Characterizing the Security Facets of IoT Device Setup
Authors: 
Han Yang, Carson Kuzniar, Chengyan Jiang, Ioanis Nikolaidis, Israat HaqueAuthors Info & Claims
Pages 612 - 621
Abstract
In this work, we characterize the potential information leakage from IoT platforms during their setup phase. Setup involves an IoT device, its ''app'', and a cloud-based service. We assume that the on-device firmware is inaccessible, e.g., read-protected. We focus on the combination of information that can be extracted from analyzing the app and the local communication between the app and the IoT device. An attacker can trivially obtain the app, analyze its operation, and potentially eavesdrop on the wireless communication occurring during the setup phase. We develop a semi-automated general methodology involving off-the-shelf tools to examine information disclosure during the setup phase. We tested our methodology on twenty commodity-grade IoT devices. The outcome reveals a wide range of device-dependent choices for encryption at various layers and the potential for exposure of, among other things, device-identifying information and local networking (WiFi) credentials. Our methodology contributes towards a means to assess and ''certify'' IoT devices.
References
[1]
Anand Agrawal and Rajib Ranjan Maiti. 2023. iTieProbe: Is Your IoT Setup Secure against (Modern) Evil Twin? https://doi.org/10.48550/ARXIV.2304.12041 Publisher: arXiv Version Number: 2.
[2]
Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In 2019 IEEE Symposium on Security and Privacy (SP). 1362--1380. https://doi.org/10.1109/SP.2019.00013
[3]
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. ACM SIGPLAN Notices, Vol. 49, 6 (June 2014), 259--269. https://doi.org/10.1145/2666356.2594299
[4]
Bluetooth Special Interest Group. 2014. Bluetooth Core Specification Version 4.2. https://www.bluetooth.com/specifications/specs/core-specification-4--2/
[5]
Z. Berkay Celik, Leonardo Babun, Amit Kumar Sikder, Hidayet Aksu, Gang Tan, Patrick McDaniel, and A. Selcuk Uluagac. 2018. Sensitive Information Tracking in Commodity IoT. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 1687--1704. https://www.usenix.org/conference/usenixsecurity18/presentation/celik
[6]
Jiongyi Chen, Menghan Sun, and Kehuan Zhang. 2019. Security Analysis of Device Binding for IP-based IoT Devices. In 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops). 900--905. https://doi.org/10.1109/PERCOMW.2019.8730580
[7]
Jiongyi Chen, Chaoshun Zuo, Wenrui Diao, Shuaike Dong, Qingchuan Zhao, Menghan Sun, Zhiqiang Lin, Yinqian Zhang, and Kehuan Zhang. 2019. Your IoTs Are (Not) Mine: On the Remote Binding Between IoT Devices and Users. In 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, Portland, OR, USA, 222--233. https://doi.org/10.1109/DSN.2019.00034
[8]
Aldo Cortesi, Maximilian Hils, Thomas Kriechbaumer, and contributors. 2010--. mitmproxy: A free and open source interactive HTTPS proxy. https://mitmproxy.org/ [Version 10.3].
[9]
Rostand A. K. Fezeu, Timothy J. Salo, Amy Zhang, and Zhi-Li Zhang. 2023. Dissecting IoT Device Provisioning Process. http://arxiv.org/abs/2310.14125 arXiv:2310.14125 [cs].
[10]
Frida. 2012. Frida: A dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. https://github.com/frida.
[11]
Dennis Giese and Guevara Noubir. 2021. Amazon echo dot or the reverberating secrets of IoT devices. In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '21). Association for Computing Machinery, New York, NY, USA, 13--24. https://doi.org/10.1145/3448300.3467820
[12]
Google. 2023. KeyStore (Java Platform SE). https://developer.android.com/reference/java/security/KeyStore.
[13]
Google. 2024. Shrink, obfuscate, and optimize your app. https://developer.android.com/build/shrink-code.
[14]
Hex-Rays SA. 2008. IDA Pro. https://hex-rays.com/ida-pro/.
[15]
Texas Instruments. 2019. provisioning_smartconfig README. https://software-dl.ti.com/ecs/CC3200SDK/1_5_0/exports/cc3200-sdk/example/provisioning_smartconfig/README.html.
[16]
Umar Iqbal, Pouneh Nikkhah Bahrami, Rahmadi Trimananda, Hao Cui, Alexander Gamero-Garrido, Daniel J. Dubois, David Choffnes, Athina Markopoulou, Franziska Roesner, and Zubair Shafiq. 2023. Tracking, Profiling, and Ad Targeting in the Alexa Echo Smart Speaker Ecosystem. In Proceedings of the 2023 ACM on Internet Measurement Conference. ACM, Montreal QC Canada, 569--583. https://doi.org/10.1145/3618257.3624803
[17]
Jadx. 2004. jadx: Dex to Java decompiler. https://github.com/skylot/jadx.
[18]
Christopher Lentzsch, Sheel Jayesh Shah, Benjamin Andow, Martin Degeling, Anupam Das, and William Enck. 2021. Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem. In Proceedings 2021 Network and Distributed System Security Symposium. Internet Society, Virtual. https://doi.org/10.14722/ndss.2021.23111
[19]
Changyu Li, Quanpu Cai, Juanru Li, Hui Liu, Yuanyuan Zhang, Dawu Gu, and Yu Yu. 2018. Passwords in the Air: Harvesting Wi-Fi Credentials from SmartCfg Provisioning. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks. ACM, Stockholm Sweden, 1--11. https://doi.org/10.1145/3212480.3212496
[20]
Hui Liu, Juanru Li, and Dawu Gu. 2020. Understanding the security of app-in-the-middle IoT. Computers & Security, Vol. 97 (Oct. 2020), 102000. https://doi.org/10.1016/j.cose.2020.102000
[21]
Jouni Malinen. 2013. hostapd: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/WPA3/EAP/RADIUS Authenticator. https://w1.fi/hostapd/.
[22]
The netsniff-ng team. 2013. netsniff-ng. https://github.com/netsniff-ng/netsniff-ng.
[23]
Oberlo. 2024. US Smart Home Statistics (2019--2028). https://www.oberlo.com/statistics/smart-home-statistics.
[24]
Protoscope. 2022. Protoscope: An interactive tool for analyzing protocol buffers. https://github.com/protocolbuffers/protoscope.
[25]
R0capture. 2020. r0capture: A universal SSL/HTTPS interception for most Android applications. https://github.com/r0ysue/r0capture.
[26]
ReFirmLabs. 2015. Binwalk: Firmware Analysis Tool. https://github.com/ReFirmLabs/binwalk.
[27]
Nordic Semiconductor. 2019. nRF Sniffer for 802.15.4. https://github.com/NordicSemiconductor/nRF-Sniffer-for-802.15.4.
[28]
Maurizio Siddu. 2020. Frida multiple unpinning. https://gist.github.com/akabe1/5632cbc1cd49f0237cbd0a93bc8e4452.
[29]
Yuan Tian, Nan Zhang, Yueh-Hsun Lin, XiaoFeng Wang, Blase Ur, Xianzheng Guo, and Patrick Tague. 2017. SmartAuth: User-Centered Authorization for the Internet of Things. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 361--378. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tian
[30]
Mengmei Ye, Nan Jiang, Hao Yang, and Qiben Yan. 2017. Security analysis of Internet-of-Things: A case study of august smart lock. In 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, Atlanta, GA, 499--504. https://doi.org/10.1109/INFCOMW.2017.8116427
[31]
Yiwei Zhang, Siqi Ma, Tiancheng Chen, Juanru Li, Robert H. Deng, and Elisa Bertino. 2024. EvilScreen Attack: Smart TV Hijacking via Multi-Channel Remote Control Mimicry. IEEE Transactions on Dependable and Secure Computing, Vol. 21, 4 (2024), 1544--1556. https://doi.org/10.1109/TDSC.2023.3286182
[32]
Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. 2019. Discovering and Understanding the Security Hazards in the Interactions between IoT Devices, Mobile Apps, and Clouds on Smart Home Platforms. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1133--1150. https://www.usenix.org/conference/usenixsecurity19/presentation/zhou
[33]
Qingsong Zou, Qing Li, Ruoyu Li, Yucheng Huang, Gareth Tyson, Jingyu Xiao, and Yong Jiang. 2022. IoTBeholder: A Privacy Snooping Attack on User Habitual Behaviors from Smart Home Wi-Fi Traffic. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, Vol. 7, 1 (March 2022), 1--26. https://doi.org/10.1145/3580890
[34]
Chaoshun Zuo, Haohuang Wen, Zhiqiang Lin, and Yinqian Zhang. 2019. Automatic Fingerprinting of Vulnerable BLE IoT Devices with Static UUIDs from Mobile Apps. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. ACM, London United Kingdom, 1469--1483. https://doi.org/10.1145/3319535.3354240
Index Terms
- Characterizing the Security Facets of IoT Device Setup
Recommendations
Who's In Control? On Security Risks of Disjointed IoT Device Management Channels
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications SecurityAn IoT device today can be managed through different channels, e.g., by its device manufacturer's app, or third-party channels such as Apple's Home app, or a smart speaker. Supporting each channel is a management framework integrated in the device and ...
Landscape of IoT security
AbstractThe last two decades have experienced a steady rise in the production and deployment of sensing-and-connectivity-enabled electronic devices, replacing “regular” physical objects. The resulting Internet-of-Things (IoT) will soon become ...
Secure IoT framework and 2D architecture for End-To-End security
In this paper, we proposed an secure IoT framework to ensure an End-To-End security from an IoT application to IoT devices. The proposed IoT framework consists of the IoT application, an IoT broker and the IoT devices. The IoT devices can be deployed ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
November 2024
812 pages
ISBN:9798400705922
DOI:10.1145/3646547
- General Chairs:
- Narseo Vallina-Rodríguez,
- Guillermo Suarez-Tángil,
- Program Chairs:
- Dave Levin,
- Cristel Pelsser
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 04 November 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
Conference
IMC '24
Sponsor:
Acceptance Rates
Overall Acceptance Rate 277 of 1,083 submissions, 26%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 118Total Downloads
- Downloads (Last 12 months)118
- Downloads (Last 6 weeks)47
Reflects downloads up to 11 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in