sok security evaluation of home based iot deployments
play

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi - PowerPoint PPT Presentation

Sep 17, 2023 •357 likes •592 views

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 5 Prior Work Security Analysis of Emerging Smart Home

  1. SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1

  2. 2

  3. Alexa, unlock the front door. 3

  4. Internet of Things 4

  5. 5

  6. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands • Soteria: Automated IoT Safety and Security Analysis • Skill Squatting Attacks on Amazon Alexa • Rethinking Access Control and Authentication for the Home Internet of Things 6

  7. • Cloud endpoints • Exposed services • Mobile App Wouldn’t be nice to • Network know • Consumer report evaluation? 7

  8. Overview of Prior Work Studied Components Mitigations Unexplored Directions Devices Patching bugs Mobile app Cloud integration services Vendor responsibility Cloud services Network (by association) Network discovery protocols User control and visibility 8

  9. Device Mobile App IoT Components Cloud Endpoints Network 9

  10. Evaluating Off The Shelf Devices • Evaluation of IoT devices should be: • Objective • Transparent • Measurable • Reproducible • Device Representation • Media devices vs appliances • Easy to understand • Consumer oriented 10

  11. Lab Setup 11

  12. IoT Lab Evaluation Device UPnP services RCE vulnerability • Internet pairing CVE-2012-5958-65 Dropbear SSH RCE vulnerability • Configuration CVE-2013-4863 • Updateable • Exposed services • Vulnerable Services 12

  13. IoT Lab Evaluation • 12 different backends, 1 st Party Cloud Backends • Supports SSL v2/v3 • CVE-2013-4810 – RCE JBoss Server • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version • Insecure protocols • Vulnerable software • Services 13

  14. IoT Lab Evaluation Mobile App • Permissions • Requested unused • Programming errors • Incorrect use of crypto • Hardcoded secrets • API keys for cloud services • Hardcoded Crypto key • uLi4/f4+Pb39.T19 • UMENG_MESSAGE_SECRET: … 14

  15. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols • Encryption between • Device to Cloud • Device to Mobile App • Mobile App to Cloud • MITM Attack on • Device to Cloud • Partial Encryption Across the Internet • Device to Mobile App • No Encryption on the LAN • Mobile App to Cloud 15

  16. Scoring The Components Scorecard Rating Independent system components scoring Documented Modular 16

  17. Component Framework 17

  18. 18

  19. 19

  20. Evaluation Takeaways • Cloud managed • Auto update • Encrypted local traffic with authenticated services 20

  21. 21 What's Next? • Longitudinal analysis • Do updates improve the Things? • Accurate representation • Inducing device activities

  22. How Can You Access/Contribute? • Evaluation data is public • Feel free to reach out: • Request specific device evaluation • Sponsor devices for evaluation • Additional questions • Download our data • https://YourThings.info • Contact email: • contact@YourThings.info 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Omar Alrawi Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech We specialize in Network Security Measurements Work is presented on behalf of my team Omar Alrawi PhD Student (me) About

340 views • 33 slides
SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 Internet of Things 4 Internet of Things 4 Internet of Things

1.12k views • 77 slides
IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
Cognitive Radio and Networks in coalition deployments through the dual use of IEEE 802.11h

Cognitive Radio and Networks in coalition deployments through the dual use of IEEE 802.11h

Cognitive Radio and Networks in coalition deployments through the dual use of IEEE 802.11h Lorenza Giupponi, Jos Nuez, Iaki Pascual, Josep Mangues Workshop on Network Performance Evaluation, Seattle, 17 of June 2016 1 Outline

585 views • 33 slides
US Federal IPv6 Deployments ION San Diego 11 Dec, 2012

US Federal IPv6 Deployments ION San Diego 11 Dec, 2012

US Federal IPv6 Deployments ION San Diego 11 Dec, 2012 San Diego, CA Ron Broersma DREN Chief Engineer SPAWAR Network Security Manager Federal

459 views • 9 slides
Home Security and Automation On The Road And At Home Eric McHenry (#2242) Region 12 // Greater

Home Security and Automation On The Road And At Home Eric McHenry (#2242) Region 12 // Greater

Home Security and Automation On The Road And At Home Eric McHenry (#2242) Region 12 // Greater Bay Area Airstream Club eric.mchenry@airstreamclub.net Topics Security and automation objectives Traditional vs. emerging home security and

594 views • 31 slides
Health Starts at Home Evaluation Findings from the First Six Months of Follow-up February 25,

Health Starts at Home Evaluation Findings from the First Six Months of Follow-up February 25,

Health Starts at Home Evaluation Findings from the First Six Months of Follow-up February 25, 2020 Evaluation Background Collaborative evaluation development during the planning phase The Boston Foundation Urban Institute

524 views • 17 slides
Home Office Security and Productivity Gary Micander Sierra Computer Group Cybersecurity at

Home Office Security and Productivity Gary Micander Sierra Computer Group Cybersecurity at

Home Office Security and Productivity Gary Micander Sierra Computer Group Cybersecurity at Home Topics WiFi Optimization and Home Networking Creating a productive Home Office Cybersecurity at Home How secure is your WFH setup? Do you

495 views • 21 slides
Nebraskas State Transition Plan Plan Home and Community Home and Community-Based Based

Nebraskas State Transition Plan Plan Home and Community Home and Community-Based Based

Nebraskas State Transition Plan Plan Home and Community Home and Community-Based Based Service Services Governor Pete Ricketts Vision: Priorities: We Value: Grow Nebraska Efficiency and Effectiveness The Taxpayer

397 views • 17 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Home is Where Your Phone is: Usability Evaluation of Mobile Phone UI for a Smart Home Tiiu

Home is Where Your Phone is: Usability Evaluation of Mobile Phone UI for a Smart Home Tiiu

Home is Where Your Phone is: Usability Evaluation of Mobile Phone UI for a Smart Home Tiiu Koskela, Kaisa Vnnen-Vainio-Mattila & Lauri Lehti Tampere University of Technology Tiiu.Koort@nokia.com Kaisa.Vaananen-Vainio-Mattila@tut.fi

312 views • 5 slides
Incentives for Home and Community Based Care Under the Affordable Care Act Implications for

Incentives for Home and Community Based Care Under the Affordable Care Act Implications for

Incentives for Home and Community Based Care Under the Affordable Care Act Implications for Supplemental Security Income Receipt Mary K. Hamman, University of Wisconsin-La Crosse Brooke Helppie-McFall, University of Michigan Daniela

746 views • 27 slides
Attacking Kerberos Deployments Breaking the Intranet Rachel Engel, Brad Hill and Scott Stender

Attacking Kerberos Deployments Breaking the Intranet Rachel Engel, Brad Hill and Scott Stender

Attacking Kerberos Deployments Breaking the Intranet Rachel Engel, Brad Hill and Scott Stender Black Hat USA 2010 https://www.isecpartners.com About Us Who are you? Security Consultants at iSEC Partners Work in our application

713 views • 53 slides
Safe at Home ANROWS Project 3.1: National mapping and meta -evaluation outlining key

Safe at Home ANROWS Project 3.1: National mapping and meta -evaluation outlining key

Safe at Home ANROWS Project 3.1: National mapping and meta -evaluation outlining key features of effective safe at home programs that enhance safety and prevent homelessness Associate Professor Jan Breckenridge, Convener

330 views • 22 slides
How much will the platform learn about consumers in the end? \begin{theorem} In the long run,

How much will the platform learn about consumers in the end? \begin{theorem} In the long run,

Dynamic Privacy Choices (Shota Ichihashi, Bank of Canada) In each period Activity produces Consumer data on persistent type uses platform Platform monetizes info Privacy cost (e.g., data leakage) How much will the

412 views • 4 slides
GJGNY Advisory Council Meeting May 13, 2016 2 Principles Three principles need to be

GJGNY Advisory Council Meeting May 13, 2016 2 Principles Three principles need to be

GJGNY Advisory Council Meeting May 13, 2016 2 Principles Three principles need to be maintained. The program should: Preserve On-Bill Recovery loans Preserve access to funding for all market segments Focus attention on access

372 views • 8 slides
Set 5: Perl and Database Connections Assumptions You know Perl Well review Can use

Set 5: Perl and Database Connections Assumptions You know Perl Well review Can use

IT452 Advanced Web and Internet Systems Set 5: Perl and Database Connections Assumptions You know Perl Well review Can use PHP instead (maybe??) You know how to use SQL Help to be provided 1 Perl Basics Scalar

578 views • 8 slides
Meromorphic connections and the Stokes groupoids Brent Pym (Oxford) Based on arXiv:1305.7288 (

Meromorphic connections and the Stokes groupoids Brent Pym (Oxford) Based on arXiv:1305.7288 (

Meromorphic connections and the Stokes groupoids Brent Pym (Oxford) Based on arXiv:1305.7288 ( Crelle 2015) with Marco Gualtieri and Songhao Li 1 / 34 Warmup Exercise Find the flat sections of the connection 1 dz z = d 0

846 views • 38 slides
Engineering Privacy By Design Seda Grses COSIC, ESAT K.U. Leuven Belgium 1 Outline -

Engineering Privacy By Design Seda Grses COSIC, ESAT K.U. Leuven Belgium 1 Outline -

Engineering Privacy By Design Seda Grses COSIC, ESAT K.U. Leuven Belgium 1 Outline - Introduction and Approach - Privacy Requirements Definition Problem - Privacy Requirements Analysis Problem - Policy and Compliance - Privacy By Design -

1.48k views • 63 slides
CRITICAL INFORMATICS Our stuff keeps your stuff from becoming their stuff CRITICAL INFORMATICS

CRITICAL INFORMATICS Our stuff keeps your stuff from becoming their stuff CRITICAL INFORMATICS

CRITICAL INFORMATICS www.criticalinformatics.com January 31, 2018 CRITICAL INFORMATICS Our stuff keeps your stuff from becoming their stuff CRITICAL INFORMATICS www.criticalinformatics.com Page 2 UW UW T Tec ech h Co Conn nnec ect

585 views • 21 slides
How to change the world with content strategy a Contentious workshop Laura Robertson @laurazoee

How to change the world with content strategy a Contentious workshop Laura Robertson @laurazoee

How to change the world with content strategy a Contentious workshop Laura Robertson @laurazoee Julius Honnor @juliushonnor contentious.ltd What will we be covering during the day? 1. What is good content? Good content... Why doesnt it

824 views • 67 slides
How to get the most out of T A R A M A I T R I Who are you? I am Tara Parashar, the ethical

How to get the most out of T A R A M A I T R I Who are you? I am Tara Parashar, the ethical

How to get the most out of T A R A M A I T R I Who are you? I am Tara Parashar, the ethical digital marketing strategist. These days I go by Tara Maitr. Maitr is a Buddhist word meaning 'compassion'. I structure all of my work around

986 views • 64 slides

More recommend