research-article
DOI: 10.1145/3301417.3312499

Security Analysis of Devolo HomePlug Devices

Published: 25 March 2019

Abstract

Vulnerabilities in smart devices are often particularly severe from a privacy point of view. If these devices form central components of the underlying infrastructure, such as Wi-Fi repeaters, even an entire network may be compromised. The devastating effects of such a compromise recently became evident in light of the Mirai botnet. In this paper, we conduct a thorough security analysis of so-called HomePlug devices, which are used to establish network communication over power lines. We identify multiple security issues and find that hundreds of vulnerable devices are openly connected to the Internet across Europe. 87 % run outdated firmware, showing the deficiency of manual updates in comparison to automatic ones. However, even the default configurations of updated devices lack basic security mechanisms.

Cited By

  • (2021) Recent Technologies, Security Countermeasure and Ongoing Challenges of Industrial Internet of Things (IIoT): A Survey. Sensors 21:19 (6647). DOI: 10.3390/s21196647. Online publication date: 6-Oct-2021
  • (2020) Privacy Attack On IoT: a Systematic Literature Review. 2020 International Conference on ICT for Smart Society (ICISS) (1-8). DOI: 10.1109/ICISS50791.2020.9307568. Online publication date: 19-Nov-2020
  • (2020) Powerless Security. Applied Cryptography and Network Security (213-232). DOI: 10.1007/978-3-030-57878-7_11. Online publication date: 29-Aug-2020

Published In

EuroSec '19: Proceedings of the 12th European Workshop on Systems Security
March 2019
59 pages
ISBN: 9781450362740
DOI: 10.1145/3301417

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EuroSys '19
EuroSys '19: Fourteenth EuroSys Conference 2019
March 25 - 28, 2019
Dresden, Germany

Acceptance Rates

EuroSec '19 Paper Acceptance Rate 9 of 25 submissions, 36%;
Overall Acceptance Rate 47 of 113 submissions, 42%

Article Metrics

  • Downloads (Last 12 months): 5
  • Downloads (Last 6 weeks): 1

Reflects downloads up to 11 Dec 2024
