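Timeout
Computer science
Computer network
Network packet
Overhead (engineering)
Event (particle physics)
Computer security
Transport Layer Security
Encryption
Operating system
Physics
Quantum mechanics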
Authors
Chenglong Fu, Qiang Zeng, Haotian Chi, Xiaojiang Du, Siva Likitha Valluru
Identifier
DOI:10.1109/dsn53405.2022.00050
Abstract
This paper unveils a set of new attacks against Internet of Things (IoT) automation systems. We first propose two novel IoT attack primitives: Event Message Delay and Command Message Delay (event messages are generated by IoT devices to report device states, and command messages are used to control IoT devices). Our insight is that timeout detection in the TCP layer is decoupled from data protection in the Transport Layer Security (TLS) layer. As a result, even when a session is protected by TLS, its IoT event and/or command messages can still be significantly delayed without triggering alerts. It is worth highlighting that, by compromising/controlling one WiFi device in a smart environment, the attacker can delay the IoT messages of other non-compromised IoT devices; we thus call the attacks IoT Phantom-Delay Attacks. Our study shows the attack primitives can be used to build rich attacks and some of them can induce persistent effects. The presented attacks are very different from jamming. 1) Unlike jamming, our attacks do not discard any packets and thus do not trigger re-transmission. 2) Our attacks do not cause disconnection or timeout alerts. 3) Unlike reactive jamming, which usually relies on special hardware, our attacks can be launched from an ordinary WiFi device. Our evaluation involves 50 popular IoT devices and demonstrates that they are all vulnerable to the phantom-delay attacks. Finally, we discuss the countermeasures. We have contacted multiple IoT platforms regarding the vulnerable IoT timeout behaviors, and Google, Ring and SimpliSafe have acknowledged the problem.