Method and apparatus for compromised IoT device detection

Abstract

A method and apparatus for determining one or more first devices that are Internet devices meeting all of the following conditions: residing at a given location; equipped with one or more ambience sensing capable sensors; and operation mode being such that their ambience sensing capable sensors should not cause transmission of data. One or more second devices are determined that are Internet devices at the given location and equipped with one or more elements capable of causing an ambient stimulation detectable by the sensors of one or more first devices. Data transmissions of the first devices are monitored. Issuing of the ambient stimulation is caused by a subset of the one or more second devices. It is determined whether the issuing of the ambient stimulation caused a significant change in the monitored data transmissions of the first devices.

Claims

1. An apparatus comprising at least one processor; and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following: determine one or more first devices that are Internet devices meeting the following conditions: residing at a given location; equipped with one or more ambience sensing capable sensors; and operation mode being such that their ambience sensing capable sensors should not cause transmission of data; determine one or more second devices that are Internet devices at the given location and equipped with one or more elements capable of causing an ambient stimulation detectable by the sensors of one or more first devices; monitor data transmissions of the first devices; cause issuing of the ambient stimulation by a subset of the one or more second devices; and determine whether the issuing of the ambient stimulation caused a change in the monitored data transmissions of the first devices.

2. The apparatus of claim 1, wherein the apparatus is further caused to perform: maintain capability and status information of one or more of the first Internet devices, the status information comprising location and current operation mode; and perform the determining of the one or more first devices based on the capability and status information.

3. The apparatus of claim 1, wherein the apparatus is further caused to perform: maintain capability and status information of one or more of the second Internet devices, the status information comprising location and current operation mode; and perform the determining of the one or more second devices based on the capability and status information.

4. The apparatus of claim 1, wherein the monitoring of the data transmissions of the first devices is performed continually.

5. The apparatus of claim 1, wherein the monitoring of the data transmission of the first devices is performed at given periods of time.

6. The apparatus of claim 1, wherein the ambient stimulation comprises an audio signal.

7. The apparatus of claim 6, wherein the audio signal comprises a portion with a frequency in a non-audible frequency.

8. The apparatus of claim 1, wherein the ambient stimulation comprises a light signal.

9. The apparatus of claim 8, wherein the light signal comprises a portion with a frequency in a non-visible frequency.

10. The apparatus of claim 1, wherein the ambient stimulation comprises a vibration signal.

11. The apparatus of claim 1, wherein the ambient stimulation comprises movement of an object detectable by movement detection.

12. The apparatus of claim 1, wherein the ambient stimulation comprises an electromagnetic signal.

13. The apparatus of claim 1, wherein the ambient stimulation comprises a series of changes in the ambient properties.

14. The apparatus of claim 1, wherein the determining of the one or more first devices is based on past activity of the Internet devices.

15. A method comprising: determining one or more first devices that are Internet devices meeting all of the following conditions: residing at a given location; equipped with one or more ambience sensing capable sensors; and operation mode being such that their ambience sensing capable sensors should not cause transmission of data; determining one or more second devices that are Internet devices at the given location and equipped with one or more elements capable of causing an ambient stimulation detectable by the sensors of one or more first devices; monitoring data transmissions of the first devices using the communication interface; causing issuing of the ambient stimulation by a subset of the one or more second devices, using the communication interface; and determining whether the issuing of the ambient stimulation caused a significant change in the monitored data transmissions of the first devices.

16. The method of claim 15, further comprising: maintaining capability and status information of one or more of the first Internet devices, the status information comprising location and current operation mode; and performing the determining of the one or more first devices based on the capability and status information.

17. The method of claim 15, further comprising: maintaining capability and status information of one or more of the second Internet devices, the status information comprising location and current operation mode; and performing the determining of the one or more second devices based on the capability and status information.

18. The method of claim 15, wherein the monitoring of the data transmissions of the first devices is performed continually.

19. The method of claim 15, wherein the monitoring of the data transmission of the first devices is performed at given periods of time.

20. The method of claim 15, wherein the ambient stimulation comprises an audio signal.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) For a more complete understanding of example embodiments of the present invention, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:

(2) FIG. 1 shows an architectural drawing of a system of an example embodiment;

(3) FIG. 2 shows a block diagram of a first device of an example embodiment;

(4) FIG. 3 shows a block diagram of a second device of an example embodiment; and

(5) FIGS. 4a to 4d show a flow chart of a process of an example embodiment.

DETAILED DESCRIPTION OF THE DRAWINGS

(6) An example embodiment of the present invention and its potential advantages are understood by referring to FIGS. 1 through 4d of the drawings. In this document, like reference signs denote like parts or steps.

(7) FIG. 1 shows an architectural drawing of a system of an example embodiment. FIG. 1 shows some local environment such as an office or home environment with various first devices 110 or network devices, second devices 112 (possibly identical to first devices but just used in another role as will become apparent in the following), one or more second devices 120 for monitoring the operation of the first devices 110, and a schematic drawing of some walls 130 and other space limiting structures. The first devices 110, the second devices 112 and the third devices 120 are connected to a local subnet 140 that provides access to the Internet 150. The local subnet may comprise one or more continuous or disjoint network address spaces. The network address space of one example embodiment is such as 192.168.0.0 . . . 192.168.0.255 and 192.168.4.40 . . . 192.168.4.200 (417 addresses), or 192.168.x.y, wherein x is 0 to 20 and y is 0 to 255 (5376 addresses), or 192.168.a.b and 10.c.d.e and 172.16.f.g, wherein parameters a to g are freely selected between 0 and 255.

(8) The space limiting structures have varying extent of suppressing propagation of different ambient signals. For example, thick stone walls may effectively block both light and sound, whereas low office cubicle walls may only partly block light and have little or no blocking impact on sound propagation.

(9) In an embodiment, the first devices 110 and the second devices 112 are various Internet employing devices such as Internet enabled fridges; television sets; gaming devices; person scales; cleaning robots; assisting robots; computers; electric books; vacuum cleaners; burglar alarm devices; liquid leak monitors; gas leak monitors; temperature sensors or water meters. The first devices 110 and the second devices 112 may be Internet of Things (IoT) devices i.e. devices that meet the following definition: Interrelated physical things each having a unique identifier and capability of transferring data over a network without need of human-to-human or human-to-computer interaction. The second devices 120 can also comprise one or more first devices 110 and/or second devices 112. In an embodiment, the second device 120 is combined with a local network device that supervises network traffic in the local subnet 140. The local network device is or comprises, for example, any one or more of the following: a firewall; a router; a network analyzer.

(10) FIG. 1 shows two schematic rooms each with one window 132 and otherwise continuous walls 130 closed by doors (not shown). Dashed lines illustrate imaginary propagation of ambient stimulation, such as audio and light signals. From the left hand side room, the ambient stimulation passes through the windows 130, as would be the case with light signals. From the right-hand side room, the ambient stimulation is blocked by the window 132 of respective room, as would be the case with an audio signal and well sound proofed windows. This exemplifies that how different types of signals may pass or be hindered by different types of structures. Notably, some structures do not absolutely stop a signal: a sound may just attenuate below a level detectable by some sensors, as well as the light may be dimmed enough to no longer be detectable.

(11) FIG. 2 shows a block diagram of a first device 110 according to an embodiment of the invention. The first device 110 comprises a user interface for user interfacing and a memory 240 including a persistent computer program code 250. The first device 110 further comprises a processor 220 for controlling the operation of the first device 110 using the computer program code 240 and a communication unit 210 for communicating with network data packets. The communication unit 210 comprises, for example, a local area network (LAN) port; a wireless local area network (WLAN) unit; Bluetooth unit; cellular data communication unit; or satellite data communication unit. The processor 220 comprises, for example, any one or more of: a master control unit (MCU); a microprocessor; a digital signal processor (DSP); an application specific integrated circuit (ASIC); a field programmable gate array; and a microcontroller.

(12) The first device 110 further comprises one or more sensors 260 capable of measuring physical properties such as any one or more of the following properties: sound; light; movement; pressure; air composition; location sensor such as satellite based location sensor; WLAN based location sensor; radio frequency identity (RFID) based location sensor; a location tag sensor for reading proximate radio frequency or visual location tag.

(13) The first device 110 further comprises in an embodiment one or more elements 270 capable of causing emission of one or more ambient signals. Such elements 270 comprise, for example, any one or more of the following items: a motor; a valve; a loudspeaker; a vibrator.

(14) In an example embodiment, the second device 112 has the structure of the first device 110. However, while the first devices 110 need not have the actuators 270 capable of causing emission of ambient signals, the second devices 112 are capable of causing ambient signals. On the other hand, the second devices 112 need not have a capability of sensing ambient signals so the second devices 112 may lack the sensors 260.

(15) Examples of equipment enabling the second devices to cause ambient signals include at least one of the following:

(16) network controllable washing machine;

(17) network controllable dish washer;

(18) network controllable coffee maker;

(19) network controllable speakers;

(20) network controllable alarm system;

(21) network controllable cleaning robot;

(22) network controllable printer;

(23) network controllable air conditioning;

(24) network controllable blinds;

(25) network controllable illumination.

(26) FIG. 3 shows a block diagram of a third device 120 according to an embodiment of the invention. The third device 120 comprises a user interface 330, a memory 340 including a persistent computer program code 350. The third device 120 further comprises a processor 320 for controlling the operation of the third device 120 using the computer program code 340 and a communication unit 310 for communicating with network data packets. The communication unit 310 comprises, for example, a local area network (LAN) port; a wireless local area network (WLAN) unit; Bluetooth unit; cellular data communication unit; or satellite data communication unit. The processor 320 comprises, for example, any one or more of: a master control unit (MCU); a microprocessor; a digital signal processor (DSP); an application specific integrated circuit (ASIC); a field programmable gate array; and a microcontroller.

(27) In an example embodiment, the third device 120 further comprises a status detector 360 configured to detect expected communication status of one or more of the first devices 110 connected to the subnet 140. The status detector 360 comprises, for example, a circuitry configured to determine current operational status of the first devices 110 (such as on/off/idle). In an example embodiment, status detector enquires the current status from first devices 110 that are capable of providing their status in response to a query from the third device 120. In an example embodiment, the status detector 360 further or alternatively comprises a schedule that describes when the first devices 110 are expected to send data or when the first devices 110 are expected not to send data. It should be appreciated that the third device 120 need not operate in a same way with each of the first devices 110.

(28) The third device 120 further comprises a location detector 370 configured to detect which first devices 110 and second devices 112 reside at a given location. The location detector 370 may comprise a user input 372 configured to receive the location of some or all of the first devices 110 and second devices 112 from a person; a robot 374 configured to move and detect locations of proximate first devices 110 and second devices 112; and a location query circuitry 376 configured to query the locations of the first devices 110 and second devices 112 from the respective first devices 110 and second devices themselves or from a location data repository.

(29) FIGS. 4a to 4d illustrate a flow chart of a process of an example embodiment, showing:

(30) 402. determining one or more first devices 110 that are Internet devices meeting all of the following conditions: residing at a given location; equipped with one or more ambience sensing capable sensors 260; and operation mode being such that their ambience sensing capable sensors 260 should not cause transmission of data;

(31) 404. determining one or more second devices 112 that are Internet devices at the given location and equipped with one or more elements capable of causing an ambient stimulation detectable by the sensors of one or more first devices (e.g., by triggering a noisy or visually notable operation by one or more controllable other first devices 110);

(32) 406. monitoring data transmissions of the first devices 110;

(33) 408. causing issuing of the ambient stimulation by a subset (e.g., some or all) of the one or more second devices 112; and

(34) 410. determining whether the issuing of the ambient stimulation caused a significant change in the monitored data transmissions of the first devices.

(35) In some embodiments, the process further comprises any one or more of the following:

(36) 412. maintaining capability and status information of one or more of the first Internet devices 110, the status information comprising location and current operation mode;

(37) 414. performing the determining of the one or more first devices 110 based on the capability and status information;

(38) 416. performing the determining of the one or more first devices 110 based on a device discovery;

(39) 418. maintaining capability and status information of one or more of the second Internet devices 112, the status information comprising location and current operation mode;

(40) 420. performing the determining of the one or more of the second devices 112 based on the capability and status information;

(41) 422 performing the determining of the one or more second devices 112 based on a device discovery;

(42) 424. in the device discovery, discovering devices meeting set criteria;

(43) 426. in the device discovery, sending one or more messages to a plurality of Internet devices that potentially include some first and second devices;

(44) 428. in the device discovery, querying capability and/or status information from one or more network entities, wherein he one or more network entities may be other than a network entity that performs the method of the first example aspect and/or the network entities may comprise one or more entities selected from a group consisting of: a server; a virtual server; a cloud computing function; a distributed server;

(45) 430. performing continually the monitoring of the data transmissions of the first devices;

(46) 432. performing at given periods of time the monitoring of the data transmission of the first devices, wherein said periods of time may be selected based on random timing; status of the first devices 110; status of the second devices 112;

(47) 434. selecting said periods of time with an attempt to avoid interfering normal use of the first devices;

(48) 436. selecting said periods of time with an attempt to avoid interfering normal use of the second devices;

(49) 438. indicating to a user when the second devices issue the ambient stimulation;

(50) 440. allowing a user to determine one or more periods of time when the second devices issue the ambient stimulation;

(51) 442. performing the method in one or more of: a private network; a control entity such as a router or a firewall;

(52) 444. the ambient stimulation being or comprising an audio signal for detecting which first devices 110 start transmitting data with an audio triggering, wherein the audio signal may comprise a portion of an audible frequency and/or a portion with a frequency in a non-audible frequency;

(53) 446. the ambient stimulation being or comprising a light signal for detecting which first devices 110 start transmitting data with a light triggering, wherein the light signal may comprise a portion of a visible frequency and/or a portion with a frequency in a non-visible frequency;

(54) 448. the ambient stimulation being or comprising a vibration signal for detecting which first devices 110 start transmitting data with a vibration triggering, wherein the vibration signal may be a haptic signal;

(55) 450. the ambient stimulation being or comprising an ambient stimulation that is or comprises movement of an object detectable by movement detection, e.g., ultrasound based sonar sensors; 3D camera sensors; LIDAR sensors;

(56) 452. The ambient stimulation being or comprising ambient stimulation that may be or comprise an electromagnetic signal, such as a radio communication signal;

(57) wherein the ambient stimulation being detectable in an example embodiment by the first devices 110 at a given range of at least 1 m; 2 m; 5 m; 10 m; or 20 m;

(58) 454. Issuing the ambient stimulation by causing an increase or decrease in one or more ambient properties detectable by the one or more first devices 110, wherein the ambient stimulation may comprise a series of changes in one or more ambient properties detectable by the one or more first devices 110; the ambient stimulation may comprise a transmission with a combination of power and frequency distribution that is safe to human beings at a distance of at least 1 cm; 10 cm; or 1 m from each of the second devices 112; the ambient stimulation may comprise reducing one or more ambient properties detectable by the first devices 110; the ambient stimulation may comprise switching off a sound source; the ambient stimulation may comprise switching off a light source; and/or the ambient stimulation may comprise switching off a vibration source.

(59) 456. determining the significant change based on an estimated physical relationship between the first devices 110 to the stimulation;

(60) 458. determining the estimated physical relationship between using a distance between the first devices 110 and the second devices 112;

(61) 460. determining the distance between the first devices 110 and the second devices 112 may be determined based on positions indicated by the first devices 110 and the second devices 112 in question;

(62) 462. receiving the distance of at least some first devices 110 and the second devices 112 from a user;

(63) 464. controlling the first devices 110 to use their sensors 260 to measure ambient signals and signal in a predetermined manner with the second signal to controllably perform the estimating of the physical relationship between the sensors 260 of the first devices 110.

(64) 466. determining the significant change in the monitored data transmissions based on changes in data rate;

(65) 468. determining the significant change in the monitored data transmissions based on changes in recipients;

(66) 470. determining the significant change in the monitored data transmissions based on changes in communication protocols, such as transport protocols, streaming protocols and/or Quality of Service;

(67) 472. determining the one or more first devices 110 based on past activity of the Internet devices.

(68) As mentioned in connection with step 448, the ambient stimulation may comprise a series of changes in one or more properties. Such a series can be formed, for example, by forming a sound and/or light signal comprising different periods of different frequencies and/or power. For example, a test stimulus may comprise turn a smart light A with 100% power and generating a given tone at 75% power from smart speaker B.

(69) In an example embodiment, any one or more of steps 402 to 472 are performed or caused by the third device 120.

(70) As used in this application, the term “circuitry” may refer to one or more or all of the following:

(71) (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and;

(72) (b) combinations of hardware circuits and software, such as (as applicable):

(73) (i) a combination of analog and/or digital hardware circuit(s) with software/firmware; and

(74) (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions); and

(75) (c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.

(76) This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.

(77) Without in any way limiting the scope, interpretation, or application of the claims appearing below, a technical effect of one or more of the example embodiments disclosed herein is that undesired monitoring of local premises can be detected from network traffic and knowledge of ambient stimulation. Another technical effect of one or more of the example embodiments disclosed herein is that the undesired monitoring may be detected even from encrypted communications. Yet another technical effect of one or more of the example embodiments disclosed herein is that the undesired monitoring may be detected without disturbing persons in or near the premises when using stimulation not perceivable to a human being, such as infrared or ultraviolet light and/or infra sound or ultrasound audio. Yet another technical effect of one or more of the example embodiments disclosed herein is that the undesired monitoring may be detected without need for new or additional equipment by using existing network controllable equipment to cause the ambient stimulus.

(78) Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of software, hardware and application logic. The software, application logic and/or hardware may reside on the first network device 110, the second network device 112 or the third network device 120. In an example embodiment, the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. In the context of this document, a “computer-readable medium” may be any non-transitory media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer, with one example of a computer described and depicted in FIG. 2. A computer-readable medium may comprise a computer-readable storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.

(79) If desired, the different functions discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the before-described functions may be optional or may be combined.

(80) Although various aspects of the invention are set out in the independent claims, other aspects of the invention comprise other combinations of features from the described embodiments and/or the dependent claims with the features of the independent claims, and not solely the combinations explicitly set out in the claims.

(81) It is also noted herein that while the foregoing describes example embodiments of the invention, these descriptions should not be viewed in a limiting sense. Rather, there are several variations and modifications which may be made without departing from the scope of the present invention as defined in the appended claims.