DB-PAISA: Discovery-Based Privacy-Agile IoT Sensing+Actuation
Authors: Isita Bagayatkar (University of California, Irvine), Youngil Kim (University of California, Irvine), Gene Tsudik (University of California, Irvine)
Volume: 2025
Issue: 2
Pages: 434–449
DOI: https://doi.org/10.56553/popets-2025-0070
Abstract: Internet of Things (IoT) devices are becoming increasingly commonplace in both public and semi-private settings. Currently, most such devices lack mechanisms that allow for their discovery by casual (nearby) users who are not owners or operators. However, these users are potentially being sensed, and/or actuated upon, by these devices, without their knowledge or consent. This triggers privacy, security, and safety issues. To address this problem, some recent work explored device transparency in the IoT ecosystem. The intuitive approach is for each device to periodically and securely broadcast (announce) its presence and capabilities to all nearby users. While effective, when no new users are present, this 𝑃𝑢𝑠ℎ-based approach generates a substantial amount of unnecessary network traffic and needlessly interferes with normal device operation. In this work, we construct DB-PAISA which addresses these issues via a 𝑃𝑢𝑙𝑙-based method, whereby devices reveal their presence and capabilities only upon explicit user request. Each device guarantees a secure timely response (even if fully compromised by malware) based on a small active Root-of-Trust (RoT). DB-PAISA requires no hardware modifications and is suitable for a range of current IoT devices. To demonstrate its feasibility and practicality, we built a fully functional and publicly available prototype. It is implemented atop a commodity MCU (NXP LCP55S69) and operates in tandem with a smartphone-based app. Using this prototype, we evaluate energy consumption and other performance factors.
Keywords: IoT Privacy, Malware and its mitigation, Mobile and wireless security
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
