2021 IEEE 2nd International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE 2021)
2021 IEEE 2nd International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE) | 978-1-6654-1540-8/20/$31.00 ©2021 IEEE | DOI: 10.1109/ICBAIE52039.2021.9389849
Smart Home Security Analysis System Based on The
Internet o f Things
Rui Yu
D epartm ent o f C om puter Science and T echnology
O cean U niversity o f China
Q ingdao, Shandong, C hina
yurui@ stu.ouc.edu.cn
M inyuan Z hang
D epartm ent o f Com puter Science and Technologry Ocean
U niversity o f C hina
Q ingdao, Shandong, C hina
zhangm inyuan@ stu.ouc.edu.cn
Abstract—In recent years, the Internet of Things technology
has developed rapidly and has a wide range of applications in the
fields of smart home, Internet of Vehicles, and Industrial Internet
of Things. Most of the emerging smart devices have relatively
simple architectures, and security vulnerabilities may exist in the
perception layer, transport layer, and application layer. At
present, most of the security analysis frameworks for IoT devices
require additional high-performance devices. At the same time,
the emerging "mining" malware and other attack methods that
directly plunder the computing resources of the device have not
received attention. In response to the above problems, this paper
designs and implements a smart home security analysis system.
Our experiments show that the system can effectively detect and
defend against contactless attacks that smart homes may suffer,
and has a small impact on home network performance. The
system can better solve the contradiction between smart home
network security requirements and device performance
limitations.
Keywords-Internet o f Things; Smart Home Security; Malware
Detection; Firmware Security
I. In t r o d u c t io n
The Internet of Things (IoT) is a system composed of
interconnected computing devices, machinery, objects, animals
or people, and can transmit data through the network to achieve
direct interaction between things. In recent years, as the
Internet of Things technology continues to heat up, more and
more smart home devices have provided convenience to
people's lives. However, in the past few years, the security
vulnerabilities of smart home devices have been exploded.
Smart home devices have been compromised and turned into
"monitoring devices" or used to launch DDoS (Distributed
Denial of Service) attacks [1].
Although the research on the security of smart home
systems is gradually increasing, it is still in its infancy. At
present, there are many IoT devices on the market, but the
protection functions of these IoT devices are very lacking. For
firmware vulnerabilities, we can only wait for manufacturers to
repair and update the firmware. However, most of the current
security analysis frameworks for IoT devices require additional
high-performance devices. At the same time, the emerging
978-1-6654-1540-8/21/$31.00 ©2021 IEEE
596
Authorized licensed use limited to: Carleton University. Downloaded on May 28,2021 at 15:02:44 UTC from IEEE Xplore. Restrictions apply.
X iaohua Z hang*
State Grid Shandong E lectric Pow er W eifang Pow er Supply
Com pany
W eifang, Shandong, China
C o rre sp o n d in g author: 1041740457@ qq.com
"mining" malware directly captures them. The attack method of
equipment computing resources has not been taken seriously.
Manufacturers want to control costs, most of the IoT devices
on the market have very limited computing resources and
performance. It is not feasible to use complex security software
on the device, and add new security protection equipment to
the home network.
This paper puts forward a smart home security analysis
system based on home routers by studying a variety of smart
home devices. The system can effectively detect and defend the
current contact attacks that smart homes may suffer, such as
firmware implantation attacks, non-contact attacks and attacks
on computing resources. At the same time, plug-ins can be used
to cover possible vulnerabilities in the future. The system
supports the protection of home network security without
adding any external devices. This paper designs simulation
experiments to test devices such as "smart speakers", and
"smart routers". Our experiments show that the system detects
and mitigates common attacks effectively, and has a small
impact on home network performance.
II. Re l a t ed Wo r k
In 2015, Subramanyan [2] used symbolic execution to
detect the security of the information flow in the firmware. In
2017, DeMarinis [3] conducted a multi-dimensional analysis of
the network traffic of IoT devices and proved that it is feasible
to build a policy-based malicious traffic restriction framework.
Lau [4] found that Amazon Echo smart speakers exposed
debugging interfaces, which can directly implant backdoor
programs into smart speakers to realize remote control and
monitoring of the speakers. Zhang [5] found that it is possible
to use ultrasonic waves that cannot be heard by humans to
attack smart speakers to achieve complete control of smart
speaker devices. The advantage is that the user cannot detect
the existence of the attack, and the disadvantage is also obvious
that the attack can not be too far away.
III. Th e De s i g n of Sm a r t H o m e Se c u r it y An a l y s is
Sy s t e m
The smart home security analysis system model
implemented in this paper is shown in Fig. 1. The system
mainly includes the traffic capture module, the traffic analysis
module, the system detection module, and the warning
notification module. The traffic capture module captures the
traffic passing through the router, which is used in the next
traffic analysis module. The traffic analysis module will
perform matching analysis on the captured traffic to determine
whether the traffic is malicious traffic or unexpected traffic,
and the captured traffic is cleaned and reissued. The system
detection module mainly detects "mining" malware, monitors
the progress of the system in real time, restricts abnormal
processes that occur, and sends notifications to users through
the warning notification module. The warning notification
module sends warning notifications to users. When the system
detects an attack or a vulnerability that cannot be handled, it
can promptly notify users of the existence of security risks

The traffic analysis

module

Protocol analysis
Inflow
Inflow
Implant attack analysis

Outflow <=■ Outflow

The System Detection Module

System performance testing

r> Exploit detection

Plugin
V
library
> Repair

Figure 1. The process of smart home security analysis system.

A. The traffic capture module
The traffic capture module collects the data packets that
need to be inspected, and delivers them to the traffic analysis
module for further processing. This module mainly uses the
Netfilter framework to capture traffic. The Netfilter framework
sets up five monitoring points [6]. At each monitoring point,
developers can write their own callback functions (HOOK) to
analyze and process the traffic flowing there. The location of
the monitoring points are shown in Fig. 2.

-Message entry- — Message export-

After the network data packet enters the IP layer, it first TABLE I. Ca l l b a c k f u n c t io n r e t u r n v a l u e a n d c o r r e s po n d in g
passes through the PRE_ROUTING point to determine whether OPERATION.
the destination address is local. If it is, it will be transferred
Function
from the LOCA_IN point to the upper layer protocol stack, return value
Operation
otherwise, it will pass through the FORWARD point and flow
NF_DROP Drop this packet
out via POST_ROUTUNG. The data packet sent by this
machine passes through LOCA_OUT point and flows out NF_ACCEPT Keep this packet
through POST_ROUTUNG. At the same time, after the Hook
NF_STOLEN Ignore this packet
function completes the verification of the data packet, it can
return different values to perform different operations on the Insert data packet into
NF_QUEUE
user space
data packet. The return value and corresponding operation are Call this callback
shown in tab. I . NF_REPEAT
function again

597

Authorized licensed use limited to: Carleton University. Downloaded on May 28,2021 at 15:02:44 UTC from IEEE Xplore. Restrictions apply.
 The traffic capture module mainly obtains data packets at
the two hooks PRE_ROUTING and POST_ROUTUNG. Then,
the traffic analysis module will be invoked to perform
statistical analysis on the captured data packets.
B. The traffic analysis module
• The second method is page jump notification. This
This module analyzes the amount, content, and protocol
types of traffic passing through smart home devices, and
determines whether the data packet contains malicious content,
abnormal protocols, or whether there is abnormal flow in the
flow through it, whether there is abnormal increase in flow, etc.
• In the first method, the risk information is sent to the
owner's mailbox by email to remind the owner that a
certain device has a security risk, and the owner is
requested to perform the corresponding repair
operation.
method is used in emergency situations. All pages
accessed by the user are redirected to the alert
information page.
IV. Ev a l u a t io n

After the traffic is acquired, the traffic analysis module first In order to verify the actual effect of the smart home
classifies and recognizes the protocol, address, main content, security analysis system, this paper installs the analysis system
etc. in the data packet for subsequent detection and analysis. If on the experimental router and selects smart home devices
the device has monitoring capabilities, such as smart speakers, from different manufacturers and models to connect to the
smart TVs, smart cameras, etc., the module detects router. The performance experiment selects common network
implantation attack and extracts fingerprints from fingerprint operations of ordinary users to verify the impact of the system
database for matching identification. If the device does not on home network performance.
have monitoring components, the protocol of the device needs
A. The Equipment
to be screened. After passing the protocol detection, malicious
content and illegal IP screening will be carried out. After all the The details of the smart router equipped with the security
above checks are passed, it is necessary to perform statistics on analysis system is shown in tab. II.
recent traffic to determine whether there is a short-term surge
TABLE II. THE DETAILS OF THE SMART ROUTER.
in traffic, and finally decide whether to release the traffic.
C. The System Detection Module Model NETGEAR WNDR4300
WLAN
The main function of the system detection module has two Atheros AR9344
Hardware
parts:
CPU MHz 560
• The first part is aimed at "mining" malicious files, real-
RAM MB 128
time detection of system performance, and system
timing tasks to find suspicious items. Flash MB 128NAND
• The second part is explores the possible weaknesses of Release OpenWrt Chaos Calmer
the system and the smart home devices connected to
The Linux
the local launch hotspot. For the vulnerabilities that 3.18.29
kernel version
have been exposed, the verification scripts and
The details of the laptop used in the attack experiment
mitigation scripts are specially written, and they are
platform is shown in tab. III.
regularly checked and repaired.
The first part is the detection of "mining" malicious files. TABLE III. Th e d e t a il s o f t h e l a pt o p .
The main purpose of "mining" malicious files obtain benefits
by plundering the computing resources of the device. In order Brand Name Hasee
to maximize the benefits, the device's CPU is generally fully Model
utilized. The detection method of this module is filtering the K670E-G6E3
Number
processes that restart frequently, and obtaining their CPU CPU Intel i5 8400
occupancy rate to distinguish whether they are "mining"
malicious files. The second part is device vulnerability CPU MHz 2.8GHz
detection. This module plays a role by maintaining the POC RAM 8GB
plug-in library and the corresponding repair plug-in library. It Hard Drive
is necessary to regularly write POC scripts and corresponding 256GB+1TB
Capacity
repair scripts for vulnerabilities that burst on the network. The details of the Smart speaker is shown in tab. IV.
D. The warning notification module
TABLE IV. Th e d e t a il s o f t h e Sm a r t Sp e a k e r .
The warning notification module is responsible for sending
reports to users after receiving risk messages from other CPU Allwinner R16
modules. This module needs to notify users as quickly as
Architecture ARMv7
possible so that users can find risks and take measures as early
as possible. This module adopts two notification methods RAM 256MB
according to different security risk levels to improve the Operating
OpenWrt
success rate of users receiving notifications System
The Linux
Linux 3.4
kernel version

598

Authorized licensed use limited to: Carleton University. Downloaded on May 28,2021 at 15:02:44 UTC from IEEE Xplore. Restrictions apply.
B. Experimental Results selected to simulate the real scenario. The "mining" malware
In the non-contact attack experiment, in order to approach scrlPt is modified and uPloaded to the device through scp. The
the real usage scenario, the open source botnet virus Mirai[7] is final experimental results are shown in tab. V

TABLE V. N o n -c o n t a c t a t t a c k d ef en se r esu l t .

Equipment Protocol Attack Method Result

Smart HTTP Command Injection Success
Router(TP-
Link) HTTP Stack Overflow Success
Smatr TCP DDos Mirai Success
Router(NETG
EAR) HTTP "Mining" Malware Success

The system is built in a home wireless router and needs to

analyze and process the passing traffic. This is equivalent to V. CONCLUTION
adding a step to the normal network access, which will affect This paper designs and implements a router-based smart
the throughput of the original network. In order to cover the home security analysis system. Our experiments show that the
network operations of users who use the network daily, four smart home security analysis system can effectively detect and
different performance test items are designed. The results are defend against the attacks, and it can use plug-ins to cover
shown in tab. VI. possible vulnerabilities in the future.
• Using the ping command to test the response time of The next step will consider introducing machine learning
the network. algorithms into the system, so that abnormal traffic can be
• Using the system ftp command to download a specific identified more accurately.
file, and counting the total time and average download
speed. Re f e r en c es

• Using the system wget command to download files, [1] Antonakakis, Manos, et al. "Understanding the mirai botnet." 26th
and counting the total time and average download {USENIX} security symposium ({USENIX} Security 17). 2017.
speed. [2] Subramanyan, Pramod, et al. "Verifying information flow properties of
firmware using symbolic execution." 2016 Design, Automation & Test
• Using a browser to open frequently used web pages in Europe Conference & Exhibition (DATE). IEEE, 2016.
and calculating the average time consumption.
[3] DeMarinis, Nicholas, and Rodrigo Fonseca. "Toward usable network
traffic policies for IoT devices in consumer networks." Proceedings of
TABLE VI. Th e r esul t of Sy s t e m pe r f o r m a n c e Te s t . the 2017 Workshop on Internet of Things Security and Privacy. 2017.
[4] Lau, Josephine, Benjamin Zimmerman, and Florian Schaub. "Alexa, are
Result
you listening? privacy perceptions, concerns and privacy-seeking
Test Item The system is The system is behaviors with smart speakers." Proceedings of the ACM on Human-
turned on not turned on Computer Interaction 2.CSCW (2018): 1-31.
pmg 22.951ms 24.287ms [5] hang, Guoming, et al. "Dolphinattack: Inaudible voice commands."
Proceedings of the 2017 ACM SIGSAC Conference on Computer and
3.32s 3.91s
ftp Communications Security. 2017.
(9.34MB/s) (7.93MB/s)
[6] Yang, Yang, and Wang Yonggang. "A software implementation for a
6.52s 7.53s
wget hybrid firewall using linux netfilter." 2010 Second World Congress on
(10.41MB/s) (9.02MB/s) Software Engineering. Vol. 1. IEEE, 2010.
browser 10.91s 11.22s [7] GITHUB. Mirai Source Code. https://github.com/jgamblin/Mirai-
Source-Code.

599

Authorized licensed use limited to: Carleton University. Downloaded on May 28,2021 at 15:02:44 UTC from IEEE Xplore. Restrictions apply.