Researchers propose ephemeral approach to IoT privacy

Josh Quicksall

Jul 6, 2022

IoT devices

Whether you are at the office, the gym, or even at a friend’s house for a BBQ this summer, chances are an IoT device is going to gather some sort of data about you. Compounding the fact that this data may be sensitive is the reality that many of these devices gather data on anyone within range, whether they are the owners of the device or not.

In new work presented at the 20th ACM International Conference on Mobile Systems, Applications and Services (MobiSys) last week, CyLab researchers aim to tackle precisely this problem. Authored by Han Zhang, a Ph.D. student in the Computer Science Department (CSD), alongside his advisors Yuvraj Agarwal, a professor in the Institute for Software Research (ISR), and Matt Fredrickson, a professor in CSD and ISR, “TEO: ephemeral ownership for IoT devices to provide granular data control” proposes a new model of ownership, IoT ephemeral ownership (TEO).

“Although smart devices and IoT, in general, have gained wide popularity over the past years, most existing systems and research efforts have been looking at a narrow use case—specifically, private smart homes,” says Zhang. “But IoT is increasingly present in shared spaces such as offices, conference rooms, and temporary residences. Management systems designed for smart homes are ill-suited to handle the complexity of these environments.”

And while smart device owners can currently create “guest” accounts, those owners still control access to the data generated, not the guests.

The goal is to protect ephemeral owners—actual device users—and give them exclusive control over the device and the data it captures while they use it.

Han Zhang, Ph.D. student, Computer Science Department

TEO addresses this issue by splitting the traditional holistic role of device owner. The model allows stakeholders to quickly register with an IoT device for a limited period of time, effectively claiming co-ownership over the sensitive data that the device generates. The sensitive data generated by the IoT device is encrypted and accessible only by individuals after seeking explicit permission from the data's co-owners.

“The goal is to protect ephemeral owners—actual device users—and give them exclusive control over the device and the data it captures while they use it,” Zhang says. “But it doesn’t end there. TEO addresses many other challenges in the IoT space that have plagued developers and consumers alike, such as minimizing the trust base, enabling group ownership and respecting everyone’s choices, and handling frequent user changes.”

Started in 2003 and sponsored by ACM SIGMOBILE, MobiSys seeks to present innovative and significant research on the design, implementation, usage, and evaluation of mobile computing and wireless systems, applications, and services. Their 2022 conference is to be held June 27 - July 1 in Portland, Oregon.

To learn more about TEO, the team invites you to check out their open-sourced prototype implementation, as well as the formal protocol model code on Github, build upon it, and improve it alongside them.