Just one device could leave your home vulnerable to cyber attacks
It seems like just about every new household device connects to the internet these days. Thermostat? Check. Doorbell? Yup. Washer and dryer? In 2024, of course. Even pet feeders connect to WiFi now to be controlled by an app.
While this is all convenient for the dishwashers and pet owners of the world, this trend also leaves consumers vulnerable to cyberattacks. That’s because Internet of Things (IoT) devices tend to be full of security vulnerabilities, and there are ample examples of IoT devices serving as backdoors into private networks and then being used as botnets (infected malware) in malicious denial of service attacks.
BYU computer engineering professor Phil Lundrigan says these exploits are possible because of WiFi’s security design. That’s because when you connect a device to your WiFi by providing your network name and password, you give the device full access to your network. And just one unsecure device can compromise an entire network.
“When you hook up a device to the network, it can start scanning for vulnerabilities; or maybe it’s a Trojan horse, monitoring the traffic on your network,” Lundrigan said. “You buy this cheap device, but how do you know if you can trust it? We are saying don’t connect it to the network — use our technology instead.”
According to Lundrigan, WiFi has only two modes of trust: complete trust or complete distrust. He used the analogy of someone coming to your house and the only two options are to never answer the door or to give them the keys to the house. “There’s got to be an in-between option,” he said.
An in-between option that grants partial trust would allow consumers to connect simple IoT devices like air quality monitors to their home network without the risk of it compromising the network. And that’s exactly what Lundrigan and a team of students — Jacob Johnson, Ashton Palacios and undergraduate student Cody Arvonen — have created.
Their solution allows for communication between a WiFi device, such as a sensor, that sends little amounts of data, and a trusted WiFi network, without connecting the device to the network. Lundrigan and his colleagues achieve communication through the following technical steps:
- First they strategically and “surgically” jam the WiFi communications with the device.
- This jamming causes the time it takes for data to travel across the network (called latency) to increase momentarily.
- The pattern in which the device jams the network conveys information.
- A different device on the network detects the changes in latency and receives the data.
The result is a new wireless subprotocol they call “Latency Shift Keying," or "LSK." Going back to the stranger-on-your-doorstep analogy, Lundrigan says LSK is like having someone knock on your door, but they knock in a particular pattern to convey data. Prior to this new method, there were only two ways of using the (WiFi) door: open it or keep it closed. Now there’s a third way to interact with the person on the other side of the door.
“Communication through knocking requires someone to be home and listening, which is the same as our protocol — you need a device inside the network looking for LSK messages,” Lundrigan said. “Knocking and LSK work because the outsider can affect something about the physical environment that the insider can 'hear' and measure. In the case of knocking, it’s the sound it makes; in the case of LSK, it’s the latency.”
The method creates an air gap for safety between the untrusted IoT devices and a secured network. It allows communication to only go one direction and only when the trusted WiFi network needs to receive data. The full technical details can be found in a paper recently accepted for presentation at the 2024 International Conference on Mobile Computing and Networking (MobiCom).
Lundrigan said that while other solutions to this problem exist (such as network partitioning using separate WiFi networks), they usually require additional hardware or advanced network configuration, which usually requires some advanced knowledge. Lundrigan’s software-based solution requires no additional hardware and utilizes the main WiFi network.
Read more about Lundrigan's work here: https://netlab.byu.edu/projects/
