Vijay Sivaraman
ABSTRACT
The explosion in Internet-connected household devices, such as light-bulbs, smoke-alarms, power-switches, and webcams, is creating new vectors for attacking "smart-homes" at an unprecedented scale. Common perception is that smart-home IoT devices are protected from Internet attacks by the perimeter security offered by home routers. In this paper we demonstrate how an attacker can infiltrate the home network via a doctored smart-phone app. Unbeknownst to the user, this app scouts for vulnerable IoT devices within the home, reports them to an external entity, and modifies the firewall to allow the external entity to directly attack the IoT device. The ability to infiltrate smart-homes via doctored smart-phone apps demonstrates that home routers are poor protection against Internet attacks and highlights the need for increased security for IoT devices.
- IEEE P2413 Standard for an Architectural Framework for IoT. http://grouper.ieee.org/groups/2413/Intro-to-IEEE-P2413.pdf.Google Scholar
- M2I Security Framework. http://www.m2isf.com/.Google Scholar
- Online Trust Alliance. https://otalliance.org/.Google Scholar
- DD4BC Group Targets Companies with Ransom-Driven DDoS Attacks. http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/dd4bc-group-targets-companies-with-ransom-driven-ddos-attacks/, Jun 2015.Google Scholar
- Google's first Brillo and Weave partners introduced at CES. http://www.digitaltrends.com/home/google-iot-brillo-weave-partners/, Jan 2016.Google Scholar
- Arxan Technologies. State of Application Security Report. https://www.arxan.com/wp-content/uploads/2015/06/State-of-Application-Security-Report-Vol-4-2015.pdf, Jun 2015.Google Scholar
- C. Ellison. UPnP Device Security: Service Template. http://upnp.org/specs/sec/UPnP-sec-DeviceSecurity-v1-Service.pdf, Nov 2003.Google Scholar
- Claud Xiao. More Details on the XcodeGhost Malware and Affected iOS Apps. http://researchcenter. paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware-and-affected-ios-apps/, Sep 2015.Google Scholar
- ExtremeTech. Philips Hue LED smart lights hacked, home blacked out by security researcher. http://www.extremetech.com/electronics/163972-philips-hue-led-smart-lights-hacked-whole-homes-blacked-out-by-security-researcher, 2013.Google Scholar
- Forbes. Baby Monitor Hacker Still Terrorizing Babies And Their Parents. http://www.forbes.com/sites/kashmirhill/2014/04/29/baby-monitor-hacker-still-terrorizing-babies-and-their-parents/#7784ae4817e2, 2014.Google Scholar
- Gartner. Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015. http://www.gartner.com/newsroom/id/2905717, Nov 2014.Google Scholar
- S. Grover and N. Feamster. The Internet of Unpatched Things. In Proc. FTC PrivacyCon, Jan 2016.Google Scholar
- A. A. M. M. Haque. UPnP Networking: Architecture and Security Issues. In Proc. TKK Seminar on Network Security, Nov 2007.Google Scholar
- iControl. State of the Smart Home. http://www.icontrol.com/docs/pdf/2014 State of the Smart Home-Final.pdf, 2014.Google Scholar
- Isaac Kelly. Hacking the WeMo Switch. https://github.com/issackelly/wemo, 2012.Google Scholar
- NetworkWorld. 500,000 Belkin WeMo users could be hacked; CERT issues advisory. http://www.networkworld.com/article/2226371/microsoft-subnet/500-000-belkin-wemo-users-could-be-hacked--cert-issues-advisory.html, 2014.Google Scholar
- B. News. Fridge Sends Spam Emails as Attack Hits Smart Gadgets. http://www.bbc.com/news/technology-25780908, 2014.Google Scholar
- Nokia. Threat Intelligence Report. http://resources.alcatel-lucent.com/asset/193174, H2 2015.Google Scholar
- S. Notra, M. Siddiqi, H. H. Gharakheili, V. Sivaraman, and R. Boreli. An Experimental Study of Security and Privacy Risks with Emerging Household Appliances. In Proc. International Workshop on Security and Privacy in Machine-to-Machine Communications (M2MSec), Oct 2014.Google ScholarCross Ref
- T. Sales, L. Sales, H. Almeida, and A. Perkusich. A UPnP extension for enabling user authentication and authorization in pervasive systems. Journal of the Brazilian Computer Society, 16(4):261--277, Nov 2010.Google ScholarCross Ref
- V. Sivaraman, H. H. Gharakheili, A. Vishwanath, R. Boreli, and O. Mehani. Network-Level Security and Privacy Control for Smart-Home IoT Devices. In Proc. IEEE WiMoB Workshop on Internet of Things Communications and Technologies (IoT-CT), Oct 2015.Google ScholarCross Ref
- T. Yu, V. Sekar, S. Sheshan, Y. Agarwal, and C. Xu. Handling a Trillion (Unfiable) Flaws on a Billion Devices: Rethinking Network Security for the Internet-of-Things. In Proc. ACM HotNets, Nov 2015. Google ScholarDigital Library
Index Terms
- Smart-Phones Attacking Smart-Homes
Recommendations
Secure Smart Homes: Opportunities and Challenges
The Smart Home concept integrates smart applications in the daily human life. In recent years, Smart Homes have increased security and management challenges due to the low capacity of small sensors, multiple connectivity to the Internet for efficient ...
Survey on smart homes: Vulnerabilities, risks, and countermeasures
AbstractOver the last few years, the explosive growth of Internet of Things (IoT) has revolutionized the way we live and interact with each other as well as with various types of systems and devices which form part of the Information ...
Attacking and Protecting Tunneled Traffic of Smart Home Devices
CODASPY '20: Proceedings of the Tenth ACM Conference on Data and Application Security and PrivacyThe number of smart home IoT (Internet of Things) devices has been growing fast in recent years. Along with the great benefits brought by smart home devices, new threats have appeared. One major threat to smart home users is the compromise of their ...
Comments