Privacy-Preserving IoT in Connected Aircraft Cabin

Nilesh Vyas, Benjamin Zhao, Aygün Baltaci, Gustavo de Carvalho Bertoli, Hassan Asghar, Markus Klügel, Gerrit Schramm, Martin Kubisch, Dali Kaafar

TL;DR

This work tackles the privacy gap at the application layer in privacy-conscious, multi-vendor aircraft cabin IoT by integrating a configurable PETs layer with a CSMIM-like architecture. It empirically evaluates two pragmatic PETs, Local/Global Differential Privacy and an Additive Secret Sharing scheme, on a high-fidelity hardware testbed to quantify privacy, utility, and performance trade-offs. The results show that PET overhead is often small compared to network and broker latencies, and that architectural decisions such as on-device versus virtualized processing dominate end-to-end performance. The paper provides a practical roadmap for system architects to configure PETs, balancing privacy, regulatory compliance, IP protection, and real-time requirements in avionics and other critical IoT domains.

Abstract

The proliferation of IoT devices in shared, multi-vendor environments like the modern aircraft cabin creates a fundamental conflict between the promise of data collaboration and the risks to passenger privacy, vendor intellectual property (IP), and regulatory compliance. While emerging standards like the Cabin Secure Media-Independent Messaging (CSMIM) protocol provide a secure communication backbone, they do not resolve data governance challenges at the application layer, leaving a privacy gap that impedes trust. This paper proposes and evaluates a framework that closes this gap by integrating a configurable layer of Privacy-Enhancing Technologies (PETs) atop a CSMIM-like architecture. We conduct a rigorous, empirical analysis of two pragmatic PETs: Differential Privacy (DP) for statistical sharing, and an additive secret sharing scheme (ASS) for data obfuscation. Using a high-fidelity testbed with resource-constrained hardware, we quantify the trade-offs between data privacy, utility, and computing performance. Our results demonstrate that the computational overhead of PETs is often negligible compared to inherent network and protocol latencies. We prove that architectural choices, such as on-device versus virtualized processing, have a far greater impact on end-to-end latency and computational performance than the PETs themselves. The findings provide a practical roadmap for system architects to select and configure appropriate PETs, enabling the design of trustworthy collaborative IoT ecosystems in avionics and other critical domains.

Paper Structure

This paper contains 51 sections, 1 theorem, 3 equations, 2 figures, 2 tables.

Key Result

Theorem 1

Let each sensor $S_i$ split its encoded value $x'_i$ into $m$ shares over a finite field $\mathbb{Z}_Q$ where $Q > nq$. Let the server C collect all $nm$ shares, sum them modulo $Q$, divide by $n$, and decode. If $\widehat{ave}$ is the computed average and $(\sum x_i)/n$ is the true average, then where $k$ is the precision level of the initial encoding.
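The aggregation Theorem 1 describes, as an added example that is not code from the paper: each sensor fixed-point encodes its reading with $k$ digits, splits the encoded value into $m$ additive shares over $\mathbb{Z}_Q$ with $Q > nq$, and the server sums all $nm$ shares modulo $Q$, divides by $n$ and decodes. The decimal fixed-point encoding, the sample readings, $x_{max}$ and the choice of $Q$ are assumptions; the exact error bound of the theorem is not on this page, so the example only checks that the error stays below one unit of precision.

```python
import secrets

def encode(x: float, k: int) -> int:
    # Fixed-point encoding with k decimal digits (assumed; the paper's exact
    # encoding is not given on this page). Rounding error is at most 0.5 * 10^-k.
    return int(round(x * 10 ** k))

def decode(v: int, k: int) -> float:
    return v / 10 ** k

def split_shares(value: int, m: int, Q: int) -> list[int]:
    # m-1 shares are drawn uniformly from Z_Q with a CSPRNG; the last share is
    # fixed so all m shares sum to `value` mod Q. Any m-1 shares on their own
    # are uniformly distributed and carry no information about `value`.
    shares = [secrets.randbelow(Q) for _ in range(m - 1)]
    shares.append((value - sum(shares)) % Q)
    return shares

def sensor_shares(readings, k: int, m: int, Q: int):
    # Each sensor S_i encodes x_i to x'_i and splits it into m shares.
    return [split_shares(encode(x, k), m, Q) for x in readings]

def server_average(all_shares, n: int, m: int, Q: int, k: int) -> float:
    # Server C: refuse to aggregate unless exactly n*m shares arrived, sum them
    # modulo Q, divide by n and decode. Because Q > n*q the modular sum equals
    # the true integer sum of the encoded values, so the only error left is
    # from encoding and the integer division.
    flat = [s for sensor in all_shares for s in sensor]
    if len(flat) != n * m:
        raise ValueError("expected %d shares, got %d" % (n * m, len(flat)))
    total = sum(flat) % Q
    return decode(total // n, k)

def demo():
    # Constructed sample: six seat-weight readings in kg, k=2 digits, m=3 shares.
    readings = [72.35, 88.10, 64.75, 95.20, 58.60, 81.05]
    n, m, k = len(readings), 3, 2
    x_max = 200.0                 # assumed largest reading a sensor can report (kg)
    q = encode(x_max, k)          # largest encoded value x'_i can take
    Q = 131071                    # prime 2^17 - 1; additive sharing only needs Q > n*q
    assert Q > n * q
    shares = sensor_shares(readings, k, m, Q)
    avg_hat = server_average(shares, n, m, Q, k)
    true_avg = sum(readings) / n
    return avg_hat, true_avg, abs(avg_hat - true_avg)
```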

Figures (2)

  • Figure 1: Diagrammatic connections of the ESP32, message broker and RPI for data over MQTTv5 and a physical timing flag used in our timing measurement methodology.
  • Figure 2: Relationship between $\epsilon$ and error against the true weight sum. In a high privacy setting (low $\epsilon$, e.g., 0.05), the error is substantial, on the order of 100 kg. As the privacy guarantee is relaxed (higher $\epsilon$), the error decays exponentially, falling to 10 kg just before $\epsilon = 0.5$.

Theorems & Definitions (2)

  • Theorem 1
  • Proof