
Security for Smart Speakers

Smart speakers are highly popular and can be operated via voice commands. However, their microphones are always active, which raises concerns about the devices being hacked and spying on users.

To address this issue, remote attestation techniques can be used to verify the integrity of smart speakers. Within the DFG Collaborative Research Center CROSSING, the systems security group, in collaboration with researchers from the Technical University of Darmstadt, has developed a method called "SCAtt-man" that lets users check with their smartphones whether the software of their smart speakers has been altered or infected with malware. In a user study, the prototype was found to be highly usable, and users reported increased confidence in their smart speakers after using the process.

The project will be presented at the ACM Conference on Data and Application Security and Privacy (CODASPY) in Charlotte, NC, in April.

Publication:

Surminski, Sebastian; Niesler, Christian; Linsner, Sebastian; Davi, Lucas; Reuter, Christian: SCAtt-man: Side-Channel-Based Remote Attestation for Embedded Devices that Users Understand. In: Proc. of the 13th ACM Conference on Data and Application Security and Privacy (CODASPY). ACM, Charlotte, NC, United States 2023.

From the perspective of end-users, IoT devices behave like a black box: As long as they work as intended, the user will not detect any compromise. The user has minimal control over the software. Hence, it is very likely that the user misses that illegal recordings and transmissions occur if a security camera or a smart speaker is hacked. In this paper, we present SCAtt-man, the first remote attestation scheme that is specifically designed with the user in mind. SCAtt-man deploys software-based attestation to check the integrity of remote devices, allowing users to verify the integrity of IoT devices with their smartphone. The key novelty of SCAtt-man resides in the utilization of user-observable side-channels such as light or sound in the attestation protocol. Our proof-of-concept implementation targets a smart speaker and an attestation protocol that is based on a data-over-sound protocol. Our evaluation demonstrates the effectiveness of SCAtt-man against a variety of attacks and its usability based on a comprehensive user study with 20 participants.
