Privacy invasion via smart-home hub in personal area networks

Smart-home devices are being increasingly used in our daily lives. While these devices provide convenient functions to users, such convenience may come at a greater cost, such as the leakage of the user’s private information. This paper presents a system ChatterHub to address privacy risks in smart-home devices. Specifically, this work focuses on the devices that use Zigbee or Z-wave and are controlled by a centralized smart-home hub in a personal area network (PAN) for connecting to the Internet. ChatterHub passively eavesdrops on encrypted network traffic from the hub and leverages machine learning techniques to classify events and states of smart-home devices. We deployed ChatterHub on three real-world smart-home settings to evaluate its accuracy and efficiency. The evaluation results show that the attacker can successfully disclose smart-home devices’ behaviors with over 89% of recall and -score. We also demonstrate that an attacker can interfere with the smart-home hub’s communication and selectively drop packets to disable alerting users of a device’s status, such as security sensors and smart-locks. Furthermore, as a mitigation approach, we developed a packet-injection approach to effectively prevent threats from ChatterHub by generating only 9.2 MB of extra network traffic per day.