters" just a little while ago...
Do you think the nay sayers are going to make their same comments or just lurk quietly ;-)
It seems that broadcasting random signals in addition to the "true" signals would solve this, at least in the encrypted case.
It seems that a standard sweep of a residence, should reveal the presence and location of such devices, so they can be removed. Or, are such sensors equipped to detect detection and go silent to avoid being detected by detectors.
You're assuming that these are being used surreptitiously for spying.
In many cases devices like this are desired so that attendants can monitor the activities of the resident (say, a senior citizen) without being overly intrusive. The devices enable the attendants to verify that the senior citizen is moving around and performing "activities of life".
Lacking the content of the source document, I need to determine what wireless sensors I have in my house. Hmmm. None. One meter is read from a wireless connection but that point is outside my house and accessed by the utility once a month. My wireless router does not broadcast (only allows fixed IPs to connect), so I guess I don't have any of these. So, I guess I fail to see how the "help me I've fallen and can't get up" button can tell if I am in the bathroom, basement, in bed, or dead. What other sensors are we allowing in homes? Is this just a security theater discussion?
Follow the link that Clive posted for more details.
In short: the authors examine security vulnerabilities in wireless networks designed to monitor the daily activities of someone in an assisted-living unit. (One reason to monitor: to make sure the resident is still moving about normally.) The wireless networks are secured (via encryption) to protect the medical privacy of those so monitored. However, the present method has vulnerabilities, for which the authors propose improvements.
You must be mistaken about how you think your router works. It's impossible to "not broadcast", though you may mean you don't broadcast your SSID (which means nothing security wise) and you probably mean fixed MAC addresses, which is no security at all since anyone can spoof those. Just in case you don't know the only way you can have *any* security with wifi is by using WPA/WPA2 encryption.
Interesting study but most of this is probably already ascertainable via social network sites. People seem to eagerly give away this information with frequent posts detailing everything from breakfast to when vacation time is. I believe thieves would be most likely to take the path of least resistance.
@ Bruce: As a researcher in this area I can tell you there are still many issues to be solved, technical as well as social.
So far as I can see from a quick scan, this is just a new application of traffic analysis, but rather than call it that they've made up a new acronym. They seem to be making their result look more innovative than it really is. (Which is not to say it isn't important.)
The importance of this study is negligible. Placing and monitoring a few, small, hidden cameras outside a house will provide more reliable information than their FATS technique, and the camera technology is simple and inexpensive.
Unless you want to remotely monitor many houses and then send someone over when it's quiet to "do something". It reminds me of "The Prisoner", an old British TV series.
Also consider that you can likely automate the technique in the paper to monitor a bunch of houses fairly easily.
It would be much easier than trying to automate the same thing with cameras.
I imagine it would also be a lot harder to catch someone passively monitoring RF leakage from a house than someone who has setup a bunch of cameras.
Ummm... did anyone notice that the copyright date on the article was September 2008?
One wonders if the research has progressed or been shelved as relatively pointless.
This paper is about houses with X10 and ZigBee wireless home automation devices installed. As someone who wants to do as much home automation as possible in my new house, this was something I thought about as soon as I found out that it uses powerline _and_ wireless RF to communicate to each other and the control unit.
The only thing I can think of about this is that most houses with Home Automation stuff installed have lots of other high ticket items as well, so if you can see if people are home (or in the shower) you might know when the best time to break in is.
This is a problem that that's shared with the military supplies system (I read about it in a magazine). All locations that can request supplies has to always send (on a schedule) a huge, fixed size, encrypted request, even if nothing is currently being requested.
It seems inefficient, but imagine if we were going to invade somebody and one nearby base suddenly had a huge increase in encrypted supplies requests vs. other nearby bases. It's effectively broadcasting the highly confidential location of the staging base for an invasion.
Because supplies requests never change in size and/or frequency under the actual system, the staging base can't be guessed this way and remains secret.
Now in homes with X10 and ZigBee, this same system concept could be used to defeat this attack. If every device announced it's status (or changes/data) every x minutes with a big fixed size encrypted update packet, then timing and fingerprint attacks would be much harder.
I did a bit of ZigBee consulting a while back and thought it's security, authentication and encryption models immature to say the least.
This is undoubtedly due to a lack of real world attacks. Low actual/perceived risk equals low effort/money spent at good security. I'm not sure I even disagree with this prioritization.
If ZigBee and X10 had real world attacks were power usage was not tracked/charged to others, control usurped or money lost by somebody, i'm sure we'd see these systems becoming more sure and, as a side effect, the privacy aspects getting better.
This is pure security theatre. is this attach possible? Absolutely, if you are using enough sensors which is currently doubtful unless as some have stated you are in an elderly home using the devices TO MONITOR YOU.
There are far easier ways to do this type of monitoring (social networks as someone suggested being one). It is laughable where the paper states that no one has studied this type of attach before as any security person that knows anything about wireless could have explained the possibility just as well.
"We show that we can observe private activities in the home such as cooking, showering, toileting"
Wait, what? Toileting???
What kind of wireless sensors are we talking about here?
I have a disturbing vision of a 3-D Clippy hologram appearing in front of the hapless resident as he sits on the can, and announcing "It looks like you're trying to take a dump. Would you like help with that?"
I'm not sure I'd agree it's security theatre. More homes are getting home automation systems all the time. Comcast is selling home automation and home security systems (http://www.comcast.com/homesecurity/product_packages.htm) in at least some markets.
Also if you've got a home security system, you've probably got wireless door sensors and motion sensors.
Useful for the assassin who wants to know where you are before he hits.
Reminds me of a novel I read where an assassin monitors the water pressure of the house and when the occupant takes a shower, the assassin walks right in past the security alarms into the bathroom and shoots the guy.
@ David Donahue:
It reminds me of an anecdote I read somewhere (probably in a comment on this blog?) -- a journalist was talking to a shopkeeper in Iraq, and the shopkeeper mentioned that a big U.S. offensive was about to start. Journalist, surprised, asked how he knew. Shopkeeper replied that soldiers had been coming in continuously for an extra day or two buying extra batteries.
It probably points back to a f'd up procurement process. Probably some bureaucratic rule about how many batteries each soldier is allowed to be issued, or something. (Maybe there was insufficient supply on the base?) If the soldiers were issued as many extra batteries as they thought they might need, they wouldn't have an incentive to go buy them from the locals. I guess in this case, the path of least resistance to get the gear they thought they needed, was to buy it from the locals. Good for the soldiers, bad for opsec.
@Cornerstone (in reply to my earlier comment): “... It reminds me of "The Prisoner", an old British TV series.”
I purchased the series on DVD so I could finally watch all the episodes in order. The monitoring in The Village was more intrusive than a combination of FATS, hidden cameras, and hidden microphones.
@Eam said: “... you can likely automate the technique in the paper to monitor a bunch of houses fairly easily.
It would be much easier than trying to automate the same thing with cameras.”
Wrong. There are off-the-shelf computer security programs that can monitor hundreds of cameras simultaneously. Hidden cameras would provide better information that scanning and analyzing X10 sensor signals.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.