Hi Aniketh,
Thanks for forwarding the paper - interesting work!
The homenet working group was closed some time back. I think
the currently open IETF venues that might be relevant for this
work would be madinas (considering mac address randomisation),
snac (working on a subset of home n/w issues) and pearg which
is a privacy related IRTF research group.
I'd say best might be to send a mail to the pearg list and
see if folks there start some discussion.
If mac address randomisation would/would-not mitigate some
of these issues then posting about that to the madinas wg list
would be a good thing. (Better in that case to send a mail
setting out why mac address ramdomisation would or would not
make things better rather that expecting many list members to
read the paper - you need to tempt 'em in:-)
I'm not sure if this'd be relevant for snac, but there are
people active there on this list so perhaps silence from
them means it's not that relevant.
Cheers,
S.
On 15/11/2023 18:13, Aniketh Girish wrote:
Hi,
I am writing to share our research paper[1] published recently at ACM IMC 2023,
which addresses critical security and privacy concerns in smart home local
networks. Our study focuses on characterizing local device communication and
reveals substantial privacy risks associated with the misuse of discovery
protocols. Additionally, we discover the inadvertent exposure of personally
identifiable information (PII) by smart devices in discovery
broadcasts/multicasts and detail the methods used by entities like advertisers
and trackers to covertly exfiltrate this data.
Key findings of our paper include:
- Unintentional PII Broadcasts and Protocol Vulnerabilities: Our study shows
that half of the devices in our dataset directly communicate with each other
without any user interactions, often conspicuously broadcasting sensitive
information like device names, private IDs, and household geolocations. This is
amplified by vulnerabilities in network protocols such as DHCP, mDNS, and UPnP,
leading to risks like outdated DHCP clients being vulnerable to exploitation
and cross-device tracking due to unique identifiers in discovery protocol
fields such as hostnames.
- Broadcasts exploited by Mobile Apps and Third-Party Libraries: We find that
mobile apps and third-party libraries exploit these network broadcasts to
secretly extract PIIs and device identifiers and relay this local network data
to remote endpoints. This occurs without user consent, using discovery
protocols to access data protected by Android and iOS permissions, enabling
network observers to infer precise user geolocation and other sensitive
information.
We have diligently disclosed all risks found in the paper to the affected
vendors and they are actively working on several remedial measures. We would
also like to engage with IETF Working Groups, as our work is closely aligned
with the efforts of groups like DNS-SD, Homenet, and the Open Connectivity
Foundation (OCF).We are reaching out to the relevant working groups to seek
interest in our findings and to engage in discussions to improve the current
state.
Would your group be interested in reconsidering these issues or connecting us
with other ongoing efforts within the IETF where our work might be more
relevant? We would also be open to present our paper at one of your upcoming
meetings and engage in a discussion on how we can collectively enhance network
protocol security and privacy standards.
For more details, please refer to the paper. Your feedback on our paper and
thoughts on how it impacts the work of the IETF would be invaluable. We look
forward to hearing back from you soon.
[1]: https://dl.acm.org/doi/pdf/10.1145/3618257.3624830
Cheers.
--
Aniketh Girish
PhD Student, IMDEA Networks Institute
https://anikethgirish.in/
This message may contain confidential or privileged information. If you have
received it in error, please do not use it, notify the sender and delete it.
See https://networks.imdea.org/legal-notice-email/
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
OpenPGP_0xE4D8E9F997A833DD.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet