Side-channel Based Study On The Privacy And Identity Security In Internet Of Things

As the third generation of the world's information industry,the Internet of Things(IoT)has driven the transformation of traditional industrial forms and social lifestyles,and becomes one of the strategic pillars of national economic and technological development.While providing rich services,IoT techniques have raised serious security and privacy issues.For instance,maliciously deployed or used IoT devices pose serious threats to the security of user privacy.Uncertified devices or users accessing IoT networks will trigger serious security risks.The key to address the enforcement issues is to identify the malicious devices and users,which we refer to as device and user identification.This paper focuses on the privacy and identity issues in IoT networks,studies four representative scenarios,and proposes corresponding solutions with the side-channel based device and user identification techniques,to improve the IoT identity and privacy security.· For the device identity issue in the IoT networks,we take the identity authentication of mobile devices as a typical example and study the device identification technique in this paper.With the widespread use of smart devices,device authentication has received much attention.One popular method for device authentication is to utilize internally-measured device fingerprints.However,existing software-based device fingerprints are vulnerable to user behaviors while existing hardware-based ones rely on specific hardware compo-nents and thus are not universal.In this paper,we propose DeMiCPU,a new device authentication mechanism based on the CPU electromagnetic side channel.DeMiCPU utilizes the inherent differences between CPU modules of different devices,extracts the CPU fingerprint that can reflect the inherent hardware differences by externally measur-ing the electromagnetic signals emitted from the device's CPU module,and uses it as a device identity marker to achieve device authentication.Compared with existing work,DeMiCPU is more stable and universal.· For the user behavior privacy issue in the IoT networks,we take the hidden wireless cameras secretly filming users as a typical example and study the device type identifica-tion technique in this paper.Wireless cameras are widely deployed in surveillance sys-tems for security guarding.However,the privacy concerns associated with unauthorized videotaping,are drawing an increasing attention recently.Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices.In this paper,we propose DeWiCam,a lightweight and effective hid-den wireless camera detection mechanism based on the traffic side channel.DeWiCam utilizes the intrinsic traffic patterns of flows from wireless cameras as well as the human intervention to achieve hidden wireless camera detection and localization.Compared with existing work,DeWiCam achieves high detection performance without requiring dedicated devices,network access,and traffic decryption.· For the user information privacy issue in the IoT networks,we take the attackers using mobile devices to photograph secret files displayed on screens to leak user information as a typical example and study the user identification technique in this paper.Existing work usually utilizes digital watermarks for digital forensic.However,in the screen-photo-based leakage attack,digital watermarks may no longer be recognizable due to the noises introduced during the photographing process.To address it,we propose m ID,a digital forensics mechanism against the screen-photo-based leakage attack based on the optical side channel.m ID utilizes the natural Moiré phenomenon existing in the screen-camera channel,embeds the user identity into the screen photo by modifying the display contents,and achieves digital forensics by decoding the Moiré stripes in the screen photos.Compared with existing work,m ID is able to achieve screen photo forensics and can work complementarily to existing digital forensics techniques.· For the user identity issue in the IoT networks,we take the child user identification of mobile devices as a typical example and study the user group identification technique in this paper.Nowadays,it is common for children to use their parents' smart devices to access the Internet.Without any precaution,the premature and unsupervised use of smart devices can be harmful to both children and their parents.Existing work is limited in the applicable range or may leak user privacy,thus is not sufficient for child user identifica-tion.In this paper,we propose iCare,a new child user identification mechanism based on the sensing side channel.iCare investigates the intrinsic differences of screen-touch pat-terns between child and adult users from the aspect of physiological maturity,designs 53 key features to capture the unique interaction behaviors of child users,and achieves child user identification with machine learning skills.Compared with existing work,iCare is user-friendly and privacy--preserving.