Search

US-12621153-B2 - Methods, systems, and devices for association of internet-of-things (IoT) devices to anonymized households

US12621153B2US 12621153 B2US12621153 B2US 12621153B2US-12621153-B2

Abstract

Techniques for enabling the association of client devices to anonymized households during an authorization process is performed at a server including processor(s) and non-transitory memory. The server receives a request for a service or content from a client device that specifies a device identifier, a first hash value approximating a unit in which the client device is deployed, and a second hash value representing a connection to the unit. The server records and evaluates the request based on the device identifier, the first hash value, and the second hash value so that an access token is generated for the client device and bound to the first hash value. The server sends the access token to the client device for access to the service or content via the connection to the unit upon validating the request or reports an anomaly determined based on the recorded data.

Inventors

  • Itai Ephraim Zilbershtein
  • Thomas Paul Burnley

Assignees

  • SYNAMEDIA LIMITED

Dates

Publication Date
20260505
Application Date
20230907

Claims (20)

  1. 1 . A method comprising: at a server including one or more processors and non-transitory memory: receiving a request for a service or content from an Internet of Things (IoT) device deployed within a unit, wherein the request includes a device identifier corresponding to the IoT device, a first hash value approximating the unit, and a second hash value, different from the first hash value, representing a unique connection of the IoT device to the unit among a plurality of IoT devices deployed within the unit, and wherein the first hash is calculated based on a deployment-specific identifier (ID) of the unit shared by the plurality of IoT devices; recording and evaluating the request based on the device identifier, the first hash value, and the second hash value; generating an access token for the IoT device, binding the access token to the first hash value, and sending the access token to the IoT device for access to the service or content via the connection to the unit upon validating the request; and reporting an anomaly associated with one or more of the unit and the connection to the unit upon detecting the anomaly based on the device identifier, the first hash value, and the second hash value.
  2. 2 . The method of claim 1 , wherein the unit is a household with one or more network access points connecting the plurality of IoT devices to the unit.
  3. 3 . The method of claim 2 , wherein: the first hash value is computed based on a tuple of an identifier associated with the one or more network access points and an access credential used by the IoT device to connect to the one or more network access points.
  4. 4 . The method of claim 3 , wherein the second hash value is computed based on a unique identifier for the IoT device connecting to the one or more network access points.
  5. 5 . The method of claim 1 , wherein the first hash value is computed based on one or more a location, a network configuration, and environmental characteristics of the unit at time of deploying the IoT device.
  6. 6 . The method of claim 1 , wherein the non-transitory memory includes a database, and recording and evaluating the request based on the device identifier, the first hash value, and the second hash value include: creating a first record in the database with a first set of fields corresponding to the device identifier, the first hash value, the second hash value, and timestamps; and initializing a second set of fields of the first record representing changes to the first record.
  7. 7 . The method of claim 6 , wherein evaluating the request includes: locating a second record in the database corresponding to the device identifier; determining whether or not the first hash value and the second hash value match fields in the second record; and updating the second record in accordance with a determination of the first hash value or the second hash value not matching the fields in the second record.
  8. 8 . The method of claim 6 , wherein: detecting the anomaly includes identifying the anomaly based on the changes; and reporting the anomaly includes forgoing sending the access token to the IoT device.
  9. 9 . The method of claim 8 , wherein identifying the anomaly based on the changes includes identifying abnormal changes to the unit based on one or more of a number of changes and a frequency of changes to the first hash value.
  10. 10 . The method of claim 8 , wherein identifying the anomaly based on the changes includes identifying abnormal changes to the connection to the unit based on one or more of a number of changes and a frequency of changes to the second hash value.
  11. 11 . The method of claim 8 , wherein identifying the anomaly based on the changes includes identifying a frequency of changes to the second hash value exceeding a second threshold indicating the abnormal changes to the connection to the unit.
  12. 12 . The method of claim 1 , further comprising: receiving an access request for the service or content from the IoT device, wherein the access request includes the access token binding to the device identifier and the first hash value; and authorizing the access request for the service or content base on the access token, the device identifier, and the first hash value.
  13. 13 . The method of claim 1 , further comprising: receiving multiple requests for authentication to the service or content from the plurality of IoT devices, wherein a respective one of the multiple requests includes a respective device identifier corresponding to a respective plurality of IoT device, the first hash value, and a respective second hash value representing a respective connection within the unit; and deriving a size of the unit based on the respective device identifier, first hash value, and the respective second hash value.
  14. 14 . The method of claim 1 , wherein the service or content includes one or more of over-the-top (OTT) video streaming services, security services, and remote camera services.
  15. 15 . A server comprising: one or more processors; non-transitory memory; and one or more programs stored in the non-transitory memory, which, when executed by the one or more processors, cause the server to: receive a request for a service or content from an Internet of Things (IoT) device deployed within a unit, wherein the request includes a device identifier corresponding to the IoT device, a first hash value approximating the unit, and a second hash value, different from the first hash value, representing a unique connection of the IoT device to the unit among a plurality of IoT devices deployed within the unit, and wherein the first hash is based on a deployment-specific identifier (ID) of the unit shared by the plurality of IoT devices; record and evaluate the request based on the device identifier, the first hash value, and the second hash value; generate an access token for the IoT device, bind the access token to the first hash value, and send the access token to the IoT device for access to the service or content via the connection to the unit upon validating the request; and report an anomaly associated with one or more of the unit and the connection to the unit upon detecting the anomaly based on the device identifier, the first hash value, and the second hash value.
  16. 16 . The server of claim 15 , wherein the unit is a household with one or more network access points connecting the plurality of IoT devices to the unit.
  17. 17 . The server of claim 16 , wherein: the first hash value is computed based on a tuple of an identifier associated with the one or more network access points and an access credential used by the IoT device to connect to the one or more network access points.
  18. 18 . The server of claim 17 , wherein the second hash value is computed based on a unique identifier for the IoT device connecting to the one or more network access points.
  19. 19 . The server of claim 15 , wherein the first hash value is computed based on one or more a location, a network configuration, and environmental characteristics of the unit at time of deploying the IoT device.
  20. 20 . A non-transitory memory storing one or more programs, which, when executed by a server, cause the server to: receive a request for a service or content from an Internet of Things (IoT) device deployed within a unit, wherein the request includes a device identifier corresponding to the IoT device, a first hash value approximating the unit, and a second hash value, different from the first hash value, representing a unique connection of the IoT device to the unit among a plurality of IoT devices deployed within the unit, and wherein the first hash is calculated based on a deployment-specific identifier (ID) of the unit shared by the plurality of IoT devices; record and evaluate the request based on the device identifier, the first hash value, and the second hash value; generate an access token for the IoT device, bind the access token to the first hash value, and send the access token to the IoT device for access to the service or content via the connection to the unit upon validating the request; and report an anomaly associated with one or more of the unit and the connection to the unit upon detecting the anomaly based on the device identifier, the first hash value, and the second hash value.

Description

TECHNICAL FIELD The present disclosure relates generally to security and, more specifically, to methods, devices, and systems of tracking deployed Internet-of-Things (IoT) devices. BACKGROUND Many low-cost Internet of Things (IoT) devices are provided to end-users free of charge or without a managed subscription. Using these low-cost IoT devices, a high-level service provider can offer various high-level services, e.g., using an IoT service from an IoT vendor built on top of the distributed IoT devices to offer high-level over-the-top (OTT) video services. In many cases, IoT device(s) are self-installed by users, thus providing no information to the IoT vendor regarding the association of the IoT device(s) with a particular high-level service account (e.g., an account representing a household), even though the IoT vendor offers operational and communication services through the IoT device(s) to support the high-level services. To avoid the additional cost and complexity of managing the associations between unique device instances and accounts (e.g., accounts associated with households), some high-level service providers choose a model where each device is treated as a separate account. Some other high-level service providers consider multiple IoT devices from the same IoT vendor as a single household when being used by a single user. In such cases, the IoT vendors may not be aware of the deployment of these multiple devices. Despite the high-level service provider knowing the association between IoT devices and households, they may not share the knowledge with the IoT vendor due to business and/or privacy concerns, as the IoT vendor and the high-level service provider are typically separate entities. BRIEF DESCRIPTION OF THE DRAWINGS So that the present disclosure can be understood by those of ordinary skill in the art, a more detailed description may be had by reference to aspects of some illustrative embodiments, some of which are shown in the accompanying drawings. FIG. 1 is a block diagram of an exemplary service or multimedia content delivery system for delivering services or content to multiple households, in accordance with some embodiments; FIG. 2 is a diagram illustrating the deployment of client devices to households in the exemplary service or multiple content delivery system, in accordance with some embodiments; FIG. 3 is a diagram illustrating subcomponents in the exemplary service or multimedia content delivery system for associating deployed client devices to pseudo-households, in accordance with some embodiments; FIG. 4 is a flowchart illustrating authentication and authorization in the exemplary service or multiple content delivery system, in accordance with some embodiments; FIG. 5 is a sequence diagram illustrating associating client devices to pseudo-households during the authorization process, in accordance with some embodiments; FIGS. 6A and 6B are diagrams illustrating change analysis and anomaly determination in the service or multiple content delivery system, in accordance with some embodiments; and FIG. 7 is a flowchart illustrating an authorization method for enabling the association of client devices to anonymized households, in accordance with some embodiments. In accordance with common practice the various features illustrated in the drawings may not be drawn to scale. Accordingly, the dimensions of the various features may be arbitrarily expanded or reduced for clarity. In addition, some of the drawings may not depict all of the components of a given system, method, or device. Finally, like reference numerals may be used to denote like features throughout the specification and figures. DESCRIPTION OF EXAMPLE EMBODIMENTS Numerous details are described in order to provide a thorough understanding of the example embodiments shown in the drawings. However, the drawings merely show some example aspects of the present disclosure and are therefore not to be considered limiting. Those of ordinary skill in the art will appreciate that other effective aspects and/or variants do not include all of the specific details described herein. Moreover, well-known systems, methods, components, devices, and circuits have not been described in exhaustive detail so as not to obscure more pertinent aspects of the example embodiments described herein. Overview In accordance with some embodiments, methods, devices, and systems described herein allow Internet of Things (IoT) vendors to track the association of IoT devices to anonymized households by utilizing deployment-specific information to emulate a household identifier (ID). In some embodiments, an IoT device generates a deployment hash based on the credentials used for an IoT device to connect to the household network so it can connect to the IoT vendor's services, e.g., the WiFi service set identifier (SSID) and user-provided WiFi credential(s) during IoT device setup. The deployment hash serves as an approximate unique household ID and is sent