sok security evaluation
play

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi - PowerPoint PPT Presentation

Jun 19, 2023 •342 likes •1.12k views

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 Internet of Things 4 Internet of Things 4 Internet of Things

  1. SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1

  2. 2

  3. Alexa, unlock the front door. 3

  4. Internet of Things 4

  5. Internet of Things 4

  6. Internet of Things 4

  7. Internet of Things 4

  8. Internet of Things 4

  9. Internet of Things 4

  10. Internet of Things 4

  11. Internet of Things 4

  12. 5

  13. Prior Work 6

  14. Prior Work • Security Analysis of Emerging Smart Home Applications 6

  15. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands 6

  16. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands • Soteria: Automated IoT Safety and Security Analysis 6

  17. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands • Soteria: Automated IoT Safety and Security Analysis • Skill Squatting Attacks on Amazon Alexa 6

  18. Prior Work • Security Analysis of Emerging Smart Home Applications • DolphinAttack: Inaudible Voice Commands • Soteria: Automated IoT Safety and Security Analysis • Skill Squatting Attacks on Amazon Alexa • Rethinking Access Control and Authentication for the Home Internet of Things 6

  19. Wouldn ’ t be nice to know

  20. • Cloud endpoints Wouldn ’ t be nice to know

  21. • Cloud endpoints • Exposed services Wouldn ’ t be nice to know

  22. • Cloud endpoints • Exposed services • Mobile App Wouldn ’ t be nice to know

  23. • Cloud endpoints • Exposed services • Mobile App Wouldn ’ t be nice to • Network know

  24. • Cloud endpoints • Exposed services • Mobile App Wouldn ’ t be nice to • Network know • Consumer report evaluation?

  25. Overview of Prior Work Studied Components Mitigations Unexplored Directions Devices Patching bugs Mobile app Cloud integration services Vendor responsibility Cloud services Network (by association) Network discovery protocols User control and visibility 8

  26. Device Mobile App IoT Components Cloud Endpoints Network 9

  27. Evaluating Off The Shelf Devices 10

  28. Evaluating Off The Shelf Devices • Evaluation of IoT devices should be: • Objective • Transparent • Measurable • Reproducible 10

  29. Evaluating Off The Shelf Devices • Evaluation of IoT devices should be: • Objective • Transparent • Measurable • Reproducible • Device Representation • Media devices vs appliances 10

  30. Evaluating Off The Shelf Devices • Evaluation of IoT devices should be: • Objective • Transparent • Measurable • Reproducible • Device Representation • Media devices vs appliances • Easy to understand • Consumer oriented 10

  31. Lab Setup 11

  32. IoT Lab Evaluation Device 12

  33. IoT Lab Evaluation Device • Internet pairing 12

  34. IoT Lab Evaluation Device • Internet pairing • Configuration 12

  35. IoT Lab Evaluation Device • Internet pairing • Configuration • Updateable 12

  36. IoT Lab Evaluation Device • Internet pairing • Configuration • Updateable • Exposed services 12

  37. IoT Lab Evaluation Device • Internet pairing • Configuration • Updateable • Exposed services • Vulnerable Services 12

  38. IoT Lab Evaluation Device UPnP services RCE vulnerability • Internet pairing CVE-2012-5958-65 Dropbear SSH RCE vulnerability • Configuration CVE-2013-4863 • Updateable • Exposed services • Vulnerable Services 12

  39. IoT Lab Evaluation Cloud Backends 13

  40. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid 13

  41. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version 13

  42. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version • Insecure protocols 13

  43. IoT Lab Evaluation Cloud Backends • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version • Insecure protocols • Vulnerable software • Services 13

  44. IoT Lab Evaluation • 12 different backends, 1 st Party Cloud Backends • Supports SSL v2/v3 • CVE-2013-4810 – RCE JBoss Server • Types of cloud backends • 1 st , 3 rd , or hybrid • TLS/SSL • Self-signed • Name mismatch • Vulnerable TLS/SSL version • Insecure protocols • Vulnerable software • Services 13

  45. IoT Lab Evaluation Mobile App 14

  46. IoT Lab Evaluation Mobile App • Permissions • Requested unused 14

  47. IoT Lab Evaluation Mobile App • Permissions • Requested unused • Programming errors • Incorrect use of crypto 14

  48. IoT Lab Evaluation Mobile App • Permissions • Requested unused • Programming errors • Incorrect use of crypto • Hardcoded secrets • API keys for cloud services 14

  49. IoT Lab Evaluation Mobile App • Permissions • Requested unused • Programming errors • Incorrect use of crypto • Hardcoded secrets • API keys for cloud services • Hardcoded Crypto key • uLi4/f4+Pb39.T19 • UMENG_MESSAGE_SECRET: … 14

  50. IoT Lab Evaluation Network 15

  51. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols 15

  52. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols • Encryption between • Device to Cloud • Device to Mobile App • Mobile App to Cloud 15

  53. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols • Encryption between • Device to Cloud • Device to Mobile App • Mobile App to Cloud • MITM Attack on • Device to Cloud • Device to Mobile App • Mobile App to Cloud 15

  54. IoT Lab Evaluation Network • Protocols in use • Insecure Protocols • Custom Protocols • Encryption between • Device to Cloud • Device to Mobile App • Mobile App to Cloud • MITM Attack on • Device to Cloud • Partial Encryption Across the Internet • Device to Mobile App • No Encryption on the LAN • Mobile App to Cloud 15

  55. Scoring The Components Scorecard Rating Independent system components scoring Documented Modular 16

  56. Component Framework 17

  57. Component Framework 17

  58. Component Framework 17

  59. Component Framework 17

  60. Component Framework 17

  61. Component Framework 17

  62. Component Framework 17

  63. Component Framework 17

  64. Component Framework 17

  65. Component Framework 17

  66. Component Framework 17

  67. Component Framework 17

  68. Component Framework 17

  69. 18

  70. 18

  71. 19

  72. Evaluation Takeaways 20

  73. Evaluation Takeaways • Cloud managed • Auto update • Encrypted local traffic with authenticated services 20

  74. 21 What's Next?

  75. 21 What's Next? • Longitudinal analysis • Do updates improve the Things?

  76. 21 What's Next? • Longitudinal analysis • Do updates improve the Things? • Accurate representation • Inducing device activities

  77. How Can You Access/Contribute? • Evaluation data is public • Feel free to reach out: • Request specific device evaluation • Sponsor devices for evaluation • Additional questions • Download our data • https://YourThings.info • Contact email: • contact@YourThings.info 22

Recommend

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn

Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn

Security Evaluation CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 8 Dr Hans Georg Schaathun Security Evaluation Autumn 2008 Week 8 1 / 21 Overview Session objectives Discuss advantages and

436 views • 41 slides
A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi

A Security Evaluation of Industrial Radio Remote Controllers Federico Maggi, Marco Balduzzi Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, and Rainer Vosseler TL;DR SECURITY ANALYSIS FINDINGS TL;DR SECURITY ANALYSIS FIN

908 views • 68 slides
Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A. Jansen, BSc MSc System and Network Engineering Universiteit van Amsterdam July 3, 2018 B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 1 /

286 views • 15 slides
Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Formal Analysis of the Entropy / Security Trade-off in First-Order Masking Countermeasures

Introduction RSM: Rotating Sboxes Masking Information Theoretic Evaluation of RSM Security Evaluation of RSM against CPA and 2O-CPA Conclusions and Perspectives Formal Analysis of the Entropy / Security Trade-off in First-Order Masking

539 views • 38 slides
Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0

Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0

Evaluating Systems Chapter 22 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 22-1 Outline Goals of formal evaluation Trusted Computer Security Evaluation Criteria (TCSEC), 19831999 International Efforts and

1.32k views • 101 slides
Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila,

Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila,

Deep Learning For Embedded Security Evaluation Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint work with Ryad Benadjila, Eleonora Cagli (CEA LETI), C ecile Dumas (CEA LETI), Houssem Maghrebi (UL), Loic Masure (CEA LETI),

932 views • 71 slides
Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware

Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware

Performance Evaluation of Performance Evaluation of Security- -Aware Routing Protocols Aware Routing Protocols Security for Clustered Mobile Ad Hoc for Clustered Mobile Ad Hoc Networks Networks Gregory S. Yovanof - - Kerem Kerem Ericsi

1.16k views • 26 slides
SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose,

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose,

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 5 Prior Work Security Analysis of Emerging Smart Home

592 views • 22 slides
Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech

Omar Alrawi Security Evaluation of Home-based IoT Deployments Astrolavos Research Lab at Georgia Tech We specialize in Network Security Measurements Work is presented on behalf of my team Omar Alrawi PhD Student (me) About

340 views • 33 slides
User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation When does UI evaluation happen? Design Testing and Implementation Development evaluation Testing 2 CS 349 - UI evaluation Types of tests

820 views • 20 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When

Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When

Evaluation DEMMS: Evaluation of Multimedia What are the Evaluation lectures about: When to evaluate Systems What kinds of evaluation are possible Predictive evaluations Robert Villa Traditional user experiments

551 views • 10 slides
A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation

[ICCSA 2004] 2004] [ICCSA A Study on Smart Card Security A Study on Smart Card Security Evaluation Criteria for Evaluation Criteria for Side Channel Attacks Side Channel Attacks Presented at the workshop ICCSA ICCSA 200 2004 4, ,

404 views • 26 slides
Cyber Security Evaluation for Nuclear I&C Systems Corresponding to V-Model Jiye Jeong ,

Cyber Security Evaluation for Nuclear I&C Systems Corresponding to V-Model Jiye Jeong ,

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Cyber Security Evaluation for Nuclear I&C Systems Corresponding to V-Model Jiye Jeong , Gyunyoung Heo Department of Nuclear Engineering, Kyung Hee

399 views • 3 slides
A Security Evaluation of AIS Automated Identification System Marco Balduzzi, Kyle Wilhoit

A Security Evaluation of AIS Automated Identification System Marco Balduzzi, Kyle Wilhoit

A Security Evaluation of AIS Automated Identification System Marco Balduzzi, Kyle Wilhoit @ Trend Micro Research Alessandro Pasta @ Independent Researcher {name_surname}@trendmicro.com 12/12/2014, New

993 views • 42 slides
HECTOS Harmonized Evaluation, Certification and Testing of Security Products Coordinator: FOI

HECTOS Harmonized Evaluation, Certification and Testing of Security Products Coordinator: FOI

HECTOS Harmonized Evaluation, Certification and Testing of Security Products Coordinator: FOI HECTOS at a glance HECTOS is a project under the EUs seventh framework (FP7) September 2014 August 2017 (3 years) Total: 287 PM, 3.5 M

301 views • 9 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
I nform ation security in health care Evaluation w ith health professionals Robin Krens, Utrecht

I nform ation security in health care Evaluation w ith health professionals Robin Krens, Utrecht

I nform ation security in health care Evaluation w ith health professionals Robin Krens, Utrecht University Marco Spruit, Utrecht University Nathalie Urbanus-van Laar, UMC Utrecht 1 Agenda Introduction to information security Research

357 views • 15 slides
Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for

Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for

Security Evaluation of Physical RNGs Werner Schindler, Workshop on Randomness and Arithmetics for Cryptography on Hardware Roscoff, April 16, 2019 Overview Introduction and motivation Classification of random number generators (RNGs)

779 views • 49 slides
Security Evaluation and Enhancement of Bistable Ring PUFs RFIDSec, June 23, 2015 (1) , Ulrich

Security Evaluation and Enhancement of Bistable Ring PUFs RFIDSec, June 23, 2015 (1) , Ulrich

Security Evaluation and Enhancement of Bistable Ring PUFs RFIDSec, June 23, 2015 (1) , Ulrich Rhrmair (2) Xiaolin Xu (1) and Wayne Burleson (1) Daniel Holcomb (1) UMass Amherst (2) HGI, U Bochum This material is based upon work supported

257 views • 23 slides
Performance and Security Evaluation of SDN Networks in OMNeT++/INET Marco Tiloca, Alexandra

Performance and Security Evaluation of SDN Networks in OMNeT++/INET Marco Tiloca, Alexandra

Performance and Security Evaluation of SDN Networks in OMNeT++/INET Marco Tiloca, Alexandra Stagkopoulou, Gianluca Dini Software Defined Networking - Overview Key concepts Separation of Control plane and Data plane Centralized SDN

386 views • 22 slides

More recommend