US-AID: Unattended Scalable Attestation of IoT Devices

Ahmad Ibrahim, A. Sadeghi, G. Tsudik
Published in: 2018 IEEE 37th Symposium on Reliable Distributed Systems (SRDS)
Publication date: 2018-07-02
DOI: 10.1109/SRDS.2018.00013 (https://doi.org/10.1109/SRDS.2018.00013)
Citations: 29

Abstract

Embedded devices, personal gadgets and networks thereof are becoming increasingly pervasive, mainly due to the advent of, and hype surrounding, the so-called Internet of Things (IoT). Such devices often perform critical actuation tasks, as well as collect, store and process sensitive data. Therefore, as confirmed by recent examples (such as the Mirai botnet), they also represent very attractive attack targets. To mitigate attacks, remote attestation (RA) has emerged as a distinct security service that aims at detecting malware presence on an embedded device. Most prior RA schemes focus on attesting a single device and do not scale. In recent years, schemes for collective (group or swarm) RA have been designed. However, none is applicable to autonomous and dynamic network settings. This paper presents US-AID – the first collective attestation scheme for large autonomous dynamic networks of embedded devices. AID verifies overall network integrity by combining continuous in-network attestation with a key exchange mechanism and Proofs-of-non-Absence. Using device absence detection, US-AID defends against physical attacks that require disconnecting attacked devices from the network for a non-negligible time. We demonstrate feasibility of US-AID with proof-of-concept implementation on state-of-the-art security architectures for low-end embedded devices and on an autonomous testbed formed of six drones. We also assess its scalability and practicality via extensive simulations.