Delay Wreaks Havoc on Your Smart Home: Delay-based Automation Interference Attacks

With the proliferation of Internet of Things (IoT) devices and platforms, it becomes a trend that IoT devices associated with different IoT platforms coexist in a smart home, demonstrating the following characteristics. First, a smart home may use more than one platform to support its devices and automation. Second, IoT devices of a home may transmit messages over different paths. By selectively delaying IoT messages, our study finds that two issues, inconsistency and disorder, can be exacerbated by attackers significantly. We then explore how these issues can be exploited and present seven types of exploitation, collectively referred to as Delay-based Automation Interference (DAI) attacks. DAI attacks cause home automation to yield incorrect interaction results, placing the IoT devices and smart home in insecure, unsafe, or unexpected states. It is worth highlighting that DAI attacks do not depend on any IoT implementation vulnerabilities or leaked keys/tokens, and they do not trigger alarms at any layers of the IoT protocol stack. To demonstrate and evaluate the new attacks, we set up two real-world testbeds, where commercial IoT devices and apps are deployed. The week-long experiments from both testbeds show that an attacker has adequate opportunities to launch DAI attacks that cause security or safety issues.