DOI: 10.1145/2897845.2897886

Smart Locks: Lessons for Securing Commodity Internet of Things Devices

Published: 30 May 2016

Abstract

We examine the security of home smart locks: cyber-physical devices that replace traditional door locks with deadbolts that can be electronically controlled by mobile devices or by the lock manufacturer's remote servers. We present two categories of attacks against smart locks and analyze the security of five commercially available locks with respect to these attacks. Our security analysis reveals that flaws in the design, implementation, and interaction models of existing locks can be exploited by several classes of adversaries, allowing them to learn private information about users and gain unauthorized home access. To guide future development of smart locks and similar Internet of Things devices, we propose several defenses that mitigate the attacks we present. One of these defenses is a novel approach to securely and usably communicate a user's intended actions to smart locks, which we prototype and evaluate. Ultimately, our work takes a first step towards illuminating security challenges in the system design and novel functionality introduced by emerging IoT systems.



Published In

ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
May 2016, 958 pages
ISBN: 9781450342339
DOI: 10.1145/2897845
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. IoT
  2. cyber-physical systems
  3. security

Qualifiers

  • Research-article

Funding Sources

  • MURI
  • NSF

Conference

ASIA CCS '16

Acceptance Rates

ASIA CCS '16 paper acceptance rate: 73 of 350 submissions (21%)
Overall acceptance rate: 418 of 2,322 submissions (18%)

Article Metrics

  • Downloads (last 12 months): 176
  • Downloads (last 6 weeks): 27

Reflects downloads up to 03 Nov 2024
