HomeScan: Scrutinizing Implementations of Smart Home Integrations. ICECCS’18, 12 December 2018. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang.


SLIDE 1

HomeScan: Scrutinizing Implementations of Smart Home Integrations

Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang

ICECCS’18, 12 December 2018

SLIDE 2

Background

IoT-enhanced smart home is getting popular

[1] https://www.statista.com/study/42112/smart-home-report/
[2] https://www.juniperresearch.com/press/press-releases/smart-home-revenues-to-reach-$100-billion-by-2020

SLIDE 3

Smart Home Vulnerable to Attacks!

2016: “The biggest DDoS attack in history powered by 150,000 hacked IoT devices.” [1]
2017: “KRACK, the attack on WPA2 protocol could cripple smart home Wi-Fi.” [2]

[Diagram labels: Network Attacker, Victim Server (e.g., Twitter, GitHub), IoT Devices; Network Attacker, Home Wi-Fi, Victim Control Point, Handshake]

[1] http://www.bbc.com/news/technology-37738823
[2] http://www.bbc.com/news/av/technology-41641814/krack-wi-fi-security-flaw-explained

SLIDE 4

Existing Work on Smart Home Security

Flaw Identification

  • Smart locks, smart lights, smart meters, thermostats, wearables
  • ZigBee, Z-Wave, BLE, customized protocols on IEEE 802.15.4
  • Authorization model of IFTTT, permission model of frameworks (e.g. SmartThings)

Security Hardening in System Design and Implementation

  • Secure smart devices from malware, secure BLE IoTs presence
  • Securing home Wi-Fi from malicious control points
  • Securing data from malicious apps on control points, secure platforms

[Diagram labels: Smart Devices, Protocols, Platforms; Application Frameworks, IoT Protocols, Smart Devices]

Security in Integration??

SLIDE 5

Security of Smart Home Integration

▪ Causes of insecurity when integrating a smart home system:

1) Incompatibilities
2) Invalidated assumptions

SLIDE 6

Incompatibilities in Integration (1)

A wide assortment of technologies and devices manufactured by diverse vendors.

[Diagram labels: Bulb, Control Point, Hubs, Bulb, Hub, Smart Devices]

SLIDE 7

Incompatibilities in Integration (2)

E.g. the smart bulb cannot verify the identity of the control point.

[Diagram labels: Hub, Control Point, Authentication: ZigBee touch-link, Authentication: Customized, Bulb, Malicious App on Control Point, Unauthorized control]

SLIDE 8

Invalidated Assumptions

Manufacturers make assumptions to reduce complexity and cost in building smart home systems.

➢ Home Wi-Fi is secure.
➢ Implicit trust in other components in the integrated system.

[Diagram labels: Benign bulb, Benign hub, Benign control app, Malicious hub, Unauthorized control]

SLIDE 9

Our Solution: HomeScan

Extract the abstract specification of application-layer protocols and security-relevant internal behaviours from the implementation, and analyse the security of the specification.

Challenges: Partial availability of the implementations.

  • Source code is unavailable; only executables/libraries provided by the vendors are available.
  • Communication is not clear due to the use of cryptographic protocols.

SLIDE 10

Running Example – Chromecast

[Diagram labels: Chromecast Receiver (CR) plugged into TV’s HDMI port; Control Point (CP); YouTube Server (YS). Channels: HTTPS; Communicate over SSL; Communicate over TLS. Source availability: Have source code; No source code; No source code]

SLIDE 11

Our Approach

Input (Implementation, Initial Knowledge, Test Cases) → Pre-processing

SLIDE 12

Pre-processing

Capture Traces → Extract values → Transactions

E.g. msg between Control Point (CP) and YouTube Server (YS) over HTTPS

Message on trace:

POST https://www.youtube.com/api/lounge/pairing/get_lounge_token_batch HTTP/1.1
Host: www.youtube.com
Chrome/63.0.3239.132 Safari/537.36
screen_ids=fsti0e72vuamj9p8b26h5j08ug

Transaction = ( sender: CP, receiver: YS, channel: Wi-Fi, Message: {“fsti0e72vuamj9p8b26h5j08ug”} )

SLIDE 13

Our Approach

Input (Implementation, Initial Knowledge, Test Cases) → Pre-processing → Transactions → Specification Extraction

SLIDE 14

Specification Extraction

Transactions → Whitebox Analysis, Trace Analysis

SLIDE 15

Specification Extraction

Transactions → Whitebox Analysis, Trace Analysis

Whitebox Analysis inputs: Program, Transaction

Transaction = ( sender: CP, receiver: YS, channel: Wi-Fi, Message: {“fsti0e72vuamj9p8b26h5j08ug”} )

E.g. msg

Program of CP: send(msg); msg = Receive(msg*)

[Diagram labels: Control Point (CP), YouTube Server (YS), Chromecast Receiver; msg over HTTPS; msg* over SSL. Source availability: No source code; Have source code; No source code]

SLIDE 16

1. Known Configuration - (1)

Specification Extraction

Transactions → Whitebox Analysis, Trace Analysis

Trace 1: before reset of CR
Trace 2: after reset of CR

Analyse the difference in the values in msg before and after the reset of CR.

Semantics of the msg = CR’s session identity

[Diagram labels: Chromecast Receiver (CR), Control Point (CP), YouTube Server (YS); msg* over SSL (1); msg over HTTPS (2)]

SLIDE 17

1. Known Configuration - (2)

Specification Extraction

Transactions → Whitebox Analysis, Trace Analysis

Trace 1: before replace of Hub
Trace 2: after replace of Hub

Analyse the difference in “s” before and after the reset of CR.

Semantics of the String “s” = Hub specific value

[Diagram labels: Control Point (CP); HTTP; 1, 2; Philips Hue Bulb, Hub; s; Encrypted]
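
The transaction extraction of slide 12 and the known-configuration differencing of slides 16 and 17, as an added Python example (not code from HomeScan or its authors). Only the URL and the first screen_ids value come from the slides; the req_id and ver fields, the post-reset value and all function names are constructed for illustration.

```python
from typing import NamedTuple
from urllib.parse import parse_qsl

class Transaction(NamedTuple):
    sender: str
    receiver: str
    channel: str
    message: dict  # body field -> value extracted from the captured request

def to_transaction(raw, sender="CP", receiver="YS", channel="Wi-Fi"):
    """Pre-processing: keep the form-encoded body fields of one captured request."""
    _headers, _, body = raw.partition("\n\n")
    return Transaction(sender, receiver, channel, dict(parse_qsl(body.strip())))

def classify_fields(before, after):
    """Compare repeated runs captured before and after one known configuration change."""
    labels = {}
    fields = set().union(*(t.message for t in before + after))
    for name in sorted(fields):
        seen_before = {t.message.get(name) for t in before}
        seen_after = {t.message.get(name) for t in after}
        if len(seen_before) > 1 or len(seen_after) > 1:
            labels[name] = "varies per request"          # not tied to the change
        elif seen_before != seen_after:
            labels[name] = "bound to changed component"  # e.g. CR's session identity
        else:
            labels[name] = "constant"
    return labels

def capture(screen_id, req_id):
    """Constructed capture; req_id and ver are hypothetical fields."""
    return ("POST https://www.youtube.com/api/lounge/pairing/get_lounge_token_batch HTTP/1.1\n"
            "Host: www.youtube.com\n\n"
            f"screen_ids={screen_id}&req_id={req_id}&ver=2")

# Two runs per configuration, so per-request noise is not mistaken for identity.
BEFORE_RESET = [to_transaction(capture("fsti0e72vuamj9p8b26h5j08ug", n)) for n in (1, 2)]
AFTER_RESET = [to_transaction(capture("constructedvalueafterreset", n)) for n in (3, 4)]

if __name__ == "__main__":
    for field, label in classify_fields(BEFORE_RESET, AFTER_RESET).items():
        print(f"{field}: {label}")
```

Capturing more than one run per configuration is what separates a value bound to the reset component from a value that simply changes on every request.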

SLIDE 18

2. Control Command

Specification Extraction

Transactions → Whitebox Analysis, Trace Analysis

E.g. 2

[Diagram labels: Control Point (CP); HTTP; 1, 2; Philips Hue Bulb, Hub; Encrypted; Turn On command over ZigBee. Packet panels: Packet: Turn On, Heartbeat, Data(37) (With Turn On cmd); Packet: Data(37) (Remove Heartbeat)]

SLIDE 19

Specification: LTS Representation

[Diagram: LTS representations of the Chromecast Receiver (CR), Control Point (CP) and YouTube Server (YS)]

SLIDE 20

Our Approach

Input (Implementation, Initial Knowledge, Test Cases) → Pre-processing → Transactions → Specification Extraction → LTS Representation → Flaw Identification → Output: Vulnerabilities

SLIDE 21

Flaw Identification

Inputs: Extracted Participants (LTS Representation, e.g. CP||YS||CR), Attack, Security Properties

SLIDE 22

Attack Models and Security Properties

Malicious Participant

  • Collect information illegally
  • Send unauthorized commands

A Network Attacker

  • Eavesdropping
  • Intercept and modify

Security Properties

  • Data Level: Confidentiality, Integrity
  • Association Level: Authentication
  • Access Level: Authorization

SLIDE 23

Approach

[Diagram labels: Extracted Participants (LTS Representation, e.g. CP||YS||CR), Attack, Security Properties; Model; Execution Rules]

SLIDE 24

Generate the System Model

[Diagram labels: Attack: Malicious CP; Extracted Participants: CR, CP, YS; System Model …]

Init K = {}

SLIDE 25

Approach

[Diagram labels: Extracted Participants (LTS Representation, e.g. CP||YS||CR), Attack, Security Properties; Model; Execution Rules; Verification Algorithm; Output: Vulnerabilities]

SLIDE 26

Flaw Identification

[Diagram labels: Attack Trace; Attack: Malicious CP; Extracted Participants: CR, CP, YS]

bad state: The attacker sent a casting video request to the YS.

Mis-response to discovery request
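
The flaw-identification step of slides 24 to 26, as an added Python example: a breadth-first reachability search from the initial state K = {} to the bad state. This is a simplified constructed model, not HomeScan's verification algorithm or the extracted Chromecast specification; the rule set, the fact names and the hardened variant with a `pairing_secret` are assumptions made for illustration.

```python
from collections import deque

BAD_STATE = "attacker cast request accepted by YS"

def rules(cr_checks_control_point):
    """Each rule: (label, facts required, facts added, event reached)."""
    need_for_reply = {"discovery_sent"}
    if cr_checks_control_point:
        # Hypothetical hardening: CR answers only a CP holding a pairing secret.
        need_for_reply = need_for_reply | {"pairing_secret"}
    return [
        ("malicious CP -> CR: discovery request",
         frozenset(), frozenset({"discovery_sent"}), None),
        ("CR -> malicious CP: screen identity",
         frozenset(need_for_reply), frozenset({"screen_id"}), None),
        ("malicious CP -> YS: cast video request",
         frozenset({"screen_id"}), frozenset(), BAD_STATE),
    ]

def find_attack_trace(rule_set, bad_event, init_k=frozenset()):
    """Return the shortest label sequence that reaches bad_event, or None.

    A state is the set of facts held so far: attacker knowledge K plus
    protocol progress. The search starts from Init K = {}.
    """
    queue = deque([(init_k, [])])
    seen = {init_k}
    while queue:
        facts, trace = queue.popleft()
        for label, required, added, event in rule_set:
            if not required <= facts:
                continue  # rule not enabled in this state
            if event == bad_event:
                return trace + [label]
            successor = facts | added
            if successor not in seen:
                seen.add(successor)
                queue.append((successor, trace + [label]))
    return None

if __name__ == "__main__":
    print("mis-responding CR:", find_attack_trace(rules(False), BAD_STATE))
    print("CR checks the CP: ", find_attack_trace(rules(True), BAD_STATE))
```

With the mis-responding receiver the search returns a three-step attack trace; when the reply is gated on a fact the attacker never holds, the bad state is unreachable and the function returns None.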

SLIDE 27

Evaluation: Vulnerabilities

Vulnerability categories (table columns, in order): Mis-response to Discovery Request; Flawed Authentication Protocol; Lack of Authentication; Use of Insecure Underlying Protocols; Unprotected SD’s Wi-Fi Hotspot; Lack of User or Device Authentication; Vulnerable to Network Traffic Replay; Total

Non-empty cells per system, in column order (the positions of empty cells were lost in extraction):

  • Philips Hue: 2, 1, 1, 1 (Total 5)
  • LIFX: 2, 1, 1 (Total 4)
  • Chromecast: 1, 1, 1 (Total 3)

Total per category: 3, 1, 1, 1, 3, 2, 1 (overall Total 12)

Chromecast, Philips Hue, LIFX:

  • Mis-response to discovery request: allows a malicious control point to obtain the identity of the TV screen and cast a video to the TV.
  • Misuse of ZigBee Light Link protocol: allows a malicious hub to hijack the bulb.
  • Unprotected Wi-Fi hotspot on the bulb: allows a malicious bulb with a fake hotspot to steal the password of the victim’s home Wi-Fi.
  • Lack of device or user authentication: allows a malicious control point to obtain the identity of a private YouTube video of the victim.
  • Lack of control to administration commands: results in uncontrolled authentication.

[Diagram labels: Malicious hub; Initialize ZLL protocol; bulb, hub, control app (Benign System); Hijack the connection; bulb, control app (Benign System Participants); Malicious bulb; Discover and connect with malicious bulb; Send home Wi-Fi credentials]

SLIDE 28

Conclusion and Future Work

Conclusion

  • Propose hybrid techniques to extract the specification of the smart home integration.
  • Analyse the security of the extracted specification using formal verification techniques.
  • Applied the approach to three existing smart home systems.
  • Found twelve vulnerabilities in them.

Future Work

  • Plan to propose new attack models to find vulnerabilities in similar IoT systems.

SLIDE 29

Thank You

Questions?
