Internet of Things (IoT) devices are becoming increasingly commonplace in numerous public and semi-private settings. Currently, most such devices lack mechanisms to facilitate their discovery by casual (nearby) users who are not owners or operators. However, these users are potentially being sensed, and/or actuated upon, by these devices without their knowledge or consent. This naturally raises privacy, security, and safety issues. To address this problem, some recent work explored device transparency in the IoT ecosystem. The intuitive approach is for each device to periodically and securely broadcast (announce) its presence and capabilities to all nearby users. While effective, this push-based approach generates a substantial amount of unnecessary network traffic when no new users are present and needlessly interferes with normal device operation. In this work, we construct DB-PAISA, which addresses these issues via a pull-based method, whereby devices reveal their presence and capabilities only upon explicit user request. Each device guarantees a secure and timely response (even if fully compromised by malware) based on a small active Root-of-Trust (RoT). DB-PAISA requires no hardware modifications and is suitable for a range of current IoT devices. To demonstrate its feasibility and practicality, we built a fully functional and publicly available prototype. It is implemented atop a commodity MCU (NXP LPC55S69) and operates in tandem with a smartphone-based app. Using this prototype, we evaluate energy consumption and other performance factors.