DOI: 10.1145/3081333.3081342
research-article

Trust but Verify: Auditing the Secure Internet of Things

Published: 16 June 2017

ABSTRACT

Internet-of-Things devices often collect and transmit sensitive information like camera footage, health monitoring data, or whether someone is home. These devices protect data in transit with end-to-end encryption, typically using TLS connections between devices and associated cloud services. But these TLS connections also prevent device owners from observing what their own devices are saying about them. Unlike in traditional Internet applications, where the end user controls one end of a connection (e.g., their web browser) and can observe its communication, Internet-of-Things vendors typically control the software in both the device and the cloud. As a result, owners have no way to audit the behavior of their own devices, leaving them little choice but to hope that these devices are transmitting only what they should.

This paper presents TLS-Rotate and Release (TLS-RaR), a system that allows device owners (e.g., consumers, security researchers, and consumer watchdogs) to authorize devices, called auditors, to decrypt and verify recent TLS traffic without compromising future traffic. Unlike prior work, TLS-RaR requires no changes to TLS's wire format or cipher suites, and it allows the device's owner to conduct a surprise inspection of recent traffic, without prior notice to the device that its communications will be audited.

Published in

MobiSys '17: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services
June 2017
520 pages
ISBN: 9781450349284
DOI: 10.1145/3081333

Copyright © 2017 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

MobiSys '17 Paper Acceptance Rate: 34 of 188 submissions, 18%. Overall Acceptance Rate: 274 of 1,679 submissions, 16%.
