Delay-based Automation Interference Attacks（DAI Attacks）

Delay-based Automation Interference Attacks（DAI Attacks）

By selectively delaying IoT messages,our study finds that two issues, inconsistency and disorder,can be exacerbated by attackers significantly。 Unlike jamming or discarding packets, the attacks do not trigger alarms at any layers of the IoT protocol stack

7种攻击方式

When users cannot find a single platform to work with all their devices, they need to use multiple platforms.

The communication paths are different and thus have different transmission delays。via an IoT hub, vendor’s cloud B, which then delegates access。
不同平台在condition的定义上有不同。比如有的允许conditon设置为设备状态或时间，有的只允许时间，所以用户在某些规则上会选择能设置更多的平台

HA里控制开关，米家里也会更新

将智能家居系统分为三类:single-platform single-path (SPSP) systems, single-platform multi-path (SPMP) systems, and multi-platform (MP) systems。这种攻击只存在于SPMP和MP平台中

disorder：events (or commands) 以与其实际发生顺序不同的顺序到达平台（或设备）

inconsistency。两个平台对同一设备状态的观察结果不一致。This is because a new event from the device may have different delays when transmitted to the platforms (via different paths)

We utilize two attack primitives [16], selective event delaying and selective command delaying (which leverage
TCP hijacking attacks

跨层得分析各组件的沟通方式，如下图

This work utilizes side-channel attacks to infer smart home configuration information and build attacks。从加密的流量推断家庭配置

events and commands are typically transmitted using the SSL/TLS protocol及这种传输在IOT中的特点及存在的问题

The attacker selectively delays events/commands transmitted over a hijacked TCP session. To evade detection, the attacker does not discard any events/commands or delay them for an excessive period.

攻击者delay分两类，delay trigger event、delay整条command

Appendices B and C是具体的形式化过程

给出了Observation equivalence的定义。满足Observation equivalence的系统是CRI-resistant的

正常情况下，condition互斥不会overlap，但是如果推迟一者的condition check过程，就可能会在同时check导致overlap

请注意，无论一个人是进入还是离开，所产生的门事件序列都是相同的（例如，“解锁→打开→关闭→锁定”），因此不能用来推断房主是进入还是离开家，可能可以用于动态。

里面的TAP规则可以借鉴