Tayebeh Rajabi, Alvi Ataur Khalil, Mohammad Hossein Manshaei, Mohammad Ashiqur Rahman, Mohammad Dakhilalian, Maurice Ngouen, Murtuza Jadliwala, A. Selcuk Uluagac
Feasibility Analysis for Sybil Attacks in Shard-Based Permissionless Blockchains Journal Article
ACM Distributed Ledger Technologies: Research and Practice Journal, 2023.
Abstract | Links | BibTeX | Tags: Blockchain Security, Network Security, Smart Home Security
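@article{Tayabeh2023,
  title     = {Feasibility Analysis for {Sybil} Attacks in Shard-Based Permissionless Blockchains},
  author    = {Tayebeh Rajabi and Alvi Ataur Khalil and Mohammad Hossein Manshaei and Mohammad Ashiqur Rahman and Mohammad Dakhilalian and Maurice Ngouen and Murtuza Jadliwala and A. Selcuk Uluagac},
  journal   = {{ACM} Distributed Ledger Technologies: Research and Practice},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  year      = {2023},
  date      = {2023-12-01},
  doi       = {10.1145/3618302},
  url       = {https://doi.org/10.1145/3618302},
  urldate   = {2023-12-01},
  abstract  = {Committee-based permissionless blockchain approaches overcome single leader consensus protocols’ scalability issues by partitioning the outstanding transaction set into shards and selecting multiple committees to process these transactions in parallel. However, by design, shard-based blockchain solutions are vulnerable to Sybil attacks. An adversary with enough computational/hash power can easily manipulate the consensus protocol by generating multiple valid node identifiers/IDs (i.e., multiple Sybil committee members). Despite the straightforward nature of these attacks, they have not been systematically investigated. This article fills this research gap by analyzing Sybil attacks in shard-based consensus of proof-of-work blockchain systems. Specifically, we provide a detailed analysis for Elastico, one of the prominent shard-based blockchain models. We show that the proof-of-work technique used for ID generation in the initial phase of such protocols is vulnerable to Sybil attacks when an adversary (could be a group of colluding nodes) possesses enough hash power. We analytically derive conditions for two different Sybil attacks and perform numerical simulations to validate our theoretical results under various parameters. Further, we utilize the BlockSim simulator to validate our mathematical computation, and results confirm the correctness of the analysis.},
  keywords  = {Blockchain Security, Network Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {article}
}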
N. Haque, M. Ngouen, M. Rahman, S. Uluagac, L. Njilla
SHATTER: Control and Defense-Aware Attack Analytics for Activity-Driven Smart Home Systems Conference Paper
In the Proceedings of the 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2023.
Abstract | Links | BibTeX | Tags: Cryptojacking, Smart Home Security
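@inproceedings{Haque2023,
  title     = {{SHATTER}: Control and Defense-Aware Attack Analytics for Activity-Driven Smart Home Systems},
  author    = {N. Haque and M. Ngouen and M. Rahman and S. Uluagac and L. Njilla},
  booktitle = {Proceedings of the 53rd Annual {IEEE/IFIP} International Conference on Dependable Systems and Networks ({DSN})},
  year      = {2023},
  date      = {2023-06-01},
  doi       = {10.1109/DSN58367.2023.00015},
  url       = {https://doi.ieeecomputersociety.org/10.1109/DSN58367.2023.00015},
  urldate   = {2023-06-01},
  abstract  = {Modern smart home control systems utilize realtime occupancy and activity monitoring to ensure control efficiency, occupants' comfort, and optimal energy consumption. Moreover, adopting machine learning-based anomaly detection models (ADMs) enhances security and reliability. However, sufficient system knowledge allows adversaries/attackers to alter sensor measurements through stealthy false data injection (FDI) attacks. Although ADMs limit attack scopes, the availability of information like occupants' location, conducted activities, and alteration capability of smart appliances increase the attack surface. Therefore, performing an attack space analysis of modern home control systems is crucial to design robust defense solutions. However, state-of-the-art analyzers do not consider contemporary control and defense solutions and generate trivial attack vectors. To address this, we propose a control and defense-aware novel attack analysis framework for a modern smart home control system, efficiently extracting ADM rules. We verify and validate our framework using a state-of-the-art dataset and a prototype testbed.},
  keywords  = {Cryptojacking, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}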
Luis C Puche Rondon, Leonardo Babun, Kemal Akkaya, A Selcuk Uluagac
Systems and methods for monitoring activity in an HDMI network Patent
US Patent, 2021.
Abstract | Links | BibTeX | Tags: IoT Security, Smart Home Security
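@patent{rondon2021systems,
  title        = {Systems and methods for monitoring activity in an {HDMI} network},
  author       = {Luis C Puche Rondon and Leonardo Babun and Kemal Akkaya and A Selcuk Uluagac},
  number       = {US10929530B1},
  howpublished = {US Patent},
  publisher    = {Google Patents},
  year         = {2021},
  date         = {2021-02-01},
  url          = {https://patents.google.com/patent/US10929530B1/en},
  urldate      = {2021-02-01},
  abstract     = {Systems and methods for monitoring activity within High Definition Multimedia Interface (HDMI) enabled consumer electronics control (CEC) devices and their networks and identifying unexpected and/or suspicious activity within the network are provided. CEC message packets and packet attribute analysis can be used to identify unexpected and/or suspicious CEC activity within two or more interconnected HDMI devices. Three fundamental steps can be used: a data collection step can capture CEC activity occurring within an HDMI distribution; a data processing step can correlate data into a packet analysis process to create a model later used for evaluation; and a decision process step can use the model created in the data processing step to determine if activity occurring within the HDMI distribution is expected or unexpected.},
  keywords     = {IoT Security, Smart Home Security},
  pubstate     = {published},
  tppubtype    = {patent}
}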
Luis Puche Rondon, Leonardo Babun, Ahmet Aris, Kemal Akkaya, A Selcuk Uluagac
LightningStrike: (in) secure practices of E-IoT systems in the wild Conference Paper
In the Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2021.
Abstract | BibTeX | Tags: IoT Security, Smart Home Security
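@inproceedings{rondon2021lightningstrike,
  title     = {{LightningStrike}: (in)secure practices of {E-IoT} systems in the wild},
  author    = {Luis Puche Rondon and Leonardo Babun and Ahmet Aris and Kemal Akkaya and A Selcuk Uluagac},
  booktitle = {Proceedings of the 14th {ACM} Conference on Security and Privacy in Wireless and Mobile Networks ({WiSec})},
  year      = {2021},
  date      = {2021-01-01},
  urldate   = {2021-01-01},
  abstract  = {The widespread adoption of specialty smart ecosystems has changed the everyday lives of users. As a part of smart ecosystems, Enterprise Internet of Things (E-IoT) allows users to integrate and control more complex installations in comparison to off-the-shelf IoT systems. With E-IoT, users have a complete control of audio, video, scheduled events, lightning fixtures, shades, door access, and relays via available user interfaces. As such, these systems see widespread use in government or smart private offices, schools, smart buildings, professional conference rooms, hotels, smart homes, yachts, and similar professional settings.},
  keywords  = {IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}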
Amit Kumar Sikder, Giuseppe Petracca, Hidayet Aksu, Trent Jaeger, A Selcuk Uluagac
A survey on sensor-based threats and attacks to smart devices and applications Journal Article
IEEE Communications Surveys & Tutorials, 2021.
Abstract | BibTeX | Tags: Smart Home Security
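@article{sikder2021survey,
  title     = {A survey on sensor-based threats and attacks to smart devices and applications},
  author    = {Amit Kumar Sikder and Giuseppe Petracca and Hidayet Aksu and Trent Jaeger and A Selcuk Uluagac},
  journal   = {{IEEE} Communications Surveys \& Tutorials},
  publisher = {IEEE},
  year      = {2021},
  date      = {2021-01-01},
  urldate   = {2021-01-01},
  abstract  = {Modern electronic devices have become smart as well as omnipresent in our day-to-day lives. From small household devices to large industrial machines, smart devices have become very popular in every possible application domain. Smart devices in our homes, offices, buildings, and cities can connect with other devices as well as with the physical world around them. This increasing popularity has also placed smart devices as the center of attention among attackers. Already, several types of malicious activities exist that attempt to compromise the security and privacy of smart devices. One interesting and noteworthy emerging threat vector is the attacks that abuse the use of sensors on smart devices. Smart devices are vulnerable to sensor-based threats and attacks due to the lack of proper security mechanisms available to control the use of sensors by installed apps.},
  keywords  = {Smart Home Security},
  pubstate  = {published},
  tppubtype = {article}
}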
Hidayet Aksu, A Selcuk Uluagac, Elizabeth S Bentley
Internet of things (IoT) identifying system and associated methods Patent
US Patent, 2020.
Abstract | Links | BibTeX | Tags: IoT Security, Smart Home Security
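@patent{aksu2020internet,
  title        = {Internet of things ({IoT}) identifying system and associated methods},
  author       = {Hidayet Aksu and A Selcuk Uluagac and Elizabeth S Bentley},
  number       = {10,826,902},
  howpublished = {US Patent},
  publisher    = {Google Patents},
  year         = {2020},
  date         = {2020-11-01},
  url          = {https://uspto.report/patent/grant/10,826,902},
  urldate      = {2020-11-01},
  abstract     = {A wireless Internet-of-Things (IoT) device identification method and framework incorporates machine learning (ML) techniques with information from the protocol used (e.g., Bluetooth, Bluetooth Low Energy/Bluetooth Smart, and others). A passive, non-intrusive feature selection technique targets IoT device captures with an ML classifier selection algorithm for the identification of IoT devices (i.e., picking the best performing ML algorithm among multiple ML algorithms available). Using an input training label and training dataset (e.g., training wireless IoT packets) associated with the IoT device, a classifier and a filter are selected. An inter-arrival-time (IAT) associated with the filtered training data set and a density distribution for the IAT are then calculated. After converting the density distribution to the training feature vector, a prediction model and the selected classifier are stored for subsequent application to testing.},
  keywords     = {IoT Security, Smart Home Security},
  pubstate     = {published},
  tppubtype    = {patent}
}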
Abbas Acar, Hossein Fereidooni, Tigist Abera, Amit Kumar Sikder, Markus Miettinen, Hidayet Aksu, Mauro Conti, Ahmad-Reza Sadeghi, Selcuk Uluagac
Peek-a-boo: I see your smart home activities, even encrypted! Conference Paper
In the Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2020.
Abstract | BibTeX | Tags: IoT Security, Smart Home Security
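@inproceedings{acar2020peek,
  title     = {Peek-a-boo: {I} see your smart home activities, even encrypted!},
  author    = {Abbas Acar and Hossein Fereidooni and Tigist Abera and Amit Kumar Sikder and Markus Miettinen and Hidayet Aksu and Mauro Conti and Ahmad-Reza Sadeghi and Selcuk Uluagac},
  booktitle = {Proceedings of the 13th {ACM} Conference on Security and Privacy in Wireless and Mobile Networks ({WiSec})},
  year      = {2020},
  date      = {2020-01-01},
  urldate   = {2020-01-01},
  abstract  = {A myriad of IoT devices such as bulbs, switches, speakers in a smart home environment allow users to easily control the physical world around them and facilitate their living styles through the sensors already embedded in these devices. Sensor data contains a lot of sensitive information about the user and devices. However, an attacker inside or near a smart home environment can potentially exploit the innate wireless medium used by these devices to exfiltrate sensitive information from the encrypted payload (i.e., sensor data) about the users and their activities, invading user privacy. With this in mind, in this work, we introduce a novel multi-stage privacy attack against user privacy in a smart environment.},
  keywords  = {IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}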
Amit Kumar Sikder, Leonardo Babun, Z Berkay Celik, Abbas Acar, Hidayet Aksu, Patrick McDaniel, Engin Kirda, A Selcuk Uluagac
Kratos: Multi-user multi-device-aware access control system for the smart home Conference Paper
In the Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2020.
Abstract | Links | BibTeX | Tags: IoT Security, Smart Home Security
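@inproceedings{sikder2020kratos,
  title     = {{Kratos}: Multi-user multi-device-aware access control system for the smart home},
  author    = {Amit Kumar Sikder and Leonardo Babun and Z Berkay Celik and Abbas Acar and Hidayet Aksu and Patrick McDaniel and Engin Kirda and A Selcuk Uluagac},
  booktitle = {Proceedings of the 13th {ACM} Conference on Security and Privacy in Wireless and Mobile Networks ({WiSec})},
  year      = {2020},
  date      = {2020-01-01},
  doi       = {10.1145/3395351.3399358},
  url       = {https://dl.acm.org/doi/10.1145/3395351.3399358},
  urldate   = {2020-01-01},
  abstract  = {In a smart home system, multiple users have access to multiple devices, typically through a dedicated app installed on a mobile device. Traditional access control mechanisms consider one unique trusted user that controls the access to the devices. However, multi-user multi-device smart home settings pose fundamentally different challenges to traditional single-user systems. For instance, in a multi-user environment, users have conflicting, complex, and dynamically changing demands on multiple devices, which cannot be handled by traditional access control techniques. To address these challenges, in this paper, we introduce Kratos, a novel multi-user and multi-device-aware access control mechanism that allows smart home users to flexibly specify their access control demands. Kratos has three main components: user interaction module, back-end server, and policy manager.},
  keywords  = {IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}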
Leonardo Babun, Hidayet Aksu, Lucas Ryan, Kemal Akkaya, Elizabeth S Bentley, A Selcuk Uluagac
Z-IoT: Passive device-class fingerprinting of ZigBee and Z-Wave IoT devices Conference Paper
In the proceedings of the IEEE International Conference on Communications (ICC) Conference, IEEE 2020.
Abstract | Links | BibTeX | Tags: IoT Security, Smart Home Security
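@inproceedings{babun2020z,
  title        = {{Z-IoT}: Passive device-class fingerprinting of {ZigBee} and {Z-Wave} {IoT} devices},
  author       = {Leonardo Babun and Hidayet Aksu and Lucas Ryan and Kemal Akkaya and Elizabeth S Bentley and A Selcuk Uluagac},
  booktitle    = {Proceedings of the {IEEE} International Conference on Communications ({ICC})},
  organization = {IEEE},
  year         = {2020},
  date         = {2020-01-01},
  url          = {https://ieeexplore.ieee.org/document/9149285},
  urldate      = {2020-01-01},
  abstract     = {In addition to traditional networking devices (e.g., gateways, firewalls), current corporate and industrial networks integrate resource-limited Internet of Things (IoT) devices like smart outlets and smart sensors. In these settings, cyber attackers can bypass traditional security solutions and spoof legitimate IoT devices to gain illegal access to the systems. Thus, IoT device-class identification is crucial to protect critical networks from unauthorized access. In this paper, we propose Z-IoT, the first fingerprinting framework used to identify IoT device classes that utilize ZigBee and Z-Wave protocols. Z-IoT monitors idle network traffic among IoT devices to implement signature-based device-class fingerprinting mechanisms. Utilizing passive packet capturing techniques and optimal selection of filtering criteria and machine learning algorithms, Z-IoT identifies different types of IoT devices while guaranteeing the anonymity.},
  keywords     = {IoT Security, Smart Home Security},
  pubstate     = {published},
  tppubtype    = {conference}
}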
AKM Iqtidar Newaz, Amit Kumar Sikder, Leonardo Babun, A Selcuk Uluagac
Heka: A novel intrusion detection system for attacks to personal medical devices Conference Paper
In the proceedings of the IEEE Conference on Communications and Network Security (CNS), IEEE 2020.
Abstract | Links | BibTeX | Tags: Healthcare Security, IoT Security, Smart Home Security
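@inproceedings{newaz2020heka,
  title        = {{Heka}: A novel intrusion detection system for attacks to personal medical devices},
  author       = {AKM Iqtidar Newaz and Amit Kumar Sikder and Leonardo Babun and A Selcuk Uluagac},
  booktitle    = {Proceedings of the {IEEE} Conference on Communications and Network Security ({CNS})},
  organization = {IEEE},
  year         = {2020},
  date         = {2020-01-01},
  url          = {https://csl.fiu.edu/wp-content/uploads/2023/05/heka.pdf},
  urldate      = {2020-01-01},
  abstract     = {Modern Smart Health Systems (SHS) involve the concept of connected personal medical devices. These devices significantly improve the patient's lifestyle as they permit remote monitoring and transmission of health data (i.e., telemedicine), lowering the treatment costs for both the patient and the healthcare providers. Although specific SHS communication standards (i.e., ISO/IEEE 11073) enable real-time plug-and-play interoperability and communication between different personal medical devices, they do not specify any features for secure communications. In this paper, we demonstrate how personal medical device communication is indeed vulnerable to different cyber attacks. Specifically, we show how an external attacker can hook into the personal medical device's communication and eavesdrop the sensitive health data traffic, and implement man-in-the-middle, replay, false data injection, and denial-of-service.},
  keywords     = {Healthcare Security, IoT Security, Smart Home Security},
  pubstate     = {published},
  tppubtype    = {conference}
}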
Abbas Acar, Hidayet Aksu, A Selcuk Uluagac, Kemal Akkaya
A usable and robust continuous authentication framework using wearables Journal Article
IEEE Transactions on Mobile Computing Journal, 2020.
Abstract | BibTeX | Tags: Authentication, IoT Security, Smart Home Security
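@article{acar2020usable,
  title     = {A usable and robust continuous authentication framework using wearables},
  author    = {Abbas Acar and Hidayet Aksu and A Selcuk Uluagac and Kemal Akkaya},
  journal   = {{IEEE} Transactions on Mobile Computing},
  publisher = {IEEE},
  year      = {2020},
  date      = {2020-01-01},
  urldate   = {2020-01-01},
  abstract  = {One-time login process in conventional authentication systems does not guarantee that the identified user is the actual user throughout the session. However, it is necessary to re-verify the user identity periodically throughout a login session, which is lacking in existing one-time login systems. Continuous authentication, which re-verifies the user identity without breaking the continuity of the session, can address this issue. However, existing methods for Continuous Authentication are either not reliable or not usable. In this paper, we introduce a usable and reliable Wearable-Assisted Continuous Authentication (WACA), which relies on the sensor-based keystroke dynamics and the authentication data is acquired through the built-in sensors of a wearable (e.g., smartwatch) while the user is typing.},
  keywords  = {Authentication, IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {article}
}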
Nico Saputro, Samet Tonyali, Abdullah Aydeger, Kemal Akkaya, Mohammad A Rahman, Selcuk Uluagac
A review of moving target defense mechanisms for internet of things applications Journal Article
Modeling and Design of Secure Internet of Things Journal, 2020.
Abstract | Links | BibTeX | Tags: IoT Security, Smart Home Security
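@article{saputro2020review,
  title       = {A review of moving target defense mechanisms for {Internet of Things} applications},
  author      = {Nico Saputro and Samet Tonyali and Abdullah Aydeger and Kemal Akkaya and Mohammad A Rahman and Selcuk Uluagac},
  journal     = {Modeling and Design of Secure Internet of Things Journal},
  publisher   = {Wiley Online Library},
  year        = {2020},
  date        = {2020-01-01},
  url         = {https://ieeexplore.ieee.org/abstract/document/9124015},
  urldate     = {2020-01-01},
  abstract    = {The chapter presents a review of proactive Moving Target Defense (MTD) paradigm and investigates the feasibility and potential of specific MTD approaches for the resource-constrained Internet of Things (IoT) applications. The aim is not only to provide taxonomy of various MTD approaches but also to advocate MTD techniques in the dynamic network domain in conjunction with the emerging Software Defined Networking (SDN) for more effective proactive IoT defense. The Internet of Battlefield Things (IoBT) and Industrial IoT (IIoT), which subject to more attacks, are identified as two critical IoT domains that can reap from the SDN-based MTD approaches. Finally, the chapter also discusses potential future research challenges of the MTD approaches in the IoT domain.},
  keywords    = {IoT Security, Smart Home Security},
  pubstate    = {published},
  tppubtype   = {article},
  review-note = {The abstract describes this work as a chapter; confirm whether the entry type should be incollection with the venue in booktitle rather than journal}
}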
Luis Puche Rondon, Leonardo Babun, Kemal Akkaya, A Selcuk Uluagac
HDMI-watch: Smart intrusion detection system against HDMI attacks Journal Article
IEEE Transactions on Network Science and Engineering Journal, 2020.
Abstract | BibTeX | Tags: CPS Security, IoT Security, Smart Home Security
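@article{rondon2020hdmi,
  title     = {{HDMI-watch}: Smart intrusion detection system against {HDMI} attacks},
  author    = {Luis Puche Rondon and Leonardo Babun and Kemal Akkaya and A Selcuk Uluagac},
  journal   = {{IEEE} Transactions on Network Science and Engineering},
  publisher = {IEEE},
  year      = {2020},
  date      = {2020-01-01},
  urldate   = {2020-01-01},
  abstract  = {The High Definition Multimedia Interface (HDMI) is the backbone and the de-facto standard for Audio/Video connections between video-enabled devices. Today, nearly ten billion HDMI devices are used to distribute A/V signals in homes, offices, concert halls, and sporting events. An important component in HDMI is the Consumer Electronics Control (CEC) protocol, which allows HDMI devices to share an HDMI distribution to communicate and interact with each other. In this work, we identify security and privacy issues in HDMI networks by tapping into CEC protocol vulnerabilities, using them to implement realistic proof-of-work attacks on HDMI distribution networks. We study how current insecure CEC protocol practices and carelessly implemented HDMI distributions may grant an adversary a novel attack surface for HDMI devices, otherwise thought to be unreachable through traditional network means.},
  keywords  = {CPS Security, IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {article}
}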
AKM Iqtidar Newaz, Nur Imtiazul Haque, Amit Kumar Sikder, Mohammad Ashiqur Rahman, A Selcuk Uluagac
Adversarial attacks to machine learning-based smart healthcare systems Conference Paper
In the proceedings of the IEEE Global Communications Conference (GLOBECOM), IEEE 2020.
Abstract | Links | BibTeX | Tags: Adversarial Machine Learning, Smart Home Security
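@inproceedings{newaz2020adversarial,
  title        = {Adversarial attacks to machine learning-based smart healthcare systems},
  author       = {AKM Iqtidar Newaz and Nur Imtiazul Haque and Amit Kumar Sikder and Mohammad Ashiqur Rahman and A Selcuk Uluagac},
  booktitle    = {Proceedings of the {IEEE} Global Communications Conference ({GLOBECOM})},
  organization = {IEEE},
  year         = {2020},
  date         = {2020-01-01},
  url          = {https://ieeexplore.ieee.org/document/9322472},
  urldate      = {2020-01-01},
  abstract     = {The increasing availability of healthcare data requires accurate analysis of disease diagnosis, progression, and real-time monitoring to provide improved treatments to the patients. In this context, Machine Learning (ML) models are used to extract valuable features and insights from high-dimensional and heterogeneous healthcare data to detect different diseases and patient activities in a Smart Healthcare System (SHS). However, recent researches show that ML models used in different application domains are vulnerable to adversarial attacks. In this paper, we introduce a new type of adversarial attacks to exploit the ML classifiers used in a SHS. We consider an adversary who has partial knowledge of data distribution, SHS model, and ML algorithm to perform both targeted and untargeted attacks. Employing these adversarial capabilities, we manipulate medical device readings to alter patient status,},
  keywords     = {Adversarial Machine Learning, Smart Home Security},
  pubstate     = {published},
  tppubtype    = {conference}
}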
Luis Puche Rondon, Leonardo Babun, Ahmet Aris, Kemal Akkaya, A Selcuk Uluagac
PoisonIvy: (In) secure Practices of Enterprise IoT Systems in Smart Buildings Conference Paper
In the Proceedings of the 7th ACM International Conference on Systems for Energy-Efficient Buildings, Cities, and Transportation, 2020.
Abstract | Links | BibTeX | Tags: CPS Security, IoT Security, Smart Home Security
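@inproceedings{rondon2020poisonivy,
  title     = {{PoisonIvy}: (In)secure Practices of Enterprise {IoT} Systems in Smart Buildings},
  author    = {Luis Puche Rondon and Leonardo Babun and Ahmet Aris and Kemal Akkaya and A Selcuk Uluagac},
  booktitle = {Proceedings of the 7th {ACM} International Conference on Systems for Energy-Efficient Buildings, Cities, and Transportation},
  pages     = {130--139},
  year      = {2020},
  date      = {2020-01-01},
  doi       = {10.1145/3408308.3427606},
  url       = {https://dl.acm.org/doi/abs/10.1145/3408308.3427606},
  urldate   = {2020-01-01},
  abstract  = {The rise of IoT devices has led to the proliferation of smart buildings, offices, and homes worldwide. Although commodity IoT devices are employed by ordinary end-users, complex environments such as smart buildings, government, or private smart offices, conference rooms, or hospitality require customized and highly reliable solutions. Those systems called Enterprise Internet of Things (EIoT) connect such environments to the Internet and are professionally managed solutions usually offered by dedicated vendors (e.g., Control4, Crestron, Lutron, etc.). As EIoT systems require specialized training, software, and equipment to deploy, many of these systems are closed-source and proprietary in nature. This has led to very little research investigating the security of EIoT systems and their components.},
  keywords  = {CPS Security, IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}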
Amit Kumar Sikder, Leonardo Babun, Hidayet Aksu, A. Selcuk Uluagac
Aegis: A Context-Aware Security Framework for Smart Home Systems Conference Paper
In the Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC), 2019.
Abstract | Links | BibTeX | Tags: IoT Security, Smart Home Security
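@inproceedings{Sikder2019Aegis,
  title     = {{Aegis}: A Context-Aware Security Framework for Smart Home Systems},
  author    = {Amit Kumar Sikder and Leonardo Babun and Hidayet Aksu and A. Selcuk Uluagac},
  booktitle = {Proceedings of the 35th Annual Computer Security Applications Conference ({ACSAC})},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1145/3359789.3359840},
  url       = {https://doi.org/10.1145/3359789.3359840},
  urldate   = {2019-01-01},
  abstract  = {Our everyday lives are expanding fast with the introduction of new Smart Home Systems (SHSs). Today, a myriad of SHS devices and applications are widely available to users and have already started to re-define our modern lives. Smart home users utilize the apps to control and automate such devices. Users can develop their own apps or easily download and install them from vendor-specific app markets. App-based SHSs offer many tangible benefits to our lives, but also unfold diverse security risks. Several attacks have already been reported for SHSs. However, current security solutions consider smart home devices and apps individually to detect malicious actions rather than the context of the SHS as a whole. The existing mechanisms cannot capture user activities and sensor-device-user interactions in a holistic fashion. To address these issues, in this paper, we introduce Aegis, a novel context-aware security framework to detect malicious behavior in a SHS. Specifically, Aegis observes the states of the connected smart home entities (sensors and devices) for different user activities and usage patterns in a SHS and builds a contextual model to differentiate between malicious and benign behavior. We evaluated the efficacy and performance of Aegis in multiple smart home settings (i.e., single bedroom, double bedroom, duplex) with real-life users performing day-to-day activities and real SHS devices. We also measured the performance of Aegis against five different malicious behaviors. Our detailed evaluation shows that Aegis can detect malicious behavior in SHS with high accuracy (over 95\%) and secure the SHS regardless of the smart home layout, device configuration, installed apps, and enforced user policies. Finally, Aegis achieves minimum overhead in detecting malicious behavior in SHS, ensuring easy deployability in real-life smart environments.},
  keywords  = {IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}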
Amit Kumar Sikder, Hidayet Aksu, A Selcuk Uluagac
{6thSense}: A context-aware sensor-based attack detector for smart devices Conference Paper
In the Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), 2017.
Abstract | Links | BibTeX | Tags: IoT Security, Smart Home Security
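@inproceedings{Sikder6thSenseUSENIX,
  title     = {{6thSense}: A context-aware sensor-based attack detector for smart devices},
  author    = {Amit Kumar Sikder and Hidayet Aksu and A Selcuk Uluagac},
  booktitle = {Proceedings of the 26th {USENIX} Security Symposium ({USENIX} Security 17)},
  year      = {2017},
  date      = {2017-01-01},
  url       = {https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/sikder},
  urldate   = {2017-01-01},
  abstract  = {Sensors (e.g., light, gyroscope, accelerometer) and sensing enabled applications on a smart device make the applications more user-friendly and efficient. However, the current permission-based sensor management systems of smart devices only focus on certain sensors and any App can get access to other sensors by just accessing the generic sensor API. In this way, attackers can exploit these sensors in numerous ways: they can extract or leak users’ sensitive information, transfer malware, or record or steal sensitive information from other nearby devices. In this paper, we propose 6thSense, a context-aware intrusion detection system which enhances the security of smart devices by observing changes in sensor data for different tasks of users and creating a contextual model to distinguish benign and malicious behavior of sensors. 6thSense utilizes three different Machine Learning-based detection mechanisms (i.e., Markov Chain, Naive Bayes, and LMT) to detect malicious behavior associated with sensors. We implemented 6thSense on a sensor-rich Android smart device (i.e., smartphone) and collected data from typical daily activities of 50 real users. Furthermore, we evaluated the performance of 6thSense against three sensor-based threats: (1) a malicious App that can be triggered via a sensor (e.g., light), (2) a malicious App that can leak information via a sensor, and (3) a malicious App that can steal data using sensors. Our extensive evaluations show that the 6thSense framework is an effective and practical approach to defeat growing sensor-based threats with an accuracy above 96\% without compromising the normal functionality of the device. Moreover, our framework costs minimal overhead.},
  keywords  = {IoT Security, Smart Home Security},
  pubstate  = {published},
  tppubtype = {conference}
}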
Kemal Akkaya, A Selcuk Uluagac, Abdullah Aydeger, Apurva Mohan
Secure Software Defined Networking Architectures for The Smart Grid Journal Article
Smart Grid-Networking, Data Management, and Business Models Book, 2017.
Abstract | Links | BibTeX | Tags: CPS Security, SDN Security, Smart Home Security
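@article{AkkayaSecureSmart,
  author        = {Akkaya, Kemal and Uluagac, A. Selcuk and Aydeger, Abdullah and Mohan, Apurva},
  title         = {Secure Software Defined Networking Architectures for The Smart Grid},
  journal       = {Smart Grid-Networking, Data Management, and Business Models Book},
  year          = {2017},
  date          = {2017-01-01},
  doi           = {10.1201/b19664-3},
  url           = {https://www.taylorfrancis.com/chapters/edit/10.1201/b19664-3/secure-software-defined-networking-architectures-smart-grid-kemal-akkaya-selcuk-uluagac-abdullah-aydeger-apurva-mohan},
  urldate       = {2017-01-01},
  abstract      = {This chapter summarizes the use of software-defined networking (SDN) for various applications in the smart grid. It explains how SDN can be utilized in the applications, describes potential security threats that can arise as a result of deploying SDN in these applications, and suggests solutions to alleviate the threats. The chapter explores the ample unique research challenges within an SDN-enabled smart grid infrastructure and provides some background on SDN. It examines how several smart grid applications can exploit SDN by summarizing the existing efforts and discusses the security issues with SDN and potential security threats related to smart grid-enabled SDN. The SDN-enabled networks become more flexible and accessible networks with software interfaces making it very convenient for network management. SDN can provide more fine-grained control on traffic compared to traditional networks. SDN enables innovation on the network and each transmission control protocol/Internet protocol layer might have an independent innovation.},
  keywords      = {CPS Security, SDN Security, Smart Home Security},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Review: the abstract calls this work a chapter and the url is a book-chapter page, so the entry is probably an incollection whose booktitle is the journal value without the trailing word Book. No publisher is recorded here, so the entry type was left unchanged; confirm before retyping. The doi value is copied from the url path; confirm that it resolves. Author names were moved to Last, First form and the initial A was given a period. The date and urldate values look like export placeholders; confirm.},
}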
Leonardo Babun, Hidayet Aksu, A. Selcuk Uluagac
Identifying counterfeit smart grid devices: A lightweight system level framework Conference Paper
In the Proceedings of the IEEE International Conference on Communications (ICC), 2017.
Tags: Fingerprinting, Smart Home Security
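@inproceedings{BabunIdentifyingIEEEICC,
  author        = {Babun, Leonardo and Aksu, Hidayet and Uluagac, A. Selcuk},
  title         = {Identifying counterfeit smart grid devices: A lightweight system level framework},
  booktitle     = {Proceedings of the {IEEE} International Conference on Communications ({ICC})},
  year          = {2017},
  date          = {2017-01-01},
  url           = {https://ieeexplore.ieee.org/document/7996877},
  urldate       = {2017-01-01},
  abstract      = {The use of counterfeit smart grid devices throughout the smart grid communication infrastructure represents a real problem. Hence, monitoring and early detection of counterfeit smart grid devices is critical for protecting smart grid's components and data. To address these concerns, in this paper, we introduce a novel system level approach to identify counterfeit smart grid devices. Specifically, our approach is a configurable framework that combines system and function call tracing techniques and statistical analysis to detect counterfeit smart grid devices based on their behavioural characteristics. Moreover, we measure the efficacy of our framework with a realistic testbed that includes both resource-limited and resource-rich counterfeit devices. In total, we analyze six different counterfeit devices in our testbed. The devices communicate via an open source version of the IEC61850 protocol suite (i.e., libiec61850). Experimental results reveal an excellent rate on the detection of smart grid counterfeit devices. Finally, the performance analysis demonstrates that the use of the proposed framework has minimal overhead on the smart grid devices' computing resources.},
  keywords      = {Fingerprinting, Smart Home Security},
  pubstate      = {published},
  tppubtype     = {conference},
  internal-note = {Review: the entry type was changed from the conference alias to inproceedings. The leading words In the were dropped from booktitle because bibliography styles print their own In before the proceedings title. Acronyms in booktitle are brace-protected and author names were moved to Last, First form. No doi is recorded; add one if the publisher page lists it. The date and urldate values look like export placeholders; confirm.},
}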
Nico Saputro, Ali Ihsan Yurekli, Kemal Akkaya, Selcuk Uluagac
Privacy preservation for IoT used in smart buildings Journal Article
Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations, 2016.
Tags: IoT Security, Privacy Preserving, Smart Home Security
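@article{SaputroPrivacyIOT,
  author        = {Saputro, Nico and Yurekli, Ali Ihsan and Akkaya, Kemal and Uluagac, Selcuk},
  title         = {Privacy preservation for {IoT} used in smart buildings},
  journal       = {Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations},
  year          = {2016},
  date          = {2016-01-01},
  url           = {https://www.sciencedirect.com/science/article/pii/S0167739X23001322},
  urldate       = {2016-01-01},
  abstract      = {Smart Buildings (SBs) employ the latest IoT technologies to automate building operations and services with the objective of increasing operational efficiency, maximising occupant comfort, and minimising environmental impact. However, these smart devices – mostly cloud-based – can capture and share a variety of sensitive and private data about the occupants, exposing them to various privacy threats. Given the non-intrusive nature of these devices, individuals typically have little or no awareness of the data being collected about them. Even if they do and claim to care about their privacy, they fail to take the necessary steps to safeguard it due to the convenience offered by the IoT devices. This discrepancy between user attitude and actual behaviour is known as the ‘privacy paradox’. To address this tension between data privacy, consent and convenience, this paper proposes a novel solution for informed consent management in shared smart spaces. Our proposed Informed Consent Management Engine (ICME) (a) increases user awareness about the data being collected by the IoT devices in the SB environment, (b) provides fine-grained visibility into privacy conformance and compliance by these devices, and (c) enables informed and confident privacy decision-making, through digital nudging. This study provides a reference architecture for ICME that can be used to implement diverse end-user consent management solutions for smart buildings. A proof-of-concept prototype is also implemented to demonstrate how ICME works in a shared smart workplace. Our proposed solution is validated by conducting expert interviews with 15 highly experienced industry professionals and academic researchers to understand the strengths, limitations, and potential improvements of the proposed system.},
  keywords      = {IoT Security, Privacy Preserving, Smart Home Security},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Review: the url and abstract may belong to a different work than the title, venue and year recorded here. The url is a journal-article page, while the journal field reads like a book title. The abstract describes an Informed Consent Management Engine that the title does not mention. Verify both against the 2016 publication and replace them if they were attached by mistake. The abstract also contains non-ASCII dashes and quotation marks, which classic BibTeX does not handle; use LaTeX escapes or process the file with Biber. Author names were moved to Last, First form and the acronym in the title is brace-protected.},
}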
Citations: 8413
h-index: 44
i10-index: 107