The CROSSING Collaboration Award 2023 was given to the collaboration on the papers “SCAtt-man: Side-Channel Based Remote Attestation for Embedded Devices that Users Understand“ and ”Building Trust in Remote Attestation through Transparency – A Qualitative User Study on Observable Attestation" by the projects S2 (Christian Niesler and Sebastian Surminski from University Duisburg-Essen), and E7 (Sebastian Linsner and Kilian Demuth from TU Darmstadt).
From the perspective of end-users, IoT devices behave like a black box: As long as they work as intended, the user will not detect any compromise. The user has minimal control over the software. Hence, it is very likely that the user misses when for instance illegal recordings and transmissions occur if a security camera or a smart speaker gets hacked. Therefore, we developed SCAtt-man, the first remote attestation scheme that is specifically designed with the user in mind. SCAtt-man deploys software-based attestation to check the integrity of remote devices allowing users to verify the integrity of IoT devices with their smartphone.
However, software-based remote attestation inherently suffers from the root-of-trust problem: the verifier cannot identify the device that is being attested, allowing an attacker to replace the attested device with another device or a simulation, so-called offloading attacks. To tackle this problem, SCAtt-man utilizes user-observable side-channels like light or sound in the attestation protocol, so that the user can observe the attestation process and identify the attested device to detect offloading attacks.
Besides the technical challenges to implement a secure attestation scheme, the involvement of the user also demands for a good usability and user experience to make SCAtt-man usable in practice.
Our proof-of-concept implementation targets a smart speaker and an attestation protocol that is based on a data-over-sound protocol. Our evaluation demonstrates the effectiveness of SCAtt-man against a variety of attacks and its usability based on a comprehensive user study with 20 participants. Our user study not only showed that SCAtt-man has good usability, but participants also stated that they actually believe that attestation can detect a device’s compromise and that they would use such functionality if their own devices featured such an attestation functionality.
This user study leads us to a more fundamental question addressing remote attestation: Do users understand and trust remote attestation? Can transparency assist users in understanding remote attestation? And do users trust formerly compromised devices that have been restored and verified with remote attestation? These questions are neglected in research on remote attestation, but very relevant for a practical usage. To answer these questions, we performed an extensive user study with 35 participants. The participants were provided with a smart home setup and state-of-the-art smart speakers, which they could attest using a smartphone app. We simulated compromised smart speakers and asked the participants to conduct a process to resolve the compromise.
We discovered that trust increases when additional explanations of the technical process are provided and thus the understanding of the attestation process is improved. The enhanced understanding of the process also decreases the false trust many users have in devices or processes which they do not understand. Observable attestation via the audio channel also strengthens trust in the attestation process. We also found that the process of the observable attestation increases the trust in the device and the sense of security positively. Thus, increased transparency in security mechanisms increases not only the understanding but also the trust of users and reduces false assumptions about the own security.
Link to the Paper
SCAtt-man: Side-Channel Based Remote Attestation for Embedded Devices that Users Understand
The paper has been published the Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy (CODASPY'23).