Through the Spyglass: Towards IoT Companion App Man-in-the-Middle Attacks

Abstract

The lack of mature development in smart home companion applications complicates Internet of Things (IoT) security and privacy. Companion applications offer transparency and control for smart home devices that otherwise lack displays or interfaces. We access our smart home devices through a distributed communication architecture that seamlessly integrates smart home devices, cloud-based servers, and our mobile devices. This paper seeks to better understand IoT security and privacy by studying the design flaws of this distributed communications channel for smart home devices. To understand this, we then assess the vulnerability of 20 popular smart home vendors to this attack. Our analysis discovers pervasive failures in the distributed communications channels across 16 different vendors. A successful attack allows adversaries to conceal device users, manipulate the state of locks, spoof camera images, and manipulate history log files. While our work uncovers pervasive failures, vendors can take measures to improve confidentiality and integrity in smart home devices and their applications.