The University of Southampton
University of Southampton Institutional Repository

Can allowlists capture the variability of home IoT device network behavior?




He, W., Bryson, K., Calderon, R., Prakash, V., Feamster, N., Huang, D.Y. and Ur, B. (2024) Can allowlists capture the variability of home IoT device network behavior? In Proceedings - 9th IEEE European Symposium on Security and Privacy, Euro S and P 2024. pp. 114-138. (doi:10.1109/EuroSP60621.2024.00015).

Record type: Conference or Workshop Item (Paper)

Abstract

Home Internet of Things (IoT) devices can be difficult for users to secure. Prior work has suggested measuring these devices' network behaviors and using these characterizations to create allowlists of permitted endpoints. Unfortunately, previous studies have typically been conducted in controlled lab settings, with one or two devices per product. In this paper, we examine whether popular home IoT products' network behaviors generalize via both in-lab experiments of 24 devices and a large, crowdsourced dataset of IoT devices in the wild. We find that observing traffic from one device in one lab is often insufficient to fully characterize an IoT product's network behaviors. For example, specifying which endpoints a device may contact based on initial measurements in our lab led 25% of products to stop functioning later, and even more when using a VPN. We then used the crowdsourced dataset to better understand this traffic's heterogeneity and pinpoint how to create more generalizable allowlists. We identified causes of failure, such as regionalization, CDN usage, third-party integrations, and API changes. Finally, we used the crowdsourced data in numerous configurations to specify which endpoints each product in our lab could contact. We found that domain-level allowlists enabled the majority of devices to function in our lab using data collected years in the past. For the remaining devices, we characterize how to mitigate the failures observed and pave the way to creating more generalizable allowlists.

This record has no associated files available for download.

More information

Published date: 8 July 2024
Additional Information: Publisher Copyright: © 2024 IEEE.

Identifiers

Local EPrints ID: 496529
URI: http://eprints.soton.ac.uk/id/eprint/496529
PURE UUID: ad414389-1960-4e5b-8681-2a4cabc05533

Catalogue record

Date deposited: 17 Dec 2024 17:47
Last modified: 18 Dec 2024 03:19

Contributors

Author: W. He
Author: K. Bryson
Author: R. Calderon
Author: V. Prakash
Author: N. Feamster
Author: D.Y. Huang
Author: B. Ur
