
HomeScan: Scrutinizing Implementations of Smart Home Integrations (ICECCS'18, 12 December 2018)



  1. HomeScan: Scrutinizing Implementations of Smart Home Integrations. ICECCS'18, 12 December 2018. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang

  2. Background: IoT-enhanced smart home is getting popular.
     [1] https://www.statista.com/study/42112/smart-home-report/
     [2] https://www.juniperresearch.com/press/press-releases/smart-home-revenues-to-reach-$100-billion-by-2020

  3. Smart Home Vulnerable to Attacks!
     - 2016: “The biggest DDoS attack in history powered by 150,000 hacked IoT devices.” [1] (Diagram: network attacker, IoT devices, victim server, e.g., Twitter, GitHub)
     - 2017: “KRACK, the attack on WPA2 protocol could cripple smart home Wi-Fi.” [2] (Diagram: network attacker, handshake, victim control point, home Wi-Fi)
     [1] http://www.bbc.com/news/technology-37738823
     [2] http://www.bbc.com/news/av/technology-41641814/krack-wi-fi-security-flaw-explained

  4. Existing Work on Smart Home Security
     Two kinds of work: flaw identification, and security hardening in system design and implementation.
     - Platforms. Flaw identification: application frameworks (authorization model of IFTTT, permission model of frameworks, e.g. SmartThings). Hardening: securing data from malicious apps on control points, secure platforms.
     - Protocols. Flaw identification: IoT protocols (ZigBee, Z-Wave, BLE, customized protocols on IEEE 802.15.4). Hardening: securing home Wi-Fi from malicious control points.
     - Smart Devices. Flaw identification: smart devices (smart locks, smart lights, smart presence meters, thermostats, wearables). Hardening: secure smart devices from malware, secure BLE IoTs.
     - Security in Integration: ??

  5. Security of Smart Home Integration
     Causes of insecurity when integrating a smart home system:
     1) Incompatibilities
     2) Invalidated assumptions

  6. Incompatibilities in Integration (1): Wide assortments of technologies and devices manufactured by diverse vendors. (Diagram: smart devices (bulbs), hubs, control point)

  7. Incompatibilities in Integration (2): E.g. a smart bulb cannot verify the identity of the control point. (Diagram labels: control point, malicious app on control point, unauthorized control, bulb, hub, authentication: ZigBee touch-link, authentication: customized)

  8. Invalidated Assumptions: Manufacturers make assumptions to reduce complexity and cost in building smart home systems.
     - Home Wi-Fi is secure.
     - Implicit trust in other components in the integrated system.
     (Diagram: benign bulb, benign hub, benign control app, malicious hub, unauthorized control)

  9. Our Solution: HomeScan. Extract the abstract specification of application-layer protocols and security-relevant internal behaviours from the implementation, and analyse the security of the specification.
     Challenges:
     - Partial availability of the implementations: source code is unavailable, and only the executables/libraries provided by the vendors are available.
     - Communication is not clear due to the use of cryptographic protocols.

  10. Running Example – Chromecast
      (Diagram: Control Point (CP), have source code; YouTube Server (YS), no source code; Chromecast Receiver (CR), plugged into TV's HDMI port, no source code. Link labels: HTTPS, communicate over SSL, communicate over TLS.)

  11. Our Approach (Diagram: Input (Initial Knowledge, Implementation, Test Cases) -> Pre-processing)

  12. Pre-processing: capture traces -> extract values -> transactions.
      E.g. msg, an HTTPS message on the trace between Control Point (CP) and YouTube Server (YS):
          POST https://www.youtube.com/api/lounge/pairing/get_lounge_token_batch HTTP/1.1
          Host: www.youtube.com
          Chrome/63.0.3239.132 Safari/537.36
          screen_ids=fsti0e72vuamj9p8b26h5j08ug
      Transaction = (sender: CP, receiver: YS, channel: Wi-Fi, Message: {“fsti0e72vuamj9p8b26h5j08ug”})

  13. Our Approach (Diagram: Input (Initial Knowledge, Implementation, Test Cases) -> Pre-processing -> Transactions -> Specification Extraction)

  14. Specification Extraction (Diagram: Transactions -> Whitebox Analysis, Trace Analysis)

  15. Specification Extraction: Whitebox Analysis (input: program) and Trace Analysis (input: transactions).
      E.g. msg: in the program of CP (have source code), msg = Receive(msg*) takes msg* from the Chromecast Receiver (no source code) over SSL, and send(msg) sends msg to the YouTube Server (YS, no source code) over HTTPS.
      Transaction = (sender: CP, receiver: YS, channel: Wi-Fi, Message: {“fsti0e72vuamj9p8b26h5j08ug”})

  16. Specification Extraction: Trace Analysis of transactions. 1. Known Configuration - (1)
      (Diagram: Chromecast Receiver (CR), msg* over SSL, Control Point (CP), msg over HTTPS, YouTube Server (YS))
      Trace 1: before reset of CR. Trace 2: after reset of CR.
      Analyse the difference in the values in msg before and after the reset of CR.
      Semantics of the msg = CR’s session identity

  17. Specification Extraction: Trace Analysis of transactions. 1. Known Configuration - (2)
      (Diagram: Philips Hue bulb, hub, Control Point (CP); string “s” carried over encrypted HTTP)
      Trace 1: before replace of Hub. Trace 2: after replace of Hub.
      Analyse the difference in “s” before and after the reset of CR.
      Semantics of the string “s” = Hub specific value

  18. Specification Extraction: Trace Analysis of transactions. 2. Control
      E.g. 2: Turn On command. (Diagram: Philips Hue bulb, hub, Control Point (CP); encrypted HTTP)
      Capture 1: heartbeat. Capture 2: with Turn On cmd. Remove heartbeat -> packet Data(37) = Turn On command over Zigbee.

  19. Specification: LTS Representation (Diagram: LTSs of Chromecast Receiver (CR), Control Point (CP) and YouTube Server (YS))

  20. Our Approach (Diagram: Input (Initial Knowledge, Implementation, Test Cases) -> Pre-processing -> Transactions -> Specification Extraction -> LTS Representation -> Flaw Identification -> Output: Vulnerabilities)

  21. Flaw Identification (Inputs: LTS representation; extracted participants, e.g. CP||YS||CR; attack; security properties)

  22. Attack Models and Security Properties
      Attack models:
      - Network attacker: eavesdropping; intercept and modify.
      - Malicious participant: collect information illegally; send unauthorized commands.
      Security properties:
      - Data level: confidentiality, integrity
      - Association level: authentication
      - Access level: authorization

  23. Approach (Diagram: LTS representation; extracted participants, e.g. CP||YS||CR; attack; security properties -> execution rules -> model)

  24. Generate the System Model (Diagram: extracted participants CR, CP, YS and attack (malicious CP) -> system model; Init K = {} …)

  25. Approach (Diagram: LTS representation; extracted participants, e.g. CP||YS||CR; attack; security properties -> execution rules -> model -> verification algorithm -> Output: vulnerabilities)

  26. Flaw Identification (Diagram: extracted participants CR, CP, YS; attack: malicious CP)
      Mis-response to discovery request.
      Attack trace -> bad state: The attacker sent a casting video request to the YS.

  27. Evaluation: Vulnerabilities

      | Vulnerability | Mis-response to Discovery Request | Flawed Authentication Protocol | Lack of Authentication | Use of Insecure Underlying Protocols | Unprotected SD’s Wi-Fi Hotspot | Lack of User or Device Authentication | Vulnerable to Network Traffic Replay | Total |
      |---|---|---|---|---|---|---|---|---|
      | Philips Hue | 2 | 1 | 1 | 1 | 0 | 0 | 0 | 5 |
      | LIFX | 0 | 0 | 0 | 0 | 2 | 1 | 1 | 4 |
      | Chromecast | 1 | 0 | 0 | 0 | 1 | 1 | 0 | 3 |
      | Total | 3 | 1 | 1 | 1 | 3 | 2 | 1 | 12 |

      Chromecast:
      - Mis-response to discovery request: allows a malicious control point to obtain the identity of the TV screen and casting a video to the TV.
      - Lack of device or user authentication: allows a malicious control point to obtain the identity of a private YouTube video of the victim.
      Philips Hue:
      - Misuse of ZigBee Light Link protocol: allows a malicious hub to hijack the bulb. (Diagram: benign system of bulb, hub and control app; malicious hub; initialize ZLL protocol; hijack the connection)
      - Lack of control to administration commands: results in uncontrolled authentication.
      LIFX:
      - Unprotected Wi-Fi hotspot on the bulb: allows a malicious bulb with a fake hotspot to steal the password of the victim’s home Wi-Fi. (Diagram: benign system of bulb and control app; malicious bulb; discover and connect with malicious bulb; send home Wi-Fi credentials)

  28. Conclusion and Future Work
      Conclusion:
      - Proposed hybrid techniques to extract the specification of the smart home integration.
      - Analysed the security of the extracted specification using formal verification techniques.
      - Applied the approach to three existing smart home systems.
      - Found twelve vulnerabilities in them.
      Future Work:
      - Plan to propose new attack models to find vulnerabilities in similar IoT systems.

  29. Thank You. Questions?

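The pre-processing and trace-analysis steps of slides 12 and 16, as an added Python example that is not HomeScan's own code: it turns captured requests into transaction tuples and reports the fields whose value changes across a reset of one component. It goes slightly beyond the slides by using two requests per trace so that per-request values are filtered out; the `rid` and `ver` fields and the post-reset `screen_ids` value are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl

@dataclass(frozen=True)
class Transaction:
    sender: str
    receiver: str
    channel: str
    message: tuple  # (field, value) pairs taken from the request body

def to_transaction(raw, sender, receiver, channel="Wi-Fi"):
    """Turn one captured HTTP request into a transaction tuple."""
    _head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = tuple(parse_qsl(body.strip(), keep_blank_values=True))
    return Transaction(sender, receiver, channel, fields)

def stable_fields(transactions):
    """Fields that carry the same value in every transaction of one trace."""
    seen = {}
    for t in transactions:
        for name, value in t.message:
            seen.setdefault(name, set()).add(value)
    return {n: next(iter(v)) for n, v in seen.items() if len(v) == 1}

def reset_bound_fields(before, after):
    """Fields stable inside each trace whose value differs across the reset."""
    b, a = stable_fields(before), stable_fields(after)
    return {n: (b[n], a[n]) for n in b.keys() & a.keys() if b[n] != a[n]}

# Constructed sample traces. Only the URL, host and first screen_ids value
# come from the slide; rid, ver and the post-reset value are made up.
def _request(body):
    return ("POST https://www.youtube.com/api/lounge/pairing/"
            "get_lounge_token_batch HTTP/1.1\r\n"
            "Host: www.youtube.com\r\n\r\n" + body)

TRACE_1 = [to_transaction(_request(b), "CP", "YS") for b in (
    "screen_ids=fsti0e72vuamj9p8b26h5j08ug&rid=1001&ver=8",
    "screen_ids=fsti0e72vuamj9p8b26h5j08ug&rid=1002&ver=8")]
TRACE_2 = [to_transaction(_request(b), "CP", "YS") for b in (
    "screen_ids=constructed0after0reset&rid=1003&ver=8",
    "screen_ids=constructed0after0reset&rid=1004&ver=8")]

if __name__ == "__main__":
    for name, (old, new) in reset_bound_fields(TRACE_1, TRACE_2).items():
        print(f"{name}: {old} -> {new}  (bound to the reset component)")
```

Only `screen_ids` is reported: `ver` never changes and `rid` changes on every request, so neither is tied to the reset of the receiver.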
