I Still See You: Why Existing IoT Traffic Reshaping Fails

TL;DR

This paper introduces a comprehensive framework and a novel attack method revealing significant privacy vulnerabilities in IoT traffic, demonstrating current defenses are inadequate and providing a tool for systematic evaluation.

Contribution

The paper presents ITEMTK, an open-source system for evaluating IoT traffic analysis attacks and defenses, along with a new image-based attack that bypasses existing privacy measures.

Findings

Current defenses are insufficient against new image-based attacks

IoT traffic analysis can infer sensitive user information

ITEMTK enables systematic benchmarking of attacks and defenses

Abstract

The Internet traffic data produced by the Internet of Things (IoT) devices are collected by Internet Service Providers (ISPs) and device manufacturers, and often shared with their third parties to maintain and enhance user services. Unfortunately, on-path adversaries could infer and fingerprint users' sensitive privacy information such as occupancy and user activities by analyzing these network traffic traces. While there's a growing body of literature on defending against this side-channel attack-malicious IoT traffic analytics (TA), there's currently no systematic method to compare and evaluate the comprehensiveness of these existing studies. To address this problem, we design a new low-cost, open-source system framework-IoT Traffic Exposure Monitoring Toolkit (ITEMTK) that enables people to comprehensively examine and validate prior attack models and their defending approaches. In particular, we also design a novel image-based attack capable of inferring sensitive user information, even when users employ the most robust preventative measures in their smart homes. Researchers could leverage our new image-based attack to systematize and understand the existing literature on IoT traffic analysis attacks and preventing studies. Our results show that current defending approaches are not sufficient to protect IoT device user privacy. IoT devices are significantly vulnerable to our new image-based user privacy inference attacks, posing a grave threat to IoT device user privacy. We also highlight potential future improvements to enhance the defending approaches. ITEMTK's flexibility allows other researchers for easy expansion by integrating new TA attack models and prevention methods to benchmark their future work.