DOCSLIB.ORG

Rethinking Access Control and Authentication for the Home Internet of Things (Iot)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Rethinking Access Control and Authentication for the Home Internet of Things (Iot) Rethinking Access Control and Authentication for the Home Internet of Things (IoT) Weijia He, University of Chicago; Maximilian Golla, Ruhr-University Bochum; Roshni Padhi and Jordan Ofek, University of Chicago; Markus Dürmuth, Ruhr-University Bochum; Earlence Fernandes, University of Washington; Blase Ur, University of Chicago https://www.usenix.org/conference/usenixsecurity18/presentation/he This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. Rethinking Access Control and Authentication for the Home Internet of Things (IoT) Weijia He, Maximilian Golla†, Roshni Padhi, Jordan Ofek, Markus Durmuth¨ †, Earlence Fernandes‡, Blase Ur University of Chicago, † Ruhr-University Bochum, ‡ University of Washington Abstract fairs is troubling because the characteristics that make the IoT distinct from prior computing domains neces- Computing is transitioning from single-user devices to sitate a rethinking of access control and authentication. the Internet of Things (IoT), in which multiple users Traditional devices like computers, phones, tablets, and with complex social relationships interact with a single smart watches are generally used by only a single per- device. Currently deployed techniques fail to provide son. Therefore, once a user authenticates to their own usable access-control specification or authentication in device, minimal further access control is needed. These such settings. In this paper, we begin reenvisioning ac- devices have screens and keyboards, so the process of au- cess control and authentication for the home IoT. We pro- thentication often involves passwords, PINs, fingerprint pose that access control focus on IoT capabilities (i. e., biometrics, or similar approaches [6]. certain actions that devices can perform), rather than on Home IoT devices are fundamentally different. First, a per-device granularity. In a 425-participant online user numerous users interact with a single home IoT de- study, we find stark differences in participants’ desired vice, such as a household’s shared voice assistant or access-control policies for different capabilities within a Internet-connected door lock. Widely deployed tech- single device, as well as based on who is trying to use niques for specifying access-control policies and authen- that capability. From these desired policies, we identify ticating users fall short when multiple users share a de- likely candidates for default policies. We also pinpoint vice [50]. Complicating matters, users in a household necessary primitives for specifying more complex, yet often have complex social relationships with each other, desired, access-control policies. These primitives range changing the threat model. For example, mischievous from the time of day to the current location of users. Fi- children [38], parents curious about what their teenagers nally, we discuss the degree to which different authenti- are doing [44], and abusive romantic partners [29] are all cation methods potentially support desired policies. localized threats amplified in home IoT environments. Furthermore, few IoT devices have screens or key- 1 Introduction boards [37], so users cannot just type a password. While users could possibly use their phone as a central authen- Recent years have seen a proliferation of Internet of tication mechanism, this would lose IoT devices’ hands- Things (IoT) devices intended for consumers’ homes, in- free convenience, while na¨ıve solutions like speaking a cluding Samsung SmartThings [35], the Amazon Echo password to a voice assistant are often insecure. voice assistant [2], the Nest Thermostat [48], Belkin’s Real-world examples of the shortcomings of current Wemo devices [5], and Philips Hue lights [32]. To date, access-control-policy specification and authentication IoT security and privacy research has focused on such de- for home IoT devices have begun to appear. A Burger vices’ insecure software-engineering practices [3,13,15], King TV commercial triggered Google Home voice as- improper information flows [15,40,45], and the inherent sistants to read Wikipedia pages about the Whopper [47], difficulties of patching networked devices [49, 51]. while the cartoon South Park mischievously triggered Surprisingly little attention has been paid to access- Amazon Echo voice assistants to fill viewers’ Amazon control-policy specification (expressing which particular shopping carts with risque´ items [34]. While these ex- users, in which contexts, are permitted to access a re- amples were relatively harmless, one could imagine a source) or authentication (verifying that users are who rogue child remotely controlling the devices in a sibling’s they claim to be) in the home IoT. This state of af- room to annoy them, a curious babysitter with temporary USENIX Association 27th USENIX Security Symposium 255 access to a home perusing a device’s history of interac- than the babysitter setting a persistent rule to unlock the tions, or an enterprising burglar asking a voice assistant front door whenever anyone rings the doorbell. through a cracked window to unlock the front door [42]. RQ3: On what contextual factors (e. g., location) In this paper, we take a first step toward rethinking do access-control policies depend? (Section 6.5). the specification of access-control policies and authenti- In addition to a user’s location, we found that partici- cation for the home IoT. We structure our investigation pants wanted to specify access-control policies based on around four research questions, which we examine in a user’s age, the location of a device, and other factors. a 425-participant user study. These research questions Almost none of these contextual factors are supported are motivated by our observation that many home IoT by current devices. Finally, to identify promising di- devices combine varied functionality in a single device. rections for designing authentication mechanisms in the For example, a home hub or a voice assistant can perform home IoT, we asked: tasks ranging from turning on the lights to controlling the RQ4: What types of authentication methods bal- door locks. Current access control and authentication is ance convenience and security, holding the potential often based on a device-centric model where access is to successfully balance the consequences of falsely granted or denied per device. We move to a capability- allowing and denying access? (Section 6.6). centric model, where we define a capability as a partic- Analyzing consequences participants noted for falsely al- ular action (e. g., ordering an item online) that can be lowing or denying access to capabilities, we identify a performed on a particular device (e. g., a voice assistant). spectrum of methods that seem promising for authenti- Intuition suggests that different capabilities have differ- cating users (Section7), thereby enabling enforcement of ent sensitivities, leading to our first research question: users’ desired access-control policies for the home IoT. RQ1: Do desired access-control policies differ among capabilities of single home IoT devices? Contributions We begin to reenvision access control (Section 6.2 and 6.3). and authentication for the home IoT through a 425- We investigated this question by having each study par- participant user study. Our contributions include: ticipant specify their desired access-control policy for (i) Proposing access-control specification for the one of 22 home IoT capabilities we identified. For house- multi-user home IoT based on capabilities that bet- hold members of six different relationships (e. g., spouse, ter fits users’ expectations than current approaches. child, babysitter), the participant specified when that per- (ii) Showing the frequent context-dependence of son should be allowed to use that capability. Our findings access-control policies, identifying numerous con- validated our intuition that policies about capabilities, textual factors that future interfaces should support. rather than devices, better capture users’ preferences. (iii) Setting an agenda for authentication in the home Different capabilities for voice assistants and doors par- IoT based on methods that minimize the conse- ticularly elicited strikingly different policies. quences of falsely allowing or denying access. While the ability to specify granularly who should be able to use which capabilities is necessary to capture users’ policies, it incurs a steep usability cost. To mini- 2 Background mize this burden through default policies, we asked: RQ2: For which pairs of relationships (e. g., child) In this section, we scope our notion of home IoT de- and capabilities (e. g., turn on lights) are desired vices, identify our threat model, and review current de- access-control policies consistent across partici- vices’ support for access control and authentication. We pants? These can be default settings (Section 6.4). define home IoT devices to be small appliances that In our study, nearly all participants always wanted their are Internet-connected and used primarily in the home. spouses to be able to use capabilities other than log dele- Internet-connected lights and thermostats are two exam- tion at all times. Participants also wanted others to be ples. Many such devices are managed through a hub able to control the lights and thermostat while at home. that facilitates communication between devices, enforces As intimated
Load more

Recommended publications
  • Access Control
    Security Engineering: A Guide to Building Dependable Distributed Systems CHAPTER 4 Access Control Going all the way back to early time-sharing systems, we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum. —ROGER NEEDHAM Microsoft could have incorporated effective security measures as standard, but good sense prevailed. Security systems have a nasty habit of backfiring, and there is no doubt they would cause enormous problems. —RICK MAYBURY 4.1 Introduction Access control is the traditional center of gravity of computer security. It is where se- curity engineering meets computer science. Its function is to control which principals (persons, processes, machines, . .) have access to which resources in the sys- tem—which files they can read, which programs they can execute, how they share data with other principals, and so on. NOTE This chapter necessarily assumes more computer science background than previous chapters, but I try to keep it to a minimum. 51 Chapter 4: Access Controls Figure 4.1 Access controls at different levels in a system. Access control works at a number of levels, as shown in Figure 4.1, and described in the following: 1. The access control mechanisms, which the user sees at the application level, may express a very rich and complex security policy. A modern online busi- ness could assign staff to one of dozens of different roles, each of which could initiate some subset of several hundred possible transactions in the system. Some of these (such as credit card transactions with customers) might require online authorization from a third party while others (such as refunds) might require dual control.
    [Show full text]
  • Using Certificate-Based Authentication for Access Control
    GLOBALSIGN WHITE PAPER Using Certificate‐based Authentication for Access Control GLOBALSIGN WHITE PAPER John Harris for GlobalSign GLOBALSIGN WHITE PAPER CONTENTS Introduction ...................................................................................................................................................................2 Finding The Right Path ...................................................................................................................................................2 Certicate‐based Network Authentication ......................................................................................................................3 What Is It? ................................................................................................................................................................. 3 How Does It All Work? .............................................................................................................................................. 4 What Can Users Expect? ........................................................................................................................................... 4 How Does It Stack Up To Other Authentication Methods? ....................................................................................... 4 Other Authentication Methods ................................................................................................................................. 5 Comparing Authentication Methods ........................................................................................................................
    [Show full text]
  • Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems
    Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems Nan Zhang∗, Xianghang Mi∗, Xuan Fengy∗, XiaoFeng Wang∗, Yuan Tianz and Feng Qian∗ ∗Indiana University, Bloomington Email: fnz3, xmi, xw7, [email protected] yBeijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, China Email: [email protected] zUniversity of Virginia Email: [email protected] Abstract—Virtual personal assistants (VPA) (e.g., Amazon skills by Amazon and actions by Google1) to offer further Alexa and Google Assistant) today mostly rely on the voice helps to the end users, for example, order food, manage bank channel to communicate with their users, which however is accounts and text friends. In the past year, these ecosystems known to be vulnerable, lacking proper authentication (from the user to the VPA). A new authentication challenge, from the VPA are expanding at a breathtaking pace: Amazon claims that service to the user, has emerged with the rapid growth of the VPA already 25,000 skills have been uploaded to its skill market to ecosystem, which allows a third party to publish a function (called support its VPA (including the Alexa service running through skill) for the service and therefore can be exploited to spread Amazon Echo) [1] and Google also has more than one thousand malicious skills to a large audience during their interactions actions available on its market for its Google Home system with smart speakers like Amazon Echo and Google Home. In this paper, we report a study that concludes such remote, large- (powered by Google Assistant).
    [Show full text]
  • Access Control
    Access Control CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Access Control • Describe the permissions available to computing processes – Originally, all permissions were available • Clearly, some controls are necessary – Prevent bugs in one process from breaking another • But, what should determine access? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page 2 Permissions for Processes • What permissions should be granted to... – An editor process? – An editor process that you run? – An editor process that someone else runs? – An editor process that contains malware? – An editor process used to edit a password file? • Q: How do we determine/describe the permissions available to processes? • Q: How are they enforced? • Q: How might they change over time? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page 3 Protection System • Any “system” that provides resources to multiple subjects needs to control access among them – Operating system – Servers • Consists of: – Protection state • Description of permission assignments (i.e., policy) • Determines how security goals are met – Enforcement mechanism • Enforce protection state on “system” CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page 4 Protection State • Describes the conditions under which the system is secure
    [Show full text]
  • Security in Ordinary Operating Systems
    39 C H A P T E R 4 Security in Ordinary Operating Systems In considering the requirements of a secure operating system,it is worth considering how far ordinary operating systems are from achieving these requirements. In this chapter, we examine the UNIX and Windows operating systems and show why they are fundamentally not secure operating systems. We first examine the history these systems, briefly describe their protection systems, then we show, using the requirements of a secure operating system defined in Chapter 2, why ordinary operating systems are inherently insecure. Finally, we examine common vulnerabilities in these systems to show the need for secure operating systems and the types of threats that they will have to overcome. 4.1 SYSTEM HISTORIES 4.1.1 UNIX HISTORY UNIX is a multiuser operating system developed by Dennis Ritchie and Ken Thompson at AT&T Bell Labs [266]. UNIX started as a small project to build an operating system to play a game on an available PDP-7 computer. However, UNIX grew over the next 10 to 15 years into a system with considerable mindshare, such that a variety of commercial UNIX efforts were launched. The lack of coherence in these efforts may have limited the market penetration of UNIX, but many vendors, even Microsoft, had their own versions. UNIX remains a significant operating system today, embodied in many systems, such as Linux, Sun Solaris, IBM AIX, the various BSD systems, etc. Recall from Chapter 3 that Bell Labs was a member of the Multics consortium. However, Bell Labs dropped out of the Multics project in 1969, primarily due to delays in the project.
    [Show full text]
  • General Access Control Guidance for Cloud Systems
    NIST Special Publication 800-210 General Access Control Guidance for Cloud Systems Vincent C. Hu Michaela Iorga Wei Bao Ang Li Qinghua Li Antonios Gouglidis This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-210 C O M P U T E R S E C U R I T Y NIST Special Publication 800-210 General Access Control Guidance for Cloud Systems Vincent C. Hu Michaela Iorga Computer Security Division Information Technology Laboratory Wei Bao Ang Li Qinghua Li Department of Computer Science and Computer Engineering University of Arkansas Fayetteville, AR Antonios Gouglidis School of Computing and Communications Lancaster University Lancaster, United Kingdom This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-210 July 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • FACILITY ACCESS CONTROL an Interagency Security Committee Best Practice
    FACILITY ACCESS CONTROL An Interagency Security Committee Best Practice 2020 Edition U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency Interagency Security Committee Message from the Chief One of the priorities of the Department of Homeland Security (DHS) is the protection of federal employees and private citizens who work within and visit federally owned or leased facilities. The Interagency Security Committee (ISC), chaired by DHS, consists of 64 executive-level departments and agencies and has a mission to develop security policies, standards, and recommendations for nonmilitary federal facilities in the United States. As Chief of the ISC, I am pleased to introduce the ISC document titled Facility Access Control: An Interagency Security Committee Best Practice. At a recent ISC Strategic Summit, members identified facility access control as their number-one subject area. Based on their request, the ISC formed a working group on facility access control, resulting in the development of this document. This ISC document provides guidance on addressing facility access control throughout the full access control process, from employee and visitor entry, through security screening, to the first point of authentication into nonpublic space. This guide represents exemplary collaboration within the ISC Facility Access Control Working Group and across the entire ISC. Daryle Hernandez Chief, Interagency Security Committee Facility Access Control: 1 An ISC Best Practice Table of Contents Message from the Chief ...................................................................................................................................
    [Show full text]
  • No Recharging Or Power Stealing. It's the Smart Thermostat Pros Trust
    No recharging or power stealing. It’s the smart thermostat Pros trust. 5-YEAR PRO INSTALL WARRANTY Get our 3-year standard warranty plus 2 years for pro purchase and install. Here’s why pros love us. Here’s why consumers love us. RELIABLY POWERED CONTROL FROM ANYWHERE, ANYTIME No common wire? No problem. Your ecobee comes with a Customers can easily control temperature and settings Power Extender Kit so it doesn’t rely on other equipment from anywhere with an Apple Watch, Android, or to charge itself. iOS device. COMPATIBLE WITH MOST AVERAGE 23% SAVINGS* ecobee3 lite works with most HVAC systems including When customers bring home the ecobee3 lite, they radiant heating systems, multistage, and dual fuel save an average of 23% annually on heating and heat pumps. ecobee.com/compatibility cooling costs. *Learn more at ecobee.com/savings EASY INSTALLATION UPDATES YOU AS NEEDED Installation takes 30 minutes or less in most cases. We also ecobee3 lite monitors heating and cooling systems, and offer easy access to HVAC tech support, wiring diagrams, alerts customers if it senses something is wrong. and manuals if you ever need assistance. SUPPORT HOURS Available 8am–10pm (Mon–Fri) and 9am–9pm (Sat-Sun). 1.866.518.6740 | [email protected] Apple, iPhone, iPad, and iPod touch are trademarks of Apple Inc., registered in the U.S. and other countries. HomeKit is a trademark of Apple Inc. Use of the HomeKit logo means that an electronic accessory has been designed to connect specifically to iPod, iPhone, or iPad, respectively, and has been certified by the developer to meet Apple performance standards.
    [Show full text]
  • Operating Systems & Virtualisation Security Knowledge Area
    Operating Systems & Virtualisation Security Knowledge Area Issue 1.0 Herbert Bos Vrije Universiteit Amsterdam EDITOR Andrew Martin Oxford University REVIEWERS Chris Dalton Hewlett Packard David Lie University of Toronto Gernot Heiser University of New South Wales Mathias Payer École Polytechnique Fédérale de Lausanne The Cyber Security Body Of Knowledge www.cybok.org COPYRIGHT © Crown Copyright, The National Cyber Security Centre 2019. This information is licensed under the Open Government Licence v3.0. To view this licence, visit: http://www.nationalarchives.gov.uk/doc/open-government-licence/ When you use this information under the Open Government Licence, you should include the following attribution: CyBOK © Crown Copyright, The National Cyber Security Centre 2018, li- censed under the Open Government Licence: http://www.nationalarchives.gov.uk/doc/open- government-licence/. The CyBOK project would like to understand how the CyBOK is being used and its uptake. The project would like organisations using, or intending to use, CyBOK for the purposes of education, training, course development, professional development etc. to contact it at con- [email protected] to let the project know how they are using CyBOK. Issue 1.0 is a stable public release of the Operating Systems & Virtualisation Security Knowl- edge Area. However, it should be noted that a fully-collated CyBOK document which includes all of the Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas KA Operating Systems & Virtualisation Security j October 2019 Page 1 The Cyber Security Body Of Knowledge www.cybok.org INTRODUCTION In this Knowledge Area, we introduce the principles, primitives and practices for ensuring se- curity at the operating system and hypervisor levels.
    [Show full text]
  • Physical Access Control Systems (PACS) Customer Ordering Guide
    Physical Access Control Systems (PACS) Customer Ordering Guide Revised January 2017 1 Physical Access Control Systems (PACS) Customer Ordering Guide Table of Contents Purpose ...................................................................................................................3 Background .............................................................................................................3 Recent Policy Announcements ...............................................................................4 What is PACS? .......................................................................................................5 As an end-user agency, where do I start and what steps are involved? ................. 7 Where do I purchase PACS Solutions from GSA? ..............................................10 How do I purchase a PACS Solution using GSA eBuy? .....................................11 Frequently Asked Questions (FAQs) ...................................................................12 GSA Points of Contact for PACS .........................................................................15 Reference Documents ...........................................................................................16 Sample Statement of Work (SOW) ......................................................................18 2 Physical Access Control Systems (PACS) Customer Ordering Guide Purpose The purpose of this document is to create a comprehensive ordering guide that assists ordering agencies, particularly contracting officers, to
    [Show full text]
  • Standards and Procedures Installation of Access Control Equipment At
    Standards and Procedures Installation of Access Control Equipment At University of North Carolina at Wilmington UNCW REV 120617 Provided by UNCW Physical Security and Access INDEX OVERVIEW ................................................................................................................................... 3 OUTLINE ....................................................................................................................................... 4 UNCW Door Hardware Standards .................................................................................................. 5 LENEL Network Communications................................................................................................. 5 Door Control Cabling ..................................................................................................................... 6 Responsibilities ............................................................................................................................... 7 UNCW ........................................................................................................................................ 7 Contractors .................................................................................................................................. 7 Standards for Termination of wires and cables in Lenel Panel, Lock Power Supplies, Readers, Hinges and Door Hardware ............................................................................................................ 8 UNCW Wireless Access Control
    [Show full text]
  • Integrated Access Control
    INTEGRATED ACCESS CONTROL Protect and manage your facility with confidence ACCESS CONTROL INCLUDES ALARM MANAGEMENT In the past, a sturdy lock was the most effective method Adding to the benefits of an access control system is the available to control access to your facility. Today you have ability to review reports detailing the arrival and departure the capability to truly manage both exterior and interior of each individual and which protected areas they entered. access. With the appropriate security devices and alarm An access control system not only provides added security, management software, which is integrated into a single but it also enhances your facility management capabilities. security solution, you can take control of who goes where and when throughout your facility. As a network application, real-time changes can be made to the access rights of any individual from anywhere with an Internet connection. Rather than worry about retrieving keys from discharged employees or re-keying locks, sim- ply delete their access privileges. You can also remotely lock and unlock any protected door. Access Control Hardware The main component in any access control system is the Request-to-Exit Devices: Motion sensors, buttons, or crash control panel. It communicates with and manages the var- bars used to bypass a door or release an electronic lock. ious other devices installed throughout the facility. DMP High Security Readers: Based on the MIFARE platform, systems include an “integrated” panel that also provides the high security reader is a globally accepted, secure, and intrusion and fire alarm capabilities, all in a single unit.
    [Show full text]