sok security evaluation
play

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi - PowerPoint PPT Presentation

Jun 19, 2023 •342 likes •1.12k views

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 Internet of Things 4 Internet of Things 4 Internet of Things

  1. SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1

  2. 2

  3. Alexa, unlock the front door. 3

  4. Internet of Things 4

  5. Internet of Things 4

  6. Internet of Things 4

  7. Internet of Things 4

  8. Internet of Things 4

  9. Internet of Things 4

  10. Internet of Things 4

  11. Internet of Things 4

  12. 5

  13. Prior Work 6

  14. Prior Work • Security Analysis of Emerging Smart Home Applications 6

  15. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands 6

  16. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands • Soteria: Automated IoT Safety and Security Analysis 6

  17. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands • Soteria: Automated IoT Safety and Security Analysis • Skill Squatting Attacks on Amazon Alexa 6

  18. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands • Soteria: Automated IoT Safety and Security Analysis • Skill Squatting Attacks on Amazon Alexa • Rethinking Access Control and Authentication for the Home Internet of Things 6

  19. Wouldn ’ t be nice to know

  20. • Cloud endpoints Wouldn ’ t be nice to know

  21. • Cloud endpoints • Exposed services Wouldn ’ t be nice to know

  22. • Cloud endpoints • Exposed services • Mobile App Wouldn ’ t be nice to know

  23. • Cloud endpoints • Exposed services • Mobile App Wouldn ’ t be nice to • Network know

  24. • Cloud endpoints • Exposed services • Mobile App Wouldn ’ t be nice to • Network know • Consumer report evaluation?

  25. Overview of Prior Work Studied Components Mitigations Unexplored Directions Devices Patching bugs Mobile app Cloud integration services Vendor responsibility Cloud services Network (by association) Network discovery protocols User control and visibility 8

  26. Device Mobile App IoT Components Cloud Endpoints Network 9

  27. Evaluating Off The Shelf Devices 10

  28. Evaluating Off The Shelf Devices • Evaluation of IoT devices should be: • Objective • Transparent • Measurable • Reproducible 10

  29. Evaluating Off The Shelf Devices • Evaluation of IoT devices should be: • Objective • Transparent • Measurable • Reproducible • Device Representation • Media devices vs appliances 10

  30. Evaluating Off The Shelf Devices • Evaluation of IoT devices should be: • Objective • Transparent • Measurable • Reproducible • Device Representation • Media devices vs appliances • Easy to understand • Consumer oriented 10

  31. Lab Setup 11

  32. IoT Lab Evaluation Device 12

  33. IoT Lab Evaluation Device • Internet pairing 12

  34. IoT Lab Evaluation Device • Internet pairing • Configuration 12

  35. IoT Lab Evaluation Device • Internet pairing • Configuration • Updateable 12

  36. IoT Lab Evaluation Device • Internet pairing • Configuration • Updateable • Exposed services 12

  37. IoT Lab Evaluation Device • Internet pairing • Configuration • Updateable • Exposed services • Vulnerable Services 12

  38. IoT Lab Evaluation Device UPnP services RCE vulnerability • Internet pairing CVE-2012-5958-65 Dropbear SSH RCE vulnerability • Configuration CVE-2013-4863 • Updateable • Exposed services • Vulnerable Services 12

  39. IoT Lab Evaluation Cloud Backends 13

  40. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid 13

  41. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version 13

  42. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version • Insecure protocols 13

  43. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version • Insecure protocols • Vulnerable software • Services 13

  44. IoT Lab Evaluation • 12 different backends, 1 st Party Cloud Backends • Supports SSL v2/v3 • CVE-2013-4810 – RCE JBoss Server • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version • Insecure protocols • Vulnerable software • Services 13

  45. IoT Lab Evaluation Mobile App 14

  46. IoT Lab Evaluation Mobile App • Permissions • Requested unused 14

  47. IoT Lab Evaluation Mobile App • Permissions • Requested unused • Programming errors • Incorrect use of crypto 14

  48. IoT Lab Evaluation Mobile App • Permissions • Requested unused • Programming errors • Incorrect use of crypto • Hardcoded secrets • API keys for cloud services 14

  49. IoT Lab Evaluation Mobile App • Permissions • Requested unused • Programming errors • Incorrect use of crypto • Hardcoded secrets • API keys for cloud services • Hardcoded Crypto key • uLi4/f4+Pb39.T19 • UMENG_MESSAGE_SECRET: … 14

  50. IoT Lab Evaluation Network 15

  51. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols 15

  52. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols • Encryption between • Device to Cloud • Device to Mobile App • Mobile App to Cloud 15

  53. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols • Encryption between • Device to Cloud • Device to Mobile App • Mobile App to Cloud • MITM Attack on • Device to Cloud • Device to Mobile App • Mobile App to Cloud 15

  54. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols • Encryption between • Device to Cloud • Device to Mobile App • Mobile App to Cloud • MITM Attack on • Device to Cloud • Partial Encryption Across the Internet • Device to Mobile App • No Encryption on the LAN • Mobile App to Cloud 15

  55. Scoring The Components Scorecard Rating Independent system components scoring Documented Modular 16

  56. Component Framework 17

  57. Component Framework 17

  58. Component Framework 17

  59. Component Framework 17

  60. Component Framework 17

  61. Component Framework 17

  62. Component Framework 17

  63. Component Framework 17

  64. Component Framework 17

  65. Component Framework 17

  66. Component Framework 17

  67. Component Framework 17

  68. Component Framework 17

  69. 18

  70. 18

  71. 19

  72. Evaluation Takeaways 20

  73. Evaluation Takeaways • Cloud managed • Auto update • Encrypted local traffic with authenticated services 20

  74. 21 What's Next?

  75. 21 What's Next? • Longitudinal analysis • Do updates improve the Things?

  76. 21 What's Next? • Longitudinal analysis • Do updates improve the Things? • Accurate representation • Inducing device activities

  77. How Can You Access/Contribute? • Evaluation data is public • Feel free to reach out: • Request specific device evaluation • Sponsor devices for evaluation • Additional questions • Download our data • https://YourThings.info • Contact email: • contact@YourThings.info 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn

Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn

Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 8 Dr Hans Georg Schaathun Security Evaluation Autumn 2008 Week 8 1 / 21 Overview Session objectives Discuss advantages and

436 views • 41 slides
A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler TL;DR SECURITY ANALYSIS FINDINGS TL;DR SECURITY ANALYSIS FIN

908 views • 68 slides
Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A. Jansen, BSc MSc System and Network Engineering Universiteit van Amsterdam July 3, 2018 B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 1 /

286 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0

Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0

Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 22-1 Outline Goals of formal evaluation Trusted Computer Security Evaluation Criteria (TCSEC), 19831999 International Efforts and

1.32k views • 101 slides
Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila,

Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila,

Deep Learning For Embedded Security Evaluation Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila, Eleonora Cagli (CEA LETI), C ecile Dumas (CEA LETI), Houssem Maghrebi (UL), Loic Masure (CEA LETI),

932 views • 71 slides
Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware

Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware

Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware Routing Protocols Security for Clustered Mobile Ad Hoc for Clustered Mobile Ad Hoc Networks Networks Gregory S. Yovanof - - Kerem Kerem Ericsi

1.16k views • 26 slides
SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose,

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose,

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 5 Prior Work Security Analysis of Emerging Smart Home

592 views • 22 slides
Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Omar Alrawi Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech We specialize in Network Security Measurements Work is presented on behalf of my team Omar Alrawi PhD Student (me) About

340 views • 33 slides
User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation When does UI evaluation happen? Design Testing and Implementation Development evaluation Testing 2 CS 349 - UI evaluation Types of tests

820 views • 20 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When

Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When

Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When to evaluate Systems What kinds of evaluation are possible Predictive evaluations Robert Villa Traditional user experiments

551 views • 10 slides
A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

[ICCSA 2004] 2004] [ICCSA A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation Criteria for Side Channel Attacks Side Channel Attacks Presented at the workshop ICCSA ICCSA 200 2004 4, ,

404 views • 26 slides
Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing local network and Internet access for IoT devices Cloud-managed network-access authoriza=on Bootstrapping security between device and cloud

328 views • 20 slides
Outline 1 Organisation Context M oise + 2 Reorganisation Group Phases 3 Programming with

Outline 1 Organisation Context M oise + 2 Reorganisation Group Phases 3 Programming with

Organisation Reorganisation Programming with (re)organisation Programming MAS reorganisation with M oise + ubner 1 Olivier Boissier 2 Jaime S. Sichman 3 Jomi F. H 1 Department of Computer Science University of Blumenau 2 Multi-Agent Systems

659 views • 50 slides
Public Goods, Bounded Attention Spans and Equilibrium in the Internet Economy John P. Conley

Public Goods, Bounded Attention Spans and Equilibrium in the Internet Economy John P. Conley

Public Goods, Bounded Attention Spans and Equilibrium in the Internet Economy John P. Conley Vanderbilt University Paul J. Healy Ohio State University SWET14 - Paris - June 2014 1 Introduction The only justification for thinking about

586 views • 43 slides
Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike

Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike

Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike Curtis, Kapil Arya, Dan Osborne, Connor Doyle, Niklas Nielsen, Tarak Parekh, Alex Pollitt The State of Mesos Networking Containers share the slave

285 views • 25 slides
Aging in Place with an Internet of Things CCC Aging in Place Workshop

Aging in Place with an Internet of Things CCC Aging in Place Workshop

Images: Clker.com, Junklads.com Aging in Place with an Internet of Things CCC Aging in Place Workshop September, 2014 Howard Wactlar Computer Science Department Carnegie

279 views • 11 slides
Clusters Running Hadoop Dr. Renato Figueiredo ACIS Lab - University of Florida Advanced

Clusters Running Hadoop Dr. Renato Figueiredo ACIS Lab - University of Florida Advanced

Plug-and-play Virtual Appliance Clusters Running Hadoop Dr. Renato Figueiredo ACIS Lab - University of Florida Advanced Computing and Information Systems laboratory Introduction You have so far learned about how to use Hadoop clusters

642 views • 45 slides
An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit,

An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit,

An Internet-Wide View of ICS Devices A. Mirian, Zane Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. Halderman, M. Bailey Industrial Control Systems (ICS) Operational control and monitoring for

729 views • 37 slides
Chapter 5 Local Area Networks Computer Concepts 2013 5 Chapter Contents Section A: Network

Chapter 5 Local Area Networks Computer Concepts 2013 5 Chapter Contents Section A: Network

13-10-11 Chapter 5 Local Area Networks Computer Concepts 2013 5 Chapter Contents Section A: Network Building Blocks Section B: Wired and Wireless Technologies Section C: Network Setup Section D: Sharing Files Section

357 views • 16 slides

More recommend