Systems-Level Attack Surface of Edge Agent Deployments on IoT

Zhonghao Zhan, Krinos Li, Yefan Zhang, Hamed Haddadi

TL;DR

The measurements show that edge-local deployments eliminate routine cloud data exposure but silently degrade sovereignty when fallback mechanisms trigger, with boundary crossings invisible at the application layer, and deployment architecture is a primary determinant of security risk in agent-controlled IoT systems.

Abstract

Edge deployment of LLM agents on IoT hardware introduces attack surfaces absent from cloud-hosted orchestration. We present an empirical security analysis of three architectures (cloud-hosted, edge-local swarm, and hybrid) using a multi-device home-automation testbed with local MQTT messaging and an Android smartphone as an edge inference node. We identify five systems-level attack surfaces, including two emergent failures observed during live testbed operation: coordination-state divergence and induced trust erosion. We frame core security properties as measurable systems metrics: data egress volume, failover window exposure, sovereignty boundary integrity, and provenance chain completeness. Our measurements show that edge-local deployments eliminate routine cloud data exposure but silently degrade sovereignty when fallback mechanisms trigger, with boundary crossings invisible at the application layer. Provenance chains remain complete under cooperative operation yet are trivially bypassed without cryptographic enforcement. Failover windows create transient blind spots exploitable for unauthorised actuation. These results demonstrate that deployment architecture, not just model or prompt design, is a primary determinant of security risk in agent-controlled IoT systems.

Paper Structure (44 sections, 2 figures, 7 tables)

This paper contains 44 sections, 2 figures, 7 tables.

Figures (2)

  • Figure 1: Testbed topology. Inter-agent traffic traverses the Tailscale mesh via MQTT pub/sub on the Mac mini. The NUC bridges MQTT to Home Assistant for IoT actuation. WAN links carry only LLM inference and Telegram traffic.
  • Figure 2: MQTT message flow and supervision architecture. Agents communicate via per-agent inbox topics (agents/inbox/{id}), with all messages streamed to agents/mirror for real-time human monitoring via Telegram. A rogue client (bottom-left) can publish directly to agent inboxes, bypassing the supervision layer, illustrating the provenance gap measured in Table [tab:adversarial].
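The provenance gap in Figure 2 (a rogue client publishing straight to an agent inbox) is what the abstract means by "trivially bypassed without cryptographic enforcement". As an added example, not the paper's testbed code: a supervisor-side check that accepts an agents/inbox/{id} message only if it carries a valid HMAC under a provisioned per-agent key and a fresh timestamp; the agent ids, keys, envelope fields and replay window are assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed example: provenance enforcement for per-agent inbox topics
# (agents/inbox/{id}) as laid out in Figure 2. Agent ids and keys are made up;
# the paper's testbed is not assumed to use this envelope format.
AGENT_KEYS = {
    "planner": b"constructed-secret-planner",
    "executor": b"constructed-secret-executor",
}
MAX_AGE_S = 30            # assumed replay window: reject envelopes older than this
MIRROR_TOPIC = "agents/mirror"

def _canonical(env):
    """Serialise every field except the MAC in a fixed order so MACs are reproducible."""
    unsigned = {k: v for k, v in env.items() if k != "mac"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()

def sign_message(sender, recipient, payload, ts=None):
    """Build an inbox envelope and MAC it with the sender's provisioned key."""
    env = {"from": sender, "to": recipient,
           "ts": ts if ts is not None else time.time(), "payload": payload}
    env["mac"] = hmac.new(AGENT_KEYS[sender], _canonical(env), hashlib.sha256).hexdigest()
    return env

def verify_inbox_message(topic, env, now=None):
    """Return (accepted, reason). A message is trusted only if topic, sender key and MAC agree."""
    now = time.time() if now is None else now
    parts = topic.split("/")
    if len(parts) != 3 or parts[:2] != ["agents", "inbox"]:
        return False, "not an inbox topic"
    if env.get("to") != parts[2]:
        return False, "recipient mismatch"      # envelope does not match the topic it arrived on
    key = AGENT_KEYS.get(env.get("from"))
    if key is None:
        return False, "unknown sender"          # rogue client with no provisioned key
    mac = env.get("mac")
    if not mac:
        return False, "missing mac"             # direct publish that skipped the supervision layer
    expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad mac"                 # tampered payload or forged sender
    if not isinstance(env.get("ts"), (int, float)) or abs(now - env["ts"]) > MAX_AGE_S:
        return False, "stale timestamp"         # replayed envelope
    return True, "ok"

def mirror_record(topic, env, verdict):
    """Record the supervision layer would stream to agents/mirror, including the verdict."""
    return {"topic": MIRROR_TOPIC, "source_topic": topic, "from": env.get("from"),
            "accepted": verdict[0], "reason": verdict[1]}
```

Streaming the verdict to the mirror topic (rather than only the raw message) makes a bypass attempt visible to the human monitor instead of silently failing.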