More Web Proxy on the site http://driver.im/

research-article

An attack scenario and mitigation mechanism for enterprise BYOD environments

Authors:

Shachar Siboni,

Yuval EloviciAuthors Info & Claims

ACM SIGAPP Applied Computing Review, Volume 18, Issue 2

Pages 5 - 21

https://doi.org/10.1145/3243064.3243065

Published: 26 July 2018 Publication History

Abstract

The recent proliferation of the Internet of Things (IoT) technology poses major security and privacy concerns. Specifically, the use of personal IoT devices, such as tablets, smartphones, and even smartwatches, as part of the Bring Your Own Device (BYOD) trend, may result in severe network security breaches in enterprise environments. Such devices increase the attack surface by weakening the digital perimeter of the enterprise network and opening new points of entry for malicious activities. In this paper we demonstrate a novel attack scenario in an enterprise environment by exploiting the smartwatch device of an innocent employee. Using a malicious application running on a suitable smartwatch, the device imitates a real Wi-Fi direct printer service in the network. Using this attack scenario, we illustrate how an advanced attacker located outside of the organization can leak/steal sensitive information from the organization by utilizing the compromised smartwatch as a means of attack. An attack mitigation process and countermeasures are suggested in order to limit the capability of the remote attacker to execute the attack on the network, thus minimizing the data leakage by the smartwatch.

References

[1]

Atzori, L., Iera, A., & Morabito, G. (2010). The internet of things: A survey. Computer networks, 54(15), 2787--2805.

Digital Library

[2]

Whitmore, A., Agarwal, A., & Da Xu, L. (2015). The Internet of Things---A survey of topics and trends. Information Systems Frontiers, 17(2), 261--274.

Digital Library

[3]

Weber, R. H. (2010). Internet of Things-New security and privacy challenges. Computer law & security review, 26(1), 23--30.

[4]

Sicari, S., Rizzardi, A., Grieco, L. A., & Coen-Porisini, A. (2015). Security, privacy and trust in Internet of Things: The road ahead. Computer Networks, 76, 146--164.

Digital Library

[5]

Patton, M., Gross, E., Chinn, R., Forbis, S., Walker, L., & Chen, H. (2014, September). Uninvited connections: a study of vulnerable devices on the internet of things (IoT). In Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint (pp. 232--235). IEEE.

Digital Library

[6]

Swan, M. (2012). Sensor mania! The internet of things, wearable computing, objective metrics, and the quantified self 2.0. Journal of Sensor and Actuator Networks, 1(3), 217--253.

[7]

ForeScout, 2016, Know Your IoT Security Risk: How Hackable is Your Smart Enterprise? ForeScout IoT Enterprise Risk Report. Available on-line 16/9/2017. https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf

[8]

Singh, N. (2012). BYOD genie is out of the bottle-"Devil or angel". Journal of Business Management & Social Sciences Research, 1(3), 1--12.

[9]

Koh, E. B., Oh, J., & Im, C. (2014). A study on security threats and dynamic access control technology for BYOD, smart-work environment. In Proceedings of the International MultiConference of Engineers and Computer Scientists (Vol. 2, pp. 1--6).

[10]

Bi, Z., Da Xu, L., & Wang, C. (2014). Internet of things for enterprise systems of modern manufacturing. IEEE Transactions on industrial informatics, 10(2), 1537--1546.

[11]

Duncan, B., Happe, A., & Bratterud, A. (2016, December). Enterprise IoT security and scalability: how unikernels can improve the status Quo. In Utility and Cloud Computing (UCC), 2016 IEEE/ACM 9th International Conference on (pp. 292--297). IEEE.

Digital Library

[12]

Chang, S. I., Huang, A., Chang, L. M., & Liao, J. C. (2016). Risk factors of enterprise internal control: Governance refers to internet of things (iot) environment. RISK.

[13]

Duncan, B., Whittington, M., & Chang, V. Enterprise Security and Privacy: Why Adding IoT and Big Data Makes It So Much More Difficult.

[14]

Xiaohui, X., 2013, June. Study on security problems and key technologies of the internet of things. In Computational and Information Sciences (ICCIS), 2013 Fifth International Conference on (pp. 407--410). IEEE.

Digital Library

[15]

Myerson, J. M. (2002). Identifying enterprise network vulnerabilities. International Journal of Network Management, 12(3), 135--144.

Digital Library

[16]

Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2015). Advanced social engineering attacks. Journal of Information Security and applications, 22, 113--122.

Digital Library

[17]

Yu, Y., & Chiueh, T. C. (2004). Enterprise digital rights management: Solutions against information theft by insiders. Research Proficiency Examination (RPE) report TR-169, Department of Computer Science, Stony Brook University.

[18]

Nurse, J. R., Erola, A., Agrafiotis, I., Goldsmith, M., & Creese, S. (2015, September). Smart insiders: exploring the threat from insiders using the internet-of-things. In Secure Internet of Things (SIoT), 2015 International Workshop on (pp. 5--14). IEEE.

Digital Library

[19]

Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y., 2016. Advanced security testbed framework for wearable IoT devices. ACM Transactions on Internet Technology (TOIT), 16(4), p.26.

Digital Library

[20]

Gordon Lyon. 2009. Nmap-Free security scanner for network exploration and security audits. https://nmap.org/.

[21]

Aircrack-ng, a complete suite of tools to assess Wi-Fi network security. https://www.aircrack-ng.org/.

[22]

Gerald Combs. 2007. Wireshark-A network protocol analyzer. https://www.wireshark.org/.

[23]

Toh, J., Hatib, M., Porzecanski, O. and Elovici, Y., 2017, April. Cyber security patrol: detecting fake and vulnerable wifi-enabled printers. In Proceedings of the Symposium on Applied Computing (pp. 535--542). ACM.

Digital Library

[24]

Homedale Wi-Fi/WLAN monitor tool, http://www.the-sz.com/products/homedale/.

[25]

Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12), 5--8.

[26]

Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: Security and privacy considerations. It Professional, 14(5), 53--55.

Digital Library

[27]

Nessus, a network vulnerability scanner, Tenable Network Security, http://www.tenable.com/products/nessus-vulnerability-scanner.

[28]

Retina, a network security scanner, BeyondTrust, https://www.beyondtrust.com/products/retina-network-security-scanner/.

[29]

NVD CVSS Calculator, https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator.

[30]

Beyah, R., & Venkataraman, A. (2011). Rogue-access-point detection: Challenges, solutions, and future directions. IEEE Security & Privacy, 9(5), 56--61.

Digital Library

[31]

Lewis, A., Li, Y., & Xie, M. (2016, October). Real time motion-based authentication for smartwatch. In Communications and Network Security (CNS), 2016 IEEE Conference on (pp. 380--381). IEEE.

[32]

Migicovsky, A., Durumeric, Z., Ringenberg, J., & Halderman, J. A. (2014, March). Outsmarting proctors with smartwatches: A case study on wearable computing security. In International Conference on Financial Cryptography and Data Security (pp. 89--96). Springer, Berlin, Heidelberg.

[33]

Denney, K., Uluagac, A. S., Akkaya, K., & Saputro, N. Demonstration of A Novel Storage Covert Channel on Android Smartwatch Using Status Bar Notifications.

[34]

Wang, H., Lai, T. T. T., & Roy Choudhury, R. (2015, September). Mole: Motion leaks through smartwatch sensors. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking (pp. 155--166). ACM.

Digital Library

[35]

Maiti, A., Jadliwala, M., He, J., & Bilogrevic, I. (2015, September). (Smart) watch your taps: side-channel keystroke inference attacks using smartwatches. In Proceedings of the 2015 ACM International Symposium on Wearable Computers (pp. 27--30). ACM.

Digital Library

[36]

Liu, X., Zhou, Z., Diao, W., Li, Z., & Zhang, K. (2015, October). When good becomes evil: Keystroke inference with smartwatch. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1273--1285). ACM.

Digital Library

[37]

Sarkisyan, A., Debbiny, R., & Nahapetian, A. (2015, November). WristSnoop: Smartphone PINs prediction using smartwatch motion sensors. In Information Forensics and Security (WIFS), 2015 IEEE International Workshop on (pp. 1--6). IEEE.

[38]

Torre, I., Koceva, F., Sanchez, O. R., & Adorni, G. (2016, December). Fitness trackers and wearable devices: how to prevent inference risks? In Proceedings of the 11th EAI International Conference on Body Area Networks (pp. 125--131). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).

Digital Library

[39]

Nahapetian, A. (2016, January). Side-channel attacks on mobile and wearable systems. In Consumer Communications & Networking Conference (CCNC), 2016 13th IEEE Annual (pp. 243--247). IEEE.

Digital Library

[40]

Suarez-Tangil, G., Tapiador, J. E., Peris-Lopez, P., & Ribagorda, A. (2014). Evolution, detection and analysis of malware for smart devices. IEEE Communications Surveys & Tutorials, 16(2), 961--987.

[41]

Liu, J., & Sun, W. (2016). Smart Attacks against Intelligent Wearables in People-Centric Internet of Things. IEEE Communications Magazine, 54(12), 44--49.

Digital Library

[42]

Vanhoef, M., & Piessens, F. (2014, December). Advanced Wi-Fi attacks using commodity hardware. In Proceedings of the 30th Annual Computer Security Applications Conference (pp. 256--265). ACM.

Digital Library

[43]

Mónica, D., & Ribeiro, C. (2011, September). Wifihopmitigating the evil twin attack through multi-hop detection. In European Symposium on Research in Computer Security (pp. 21--39). Springer, Berlin, Heidelberg.

Digital Library

[44]

Tokuyoshi, B. (2013). The security implications of BYOD. Network Security, 2013(4), 12--13.

[45]

Eslahi, M., Naseri, M. V., Hashim, H., Tahir, N. M., & Saad, E. H. M. (2014, April). BYOD: Current state and security challenges. In Computer Applications and Industrial Electronics (ISCAIE), 2014 IEEE Symposium on (pp. 189--192). IEEE.

[46]

Rivera, D., George, G., Peter, P., Muralidharan, S., & Khanum, S. (2013). Analysis of security controls for BYOD (bring your own device).

[47]

Costantino, G., Martinelli, F., Saracino, A., & Sgandurra, D. (2013, December). Towards enforcing on-the-fly policies in BYOD environments. In Information Assurance and Security (IAS), 2013 9th International Conference on (pp. 61--65). IEEE.

[48]

Tanimoto, S., Yamada, S., Iwashita, M., Kobayashi, T., Sato, H., & Kanai, A. (2016, October). Risk assessment of BYOD: bring your own device. In Consumer Electronics, 2016 IEEE 5th Global Conference on (pp. 1--4). IEEE.

[49]

Ratchford, M., Wang, P., & Sbeit, R. O. (2018). BYOD Security Risks and Mitigations. In Information Technology-New Generations (pp. 193--197). Springer, Cham.

[50]

Uma, M., & Padmavathi, G. (2013). A Survey on Various Cyber Attacks and their Classification. IJ Network Security, 15(5), 390--396.

[51]

Chen, C. M., Yang, P. Y., Ou, Y. H., & Hsiao, H. W. (2014, May). Targeted Attack Prevention at Early Stage. In Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on (pp. 866--870). IEEE.

Digital Library

[52]

Le, T. M., Liu, R. P., & Hedley, M. (2012, September). Rogue access point detection and localization. In Personal Indoor and Mobile Radio Communications (PIMRC), 2012 IEEE 23rd International Symposium on (pp. 2489--2493). IEEE.

[53]

Anmulwar, S., Srivastava, S., Mahajan, S. P., Gupta, A. K., & Kumar, V. (2014, February). Rogue access point detection methods: A review. In Information Communication and Embedded Systems (ICICES), 2014 International Conference on (pp. 1--6). IEEE.

[54]

Conti, M., Delmastro, F., Minutiello, G., & Paris, R. (2013, November). Experimenting opportunistic networks with WiFi Direct. In Wireless Days (WD), 2013 IFIP (pp. 1--6). IEEE

[55]

SmartGeekWrist, 11 Best Standalone Smartwatch With Sim Card You Need to Check. Available on-line 23/9/2017. https://www.smartgeekwrist.com/standalone-smartwatch-sim-card/.

Cited By

Almubairik NAlam Khan F(2025)Systematic Literature Review on Wearable Digital Forensics: Acquisition Methods, Analysis Techniques, Tools, and Future DirectionsIEEE Internet of Things Journal10.1109/JIOT.2024.348502712:2(1320-1342)Online publication date: 15-Jan-2025
https://doi.org/10.1109/JIOT.2024.3485027
Hai Goh CPing Teoh A(2021)Determining Bring Your Own Device (Byod) Security Policy Compliance Among Malaysian Teleworkers: Perceived Cybersecurity Governance as Moderator2021 IEEE 5th International Conference on Information Technology, Information Systems and Electrical Engineering (ICITISEE)10.1109/ICITISEE53823.2021.9655895(305-310)Online publication date: 24-Nov-2021
https://doi.org/10.1109/ICITISEE53823.2021.9655895
Meidan YSachidananda VPeng HSagron RElovici YShabtai A(2020)A novel approach for detecting vulnerable IoT devices connected behind a home NATComputers & Security10.1016/j.cose.2020.10196897(101968)Online publication date: Oct-2020
https://doi.org/10.1016/j.cose.2020.101968
Show More Cited By

Index Terms

An attack scenario and mitigation mechanism for enterprise BYOD environments
1. Security and privacy

Recommendations

Leaking data from enterprise networks using a compromised smartwatch device
SAC '18: Proceedings of the 33rd Annual ACM Symposium on Applied Computing

The recent proliferation of the Internet of Things (IoT) technology poses major security and privacy concerns. Specifically, the use of personal IoT devices, such as tablets, smartphones, and even smartwatches, as part of the Bring Your Own Device (BYOD)...
A Lightweight Vulnerability Mitigation Framework for IoT Devices
IoTS&P '17: Proceedings of the 2017 Workshop on Internet of Things Security and Privacy

Many of today's Internet of Things (IoT) devices are vulnerable due to the large amount of overhead incurred when their operating systems are patched against emerging vulnerabilities. In addition, legacy IoT devices are no longer supported by their ...
Securing MQTT: unveiling vulnerabilities and innovating cyber range solutions
Abstract
The Message Queuing Telemetry Transport (MQTT) protocol, widely used in various industries for Machine-to-Machine (M2M) communication, plays a central role in the IoT architecture. However, despite its widespread adoption, an analysis conducted on ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGAPP Applied Computing Review

ACM SIGAPP Applied Computing Review Volume 18, Issue 2

June 2018

52 pages

ISSN:1559-6915

EISSN:1931-0161

DOI:10.1145/3243064

Editor:
Sung Y. Shin

Issue’s Table of Contents

Copyright © 2018 Authors.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 July 2018

Published in SIGAPP Volume 18, Issue 2

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
497
Total Downloads

Downloads (Last 12 months)23
Downloads (Last 6 weeks)2

Reflects downloads up to 28 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Almubairik NAlam Khan F(2025)Systematic Literature Review on Wearable Digital Forensics: Acquisition Methods, Analysis Techniques, Tools, and Future DirectionsIEEE Internet of Things Journal10.1109/JIOT.2024.348502712:2(1320-1342)Online publication date: 15-Jan-2025
https://doi.org/10.1109/JIOT.2024.3485027
Hai Goh CPing Teoh A(2021)Determining Bring Your Own Device (Byod) Security Policy Compliance Among Malaysian Teleworkers: Perceived Cybersecurity Governance as Moderator2021 IEEE 5th International Conference on Information Technology, Information Systems and Electrical Engineering (ICITISEE)10.1109/ICITISEE53823.2021.9655895(305-310)Online publication date: 24-Nov-2021
https://doi.org/10.1109/ICITISEE53823.2021.9655895
Meidan YSachidananda VPeng HSagron RElovici YShabtai A(2020)A novel approach for detecting vulnerable IoT devices connected behind a home NATComputers & Security10.1016/j.cose.2020.10196897(101968)Online publication date: Oct-2020
https://doi.org/10.1016/j.cose.2020.101968
Harthy KShah N(2019)BYOD Security and Risk Challenges in Oman OrganisationsAdvances in E-Business Engineering for Ubiquitous Computing10.1007/978-3-030-34986-8_21(290-301)Online publication date: 28-Nov-2019
https://doi.org/10.1007/978-3-030-34986-8_21

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents