Authentication Using Credentials Submitted by Your Smart Home

poc/demo

August 29th, 2019

#smart home #authentication #security #dos #pods #iot


The IoT SCOE is supported by the Chief Security Office’s Research group. This team of innovators finds novel solutions to security problems in an effort to find new ways of helping our customers. AT&T has a patent on the problem of Personal DoS and we are working to build products and services to deliver ideas like this into the real world.


Targeted attacks are becoming more and more common, and individuals are experiencing a bewildering future. In a connected world of IoT devices, your exposure to attack is a constant concern.


One specific form of attack is Personal Denial of Service (PDoS), a form of cybercrime that knocks a person off their devices and locks them out of their personal connected world. Our researchers Wei Wang and Cristina Serban propose a solution against Personal Denial of Service using an unlikely ally. They propose using smart home security features to save the day.


Victims are often specifically targeted by the attacker in a PDoS attack. The goal is to block the user from gaining access to the service or resource that they need to reach, especially within a deadline. This might be to conceal a more nefarious purpose, such as locking them out so that they can’t check bank accounts or credit cards for fraudulent activity. Or, in a simpler but critical example, it might be to prevent a student from submitting homework online by the required deadline.


So how does the smart home help? By providing an independent method for authenticating the user. The end-user’s smart home has mechanisms to verify a home resident’s identity, such as presence at home, facial recognition, fingerprint, voice print, and so on. Who-you-are and where-you-are as factors for authentication allow us to solve this challenge. Using these mechanisms, the smart home can issue an “ID verified” attestation for the end-user when needed, providing an alternate way of logging in. Just shout help and wave your phone and you’re in!
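The post does not specify a protocol, so the following is an added sketch, not AT&T's design or code: a home hub issues an “ID verified” attestation only when a who-you-are and a where-you-are factor both passed locally, and the online service checks it against a one-time challenge. The HMAC key enrolled per hub, the factor names, the 60-second freshness window and all function names are assumptions.

```python
import hashlib, hmac, json, secrets, time

# Assumed factor classes, following the page's "who-you-are" / "where-you-are".
WHO = {"face", "fingerprint", "voice"}
WHERE = {"presence_at_home"}
MAX_AGE_S = 60  # assumed freshness window for an attestation


def _mac(key: bytes, claims: dict) -> str:
    # Canonical JSON so hub and service compute the MAC over identical bytes.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def hub_attest(key, user, nonce, factors, now=None):
    """Home hub side: attest only if both factor classes were verified locally."""
    factors = set(factors)
    if not (factors & WHO and factors & WHERE):
        return None
    claims = {"sub": user, "nonce": nonce, "factors": sorted(factors),
              "iat": int(time.time() if now is None else now)}
    return {"claims": claims, "mac": _mac(key, claims)}


class Service:
    """Relying service: issues one-time challenges and verifies attestations."""

    def __init__(self, hub_keys):
        self.hub_keys = hub_keys      # user -> key enrolled for that user's hub
        self.pending = {}             # user -> outstanding challenge nonce

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify(self, att, now=None):
        now = time.time() if now is None else now
        c = att["claims"]
        key = self.hub_keys.get(c.get("sub"))
        if key is None or not hmac.compare_digest(_mac(key, c), att["mac"]):
            return False              # unknown hub or tampered claims
        if self.pending.pop(c["sub"], None) != c["nonce"]:
            return False              # replayed or unsolicited attestation
        if not 0 <= now - c["iat"] <= MAX_AGE_S:
            return False              # stale attestation
        f = set(c["factors"])
        return bool(f & WHO and f & WHERE)
```

Because the nonce is consumed on first use, a captured attestation cannot be replayed to open a second session.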


Even without an attack, this makes for an improved customer experience: the end-user can rely on the smart home for identity attestation to their accounts at any time. There is no need for end-users to know or use passwords, or an extra factor for authentication for critical accounts (e.g., for online banking), as the smart home can handle all of this on their behalf.


Similar ideas have been proposed for authentication to connected cars via proximity of both the user and their phone. We are building a proof-of-concept at the Middletown Hacking corner to prove this idea in a practical demonstration. Check back for updates on our progress!