Side Channel Attacks in the Wild: The Smart Home

Side channel attacks are not something most network engineers are familiar with; I provided a brief introduction to the concept over at The Network Collective in this Short Take. If you aren’t familiar with the concept, it might be worth watching that video (a little over 4 minutes) before reading this post.

Side channel attacks are more common, and more dangerous, than many engineers understand. In this post, I'll take a look at a 2017 research paper that builds and exploits a side channel attack against several smart home devices to see how such an attack plays out. The researchers begin their tests with a series of devices, including a children's sleep monitor, a pair of security cameras, a pair of smart power plugs, and a voice-based home assistant.

The attack itself takes place in two steps. The first is to correlate individual traffic flows with a particular device (where a traffic flow is identified by its 5-tuple). The researchers did this in three different ways. First, they observed the MAC address of each device talking on the network, comparing the first three octets of this address to a list of known manufacturers. Most home device manufacturers use a small number of Ethernet chipsets; knowing the brand of the chipset can often narrow the range of possible devices sending a stream to a relatively small number.

The second mechanism the researchers used was to examine the DNS queries transmitted by a device. If a device queries hello-audiop.s3.amazonaws.com, for instance, it is likely to be an Amazon-produced home assistant. A list of these correlations can be built by examining different devices in an experimental setup, or even in the wild. Note that these DNS queries, and their responses, are unencrypted, so this information is available regardless of any other encryption being used. Finally, the kind of device can be further pinpointed by examining the rate at which each device sends traffic. Video devices are likely to send traffic at a higher rate than voice-only devices, for instance.
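The three identification heuristics just described (MAC address prefix, cleartext DNS query names, and send rate) can be reproduced from a packet capture with very little code, which is a useful exercise for a network engineer who wants to see how much a home's devices give away. The following is an added example, not code from the paper or from this post; the OUI table, the threshold, the placeholder hostnames under example.invalid, and the ten seconds of "captured" packets are all constructed for illustration (only hello-audiop.s3.amazonaws.com comes from the text above).

```python
"""Passive device identification from observed traffic, following the three
heuristics described above: MAC OUI lookup, DNS query names, and send rate.
Every table and packet below is constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    ts: float            # seconds since capture start
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str           # "tcp" or "udp"
    length: int          # bytes on the wire
    dns_qname: Optional[str] = None   # set only for DNS query packets


# First three octets -> chipset vendor. Constructed placeholders; a real
# lookup would use the IEEE OUI registry.
OUI_TABLE = {"00:11:22": "ChipVendorA", "aa:bb:cc": "ChipVendorB"}

# DNS names observed from known devices in a lab. The first is the name
# quoted in the post; the others are constructed placeholder hostnames.
DNS_HINTS = {
    "hello-audiop.s3.amazonaws.com": "voice assistant",
    "cam-upload.example.invalid": "security camera",
    "sleepmon-sync.example.invalid": "sleep monitor",
}

# Average send rate (bytes/s) above which a device is treated as video-class.
# Constructed threshold for this example.
VIDEO_RATE_BPS = 10_000


def flow_key(p: Packet):
    """The 5-tuple that names a flow."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)


def identify_devices(packets, window_seconds: float):
    """Group packets by source MAC and apply the three heuristics.
    Returns {mac: {"vendor", "flows", "rate_bps", "dns", "guess"}}."""
    per_mac = defaultdict(lambda: {"flows": set(), "bytes": 0, "dns": set()})
    for p in packets:
        d = per_mac[p.src_mac.lower()]
        d["flows"].add(flow_key(p))
        d["bytes"] += p.length
        if p.dns_qname:                # DNS is cleartext, so names are visible
            d["dns"].add(p.dns_qname.lower())
    report = {}
    for mac, d in per_mac.items():
        vendor = OUI_TABLE.get(mac[:8], "unknown")
        rate = d["bytes"] / window_seconds
        hints = {DNS_HINTS[q] for q in d["dns"] if q in DNS_HINTS}
        if hints:
            guess = sorted(hints)[0]   # strongest signal: a known hostname
        elif rate > VIDEO_RATE_BPS:
            guess = "video-class device (rate-based)"
        else:
            guess = "low-rate device (rate-based)"
        report[mac] = {"vendor": vendor, "flows": len(d["flows"]),
                       "rate_bps": rate, "dns": sorted(d["dns"]), "guess": guess}
    return report


def constructed_capture():
    """Ten seconds of traffic from three devices (constructed sample input)."""
    pk = []
    # Voice assistant: one DNS query, then a trickle of small TLS packets.
    pk.append(Packet(0.1, "00:11:22:33:44:55", "192.168.1.10", "192.168.1.1",
                     51000, 53, "udp", 80, "hello-audiop.s3.amazonaws.com"))
    for i in range(20):
        pk.append(Packet(0.5 * i, "00:11:22:33:44:55", "192.168.1.10",
                         "203.0.113.5", 52000, 443, "tcp", 200))
    # Camera: sustained large packets on a single upload flow.
    for i in range(200):
        pk.append(Packet(0.05 * i, "aa:bb:cc:dd:ee:ff", "192.168.1.20",
                         "203.0.113.9", 40000, 443, "tcp", 1400))
    # Unknown device: a few small packets, no DNS, unregistered OUI.
    for i in range(5):
        pk.append(Packet(2.0 * i, "de:ad:be:ef:00:01", "192.168.1.30",
                         "203.0.113.7", 45000, 8883, "tcp", 100))
    return pk


if __name__ == "__main__":
    for mac, info in identify_devices(constructed_capture(), 10.0).items():
        print(mac, info)
```

Note that the camera is classified purely from its rate, with no DNS hint and a vendor that could belong to many products, which is exactly the point of the third heuristic: encryption of the payload changes nothing here, because only packet sizes, timing, and the cleartext DNS query are used.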

Once the researchers had identified each device, they began inferring specific activities within the home. This primarily involved using the amount of traffic being transmitted by each device. The researchers tried different states of operation for each device in a lab setting to determine what kind of activity correlates with each traffic level. For instance, for a sleep monitor, a sleeping child might produce one level of traffic, an awake child another, and an empty room a third. Watching television or listening to music, which indicate occupancy, would produce a different level of activity on a smart assistant device than an empty home would. Security cameras increase and decrease the amount of traffic they generate based on how much motion is in their field of view.

Combining these traffic levels with even a basic amount of information about what kind of device is generating the traffic can provide a fairly good view of what is going on in the home. A sleep monitor showing an intermediate level of activity, combined with a home assistant sending traffic that indicates background noise, indicates the house is occupied, with a child sleeping in one room and one or more adults watching television in another, for instance.

The importance of this form of attack is that it does not matter whether or not encryption is being used to mask the contents of any or all of these traffic flows. Merely the ability to determine what kind of device, combined with what “normal” traffic levels look like under different conditions, and finally with the observation of those traffic levels, reveals a good deal about the activity inside a home.

In the final section of the paper, the researchers attempt to find a way to mitigate the attack by preventing an observer from seeing traffic levels accurately enough to infer activity from them. What they discover is that by adding random traffic to the various streams, increasing the overall traffic flow by about 20%, they can prevent the effective determination of activity. While the authors of the paper state this seems like a small amount of traffic, it is actually a large amount of traffic to be carried, given the number of homes, the aggregate bandwidth this represents, etc.
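The second step of the attack (inferring a device's state from its traffic level, then combining device states into a picture of the home) and the random-padding defence discussed in the last two paragraphs fit naturally into one small simulation. The following is an added example, not code from the paper or from this post. Its per-state traffic levels, the nearest-level classifier, the house-level rules, and the padding scheme (cover traffic of 0 to 40% of the real rate, so about 20% on average) are all assumptions constructed for illustration; the levels were deliberately chosen close together so that padding of that size is enough to blur them.

```python
"""Activity inference from traffic levels, and a random-padding defence.
All rate levels are constructed for illustration; they are not the paper's
measurements, and the padding scheme is a generic one, not the paper's."""
import random

# Per-device traffic levels (bytes/s) "learned" in a lab for each activity
# state. Constructed values, spaced about 15% apart on purpose.
PROFILES = {
    "sleep monitor": {"empty room": 1000, "child asleep": 1150, "child awake": 1300},
    "voice assistant": {"idle, quiet home": 1000,
                        "background noise (tv/music)": 1150,
                        "active query": 1300},
}


def infer_state(device, observed_rate):
    """Observer's classifier: the state whose lab level is nearest the rate."""
    levels = PROFILES[device]
    return min(levels, key=lambda s: abs(levels[s] - observed_rate))


def summarize_home(states):
    """Combine per-device states into a house-level inference (simple rules)."""
    mon = states.get("sleep monitor")
    va = states.get("voice assistant")
    adults = va in ("background noise (tv/music)", "active query")
    child = mon in ("child asleep", "child awake")
    if not adults and not child:
        return "probably empty"
    parts = []
    if child:
        parts.append(f"child present ({mon})")
    if adults:
        parts.append("adults present")
    return ", ".join(parts)


def device_rate(device, state, rng, noise=0.03):
    """Simulated device: the lab level with a small multiplicative jitter."""
    level = PROFILES[device][state]
    return level * (1 + rng.uniform(-noise, noise))


def pad_rate(rate, rng, max_frac=0.4):
    """Defence: add random cover traffic of 0..max_frac of the real rate
    (mean overhead max_frac/2, i.e. about 20%). Returns (padded, added)."""
    added = rate * rng.uniform(0, max_frac)
    return rate + added, added


def evaluate(device, samples_per_state=30, seed=1, defend=False):
    """Run the observer over constructed samples of every state.
    Returns (classifier accuracy, mean overhead fraction of the defence)."""
    rng = random.Random(seed)
    correct = total = 0
    overhead = 0.0
    for state in PROFILES[device]:
        for _ in range(samples_per_state):
            rate = device_rate(device, state, rng)
            if defend:
                padded, added = pad_rate(rate, rng)
                overhead += added / rate
                rate = padded
            correct += infer_state(device, rate) == state
            total += 1
    return correct / total, overhead / total


if __name__ == "__main__":
    for defend in (False, True):
        acc, ovh = evaluate("sleep monitor", defend=defend)
        print(f"defend={defend}: accuracy={acc:.2f} overhead={ovh:.2f}")
    print(summarize_home({"sleep monitor": "child asleep",
                          "voice assistant": "background noise (tv/music)"}))
```

Without padding the observer is right every time, because the jitter is smaller than the gap between levels; with padding the accuracy collapses toward guessing while the mean overhead lands near 20%. The caveat a defender should take from this is that the padding only works because its range spans the gap between state levels: devices whose states differ by a larger factor would need proportionally more cover traffic, so the overhead figure is a property of the devices measured, not a constant.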

Side channel attacks of this kind are a real threat. While the paper considered here examines smart home devices, the ability to infer activity is much broader than this single use case. Side channel attacks are an important concept for network security professionals and network architects to understand.