automatic fingerprinting of vulnerable ble iot devices
play

Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static - PowerPoint PPT Presentation

Jan 03, 2024 •433 likes •1.19k views

Computer Security Laboratory Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static UUIDs From Mobile Apps Chaoshun Zuo, Haohuang Wen , Zhiqiang Lin, and Yinqian Zhang Department of Computer Science and Engineering The Ohio State

  1. Computer Security Laboratory Automatic Fingerprinting Of Vulnerable BLE IoT Devices With Static UUIDs From Mobile Apps Chaoshun Zuo, Haohuang Wen , Zhiqiang Lin, and Yinqian Zhang Department of Computer Science and Engineering The Ohio State University CCS 2019 T HE O HIO S TATE U NIVERSITY

  2. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Bluetooth Low Energy and IoT 2 / 37

  3. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References BLE IoT Devices and Companion Apps BLE IoT Devices 3 / 37

  4. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References BLE IoT Devices and Companion Apps Companion Mobile Apps BLE IoT Devices 3 / 37

  5. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of Device Communication in TCP/IP Setting Device OS App 4 / 37

  6. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of Device Communication in TCP/IP Setting Device OS App 1. Listen to port 443 4 / 37

  7. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of Device Communication in TCP/IP Setting Device OS App 1. Listen to port 443 2. <Request, 192.168.1.1, port 443> 4 / 37

  8. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of Device Communication in TCP/IP Setting Device OS App 1. Listen to port 443 2. <Request, 192.168.1.1, port 443> 3. Connect 4 / 37

  9. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of Device Communication in TCP/IP Setting Device OS App 1. Listen to port 443 2. <Request, 192.168.1.1, port 443> 3. Connect 4. Communication 4 / 37

  10. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of BLE IoT Devices and Companion Apps 5 / 37

  11. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of BLE IoT Devices and Companion Apps 5 / 37

  12. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of BLE IoT Devices and Companion Apps 5 / 37

  13. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of BLE IoT Devices and Companion Apps 5 / 37

  14. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of BLE IoT Devices and Companion Apps 5 / 37

  15. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of BLE IoT Devices and Companion Apps 5 / 37

  16. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References General Workflow of BLE IoT Devices and Companion Apps 5 / 37

  17. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Our Observations A BLE Broadcast Packet 6 / 37

  18. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Our Observations A BLE Broadcast Packet Decompiled Code in a Companion App 6 / 37

  19. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Our Observations Key Insights 1 UUIDs are broadcasted by BLE IoT devices to nearby smartphones. 2 UUIDs are static. 3 Mobile apps contain UUIDs. 4 Mobile apps identify target BLE IoT devices based on their broadcast UUIDs. 7 / 37

  20. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Hierarchy of UUIDs Service name: KINSA_SERVICE uuid: 00000000-006a-746c-6165… characteristics: name: REQUEST_CHARACTERISTIC uuid: 00000004-006a-746c-6165… descriptors: […] name: RESPONSE_CHARACTERISTIC uuid: 00000002-006a-746c-6165… descriptors: […] Service name: BATTERY_SERVICE uuid: 180F characteristics: […] … 8 / 37

  21. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Hierarchy of UUIDs Service name: KINSA_SERVICE uuid: 00000000-006a-746c-6165… characteristics: name: REQUEST_CHARACTERISTIC uuid: 00000004-006a-746c-6165… descriptors: […] name: RESPONSE_CHARACTERISTIC uuid: 00000002-006a-746c-6165… descriptors: […] Service name: BATTERY_SERVICE uuid: 180F characteristics: […] … 8 / 37

  22. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References How to Fingerprint a BLE IoT Device with Static UUIDs Static Analysis Static UUIDs 9 / 37

  23. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References How to Fingerprint a BLE IoT Device with Static UUIDs Static Analysis Static UUIDs Sniff Advertised Sniffed UUIDs BLE Packets 9 / 37

  24. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References How to Fingerprint a BLE IoT Device with Static UUIDs Static Analysis Static UUIDs Fingerprinting BLE IoT Sniff Advertised Device Sniffed UUIDs BLE Packets 9 / 37

  25. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Application of BLE IoT Device Fingerprinting Static Analysis Static UUIDs Fingerprinting Vulnerabilities Sniff Advertised Sniffed UUIDs BLE Packets 10 / 37

  26. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Application of BLE IoT Device Fingerprinting Static Analysis Static UUIDs Fingerprinting Vulnerabilities Vulnerable Sniff Advertised Device Sniffed UUIDs BLE Packets 10 / 37

  27. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Our Contributions 1 Novel Discovery . We are the first to discover BLE IoT devices can be fingerprinted with static UUIDs. 2 Effective Techniques . We have implemented an automatic tool BLEScope to harvest UUIDs and detect vulnerabilities from mobile apps. 3 Evaluation . We have tested our tool with 18 , 166 BLE mobile apps from Google Play store, and found 168 , 093 UUIDs and 1 , 757 vulnerable BLE IoT apps. 4 Countermeasures. We present channel-level protection, app-level protection, and protocol-level protection (with dynamic UUID generation). 11 / 37

  28. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Overview of BLEScope Android APKs 1 Value-set Analysis UUID & Hierarchy 12 / 37

  29. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Overview of BLEScope Android APKs 1 Value-set Analysis UUID & Hierarchy Sniffed UUID Fingerprinting Advertisement UUIDs 2 Fingerprint-able Devices 12 / 37

  30. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Overview of BLEScope Android APKs 1 Value-set Analysis UUID & Hierarchy Sniffed App-level Vulnerability 2 UUID Fingerprinting Advertisement Identification UUIDs 3 2 Fingerprint-able Unauthorized Sniffable- Devices Accessible Devices Devices 12 / 37

  31. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Challenges and Insights Challenges 1 How to extract UUIDs from mobile apps 2 How to reconstruct UUID hierarchy 3 How to identify flawed authentication vulnerability 13 / 37

  32. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Challenges and Insights Challenges 1 How to extract UUIDs from mobile apps 2 How to reconstruct UUID hierarchy 3 How to identify flawed authentication vulnerability Solutions 1 Resolving UUIDs using context and value-set analysis 2 Reconstructing UUID hierarchy with control dependence 3 Identifying flawed authentication with data dependence 13 / 37

  33. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Value Set Analysis Android APKs 1 Value-set Analysis UUID & Hierarchy Sniffed App-level Vulnerability 2 UUID Fingerprinting Advertisement Identification UUIDs 3 2 Fingerprint-able Unauthorized Sniffable- Devices Accessible Devices Devices 14 / 37

  34. Introduction Our Discovery BLEScope Evaluation Countermeasure Related Work Summary References Value Set Analysis Android APKs Category API Name 1 BluetoothGatt: BluetoothGattService getService BluetoothGattService: BluetoothGattCharacteristic getCharacteristic Value-set Analysis UUID & Hierarchy BluetoothGattCharacteristic: BluetoothGattDescriptor getDescriptor UUID ScanFilter.Builder: ScanFilter.Builder setServiceUuid ScanFilter.Builder: ScanFilter.Builder setServiceUuid ScanFilter.Builder: ScanFilter.Builder setServiceData Sniffed App-level Vulnerability 2 UUID Fingerprinting Advertisement Identification ScanFilter.Builder: ScanFilter.Builder setServiceData UUIDs 3 2 Table: APIs for UUID extraction and hierarchy reconstruction Fingerprint-able Unauthorized Sniffable- Devices Accessible Devices Devices 14 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using clock-skewing Renaud Lifchitz renaud.lifchitz@gmail.com #HES2010 8,9,10 April 2010 Paris, France Presenter's bio French computer security

644 views • 35 slides
Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the

Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the

Using Guided Missiles in Drive-bys Automatic browser fingerprinting and exploitation with the Metasploit Framework James Lee # whoami James Lee egypt Developer, Metasploit Project Co-Founder, Teardrop Security Member,

738 views • 35 slides
A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

Introduction Overview Detailed Design Evaluation Related Work Conclusion References A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services Chaoshun Zuo, Qingchuan Zhao , Zhiqiang Lin University of Texas at

1.4k views • 103 slides
k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes University College London August 12, 2016 1/24 How does website fingerprinting work? - Training Tor network Relay 2 Adversary Relay 1

988 views • 24 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting June 28, 2018 1 / 35 Outline What is Acoustic Fingerprinting 1 Fingerprinting for Music Identification 2 Spectrograms 3 History 4 My

743 views • 35 slides
BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC

BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC

BAYES AT 10+GBPS: IDENTIFYING MALICIOUS AND VULNERABLE PROCESSES FROM PASSIVE TRAFFIC FINGERPRINTING DAVID McGREW, PhD CISCO FELLOW mcgrew@cisco.com FLOCON 2020 PEOPLE David McGrew Blake Anderson Brandon Enright Adam Weller Lucas

561 views • 23 slides
Inverse Design and Automatic Differentiation for Optical Devices Ian Williamson and Momchil Minkov

Inverse Design and Automatic Differentiation for Optical Devices Ian Williamson and Momchil Minkov

Inverse Design and Automatic Differentiation for Optical Devices Ian Williamson and Momchil Minkov Stanford University Optical Society Workshop Nov 21, 2019 https:// github.com / fancompute / workshop-invdesign 2 Workshop outline Brief

800 views • 38 slides
Do You Hear What I Hear? Fingerprintin Smart Devices Through Embedded Acoustic Components A.Das,

Do You Hear What I Hear? Fingerprintin Smart Devices Through Embedded Acoustic Components A.Das,

Do You Hear What I Hear? Fingerprintin Smart Devices Through Embedded Acoustic Components A.Das, N.Borisov, M.Caesar CCS 2014 Presented by Siddharth Murali Fingerprinting smartphones Being able to uniquely identify a smartphone Why is

416 views • 14 slides
Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas Qualys 7/28/10 Outline Web Apps &amp; Security Existing Fingerprinting Approaches Static File Approach Observations From A Net Survey

832 views • 69 slides
Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Tor website fingerprinting Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2 T.T.N. Marks BSc. K.C.N. Halvemaan BSc. University of Amsterdam System and Network Engineering Research Project #1

664 views • 32 slides
The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019

The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019

The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019 Vulnerable Devices Pacemakers / implantable defibrillators Insulin pumps Infusion pumps Mobile health technologies (mHealth

613 views • 40 slides
Bayes, not Nave Security Bounds on Website Fingerprinting Defenses Giovanni Cherubin Privacy

Bayes, not Nave Security Bounds on Website Fingerprinting Defenses Giovanni Cherubin Privacy

Bayes, not Nave Security Bounds on Website Fingerprinting Defenses Giovanni Cherubin Privacy Enhancing Technologies Symposium Minneapolis, Minnesota, USA 19 July, 2017 @gchers Website Fingerprinting (WF) Encrypted Tunnel Victim

400 views • 20 slides
Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we

Articulus Detecting IP Hijacking Through Server Fingerprinting Research Question How can we detect BGP IP hijacking by probing the at risk subnets to detect suspect change to hosts and subnets. 2 Intro Fingerprinting Avoiding

795 views • 31 slides
Overview System Security Scanning Security Scanning and Discovery Important Security Web

Overview System Security Scanning Security Scanning and Discovery Important Security Web

Overview System Security Scanning Security Scanning and Discovery Important Security Web Sites Fingerprinting OS FingerPrinting IP Stacks Share Scans Chapter 14 SNMP Vulnerabilities FingerPrinting TCP/IP Services

439 views • 8 slides
Clock Around the Clock Time-Based Device Fingerprinting Iskander Sanchez-Rola, Igor Santos,

Clock Around the Clock Time-Based Device Fingerprinting Iskander Sanchez-Rola, Igor Santos,

Clock Around the Clock Time-Based Device Fingerprinting Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti Device Fingerprinting Exploits different features to uniquely identify a machine. The entity interested in computing the fingerprint is

2.42k views • 62 slides
Fingerprinting Requirements for Increased Controls Licensees Chris Einberg, Senior Project

Fingerprinting Requirements for Increased Controls Licensees Chris Einberg, Senior Project

United States Nuclear Regulatory Commission Fingerprinting Requirements for Increased Controls Licensees Chris Einberg, Senior Project Manager Office of Federal and State Materials and Environmental Management Programs Tim Harris, Team Leader

729 views • 45 slides
Visualization for Biometric Evaluation Romain Giot &lt;romain.giot@u-bordeaux.fr&gt; Romain

Visualization for Biometric Evaluation Romain Giot &lt;romain.giot@u-bordeaux.fr&gt; Romain

Visualization for Biometric Evaluation Romain Giot &lt;romain.giot@u-bordeaux.fr&gt; Romain Giot &lt;romain.giot@u-bordeaux.fr&gt; Introduction Who am I ? Work place University of Bordeaux IUT Bordeaux Computer Science

910 views • 63 slides
Feature Selection in Website Fingerprinting Junhua Yan Advisor: Prof. Jasleen Kaur July 24,

Feature Selection in Website Fingerprinting Junhua Yan Advisor: Prof. Jasleen Kaur July 24,

Feature Selection in Website Fingerprinting Junhua Yan Advisor: Prof. Jasleen Kaur July 24, 2019 1/23 Website Fingerprinting Goal: determine the visited website by inspecting network traffic on client side client web Figure: Attacker

831 views • 59 slides
Enabling Privacy-Aware Zone Exchanges Among Authoritative and Recursive DNS Servers Nikos

Enabling Privacy-Aware Zone Exchanges Among Authoritative and Recursive DNS Servers Nikos

Enabling Privacy-Aware Zone Exchanges Among Authoritative and Recursive DNS Servers Nikos Kostopoulos, Dimitris Kalogeras and Vasilis Maglaris NET work M anagement &amp; O ptimal De sign ( NETMODE ) Laboratory School of Electrical &amp; Computer

309 views • 17 slides
Picasso: Light-weight device class fingerprinting for web clients Elie Bursztein , Artem Malyshev,

Picasso: Light-weight device class fingerprinting for web clients Elie Bursztein , Artem Malyshev,

Picasso: Light-weight device class fingerprinting for web clients Elie Bursztein , Artem Malyshev, Tadek Pietraszek, Kurt Thomas Title Interesting story here Subpoint g.co/research/protect Keeping online interactions meaningful

641 views • 32 slides
BIAS BIAS Biometric Identity Assurance Services 6 March 2009 Catherine Tilton W3C Workshop on

BIAS BIAS Biometric Identity Assurance Services 6 March 2009 Catherine Tilton W3C Workshop on

BIAS BIAS Biometric Identity Assurance Services 6 March 2009 Catherine Tilton W3C Workshop on SIV Biometric services Whats missing? Biometric Applications Biometric Resources ? ANSI/NIST-ITL 1-2000/6 ? BioAPI/BIP ? Other ?

257 views • 13 slides
Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 ,

Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 ,

Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 , Moises Goldszmidt 3 , Armando Fox 1 , Dawn Woodard 4 , Hans Andersen 2 1 RAD Lab, UC Berkeley 2 Microsoft 3 Research 4 Cornell University Crisis

664 views • 19 slides
Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest Classification of Internet Traffic To treat special types of traffic in a different manner Some types of classification already seen in Alok

371 views • 9 slides

More recommend