Matthew Wynn, Kyle Tillotson, Ryan Kao, Andrea Calderon, A. Murillo, Javier Camargo, Rafael Mantilla, Brahian Rangel, A. Cárdenas, S. Rueda
Sexual preferences are one of our most intimate and private choices, and new IoT devices, while facilitating and expanding the ways in which partners can enjoy sexual intimacy, can also put at risk the privacy and safety of their users. In this paper we analyze smart vibrators and show systematic privacy and security problems that can put owners of these devices at risk of privacy breaches and sexual assault. We discuss the role these sexual IoT devices play in the larger liberty and morals legislation discussion and emphasize that the security and privacy of these devices should be held at a higher standard than other IoT tools because of the potential consequences of security breaches.
"Sexual Intimacy in the Age of Smart Devices: Are We Practicing Safe IoT?" Matthew Wynn, Kyle Tillotson, Ryan Kao, Andrea Calderon, A. Murillo, Javier Camargo, Rafael Mantilla, Brahian Rangel, A. Cárdenas, S. Rueda. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139942
This paper introduces a method to capture network traffic from medical IoT devices and automatically detect cleartext information that may reveal sensitive medical conditions and behaviors. The research follows a three-step approach involving traffic collection, cleartext detection, and metadata analysis. We analyze four popular consumer medical IoT devices, including one smart medical device that leaks sensitive health information in cleartext. We also present a traffic capture and analysis system that seamlessly integrates with a home network and offers a user-friendly interface for consumers to monitor and visualize data transmissions of IoT devices in their homes.
"Cleartext Data Transmissions in Consumer IoT Medical Devices." Daniel Wood, Noah J. Apthorpe, N. Feamster. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139939
The fragility of the Internet of Things (IoT) ecosystem poses serious threats to Internet security, and the proliferation of IoT devices only exacerbates this situation by providing vulnerable end-points to be exploited and used as attack sources. While industry and academia are working hard on designing innovative solutions to detect, mitigate and thwart massive botnet-based DDoS attacks, the space of solutions appears disjoint and fragmented. The lack of cooperation between the IoT device manufacturers, network operators, content providers, end users, and other players precipitates in point solutions which offer at best a veneer of security. In this paper we alert the community to the security challenges posed by the fragile IoT ecosystem, discuss the space of solutions, and present the need for a distributed, concerted effort, e.g., among end users, ISPs, and CDNs, to improve Internet security. We do not claim to solve the problem, but offer design guidelines and discuss the key implementation challenges to inform the debates on IoT security.
"Sounding the Bell for Improving Internet (of Things) Security." Theophilus A. Benson, B. Chandrasekaran. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139946
Keigo Nagara, Katsunori Aoki, Yutaka Matsubara, H. Takada
In recent years, internet-of-things (IoT) devices have attracted an increasing share of attention, and the vulnerability of IoT devices has been clarified. For example, the IoT malware Mirai constructs a bot using the vulnerability of IoT equipment embedded with Linux and exploits it for distributed denial of service (DDoS) attacks. Meanwhile, as reported in papers, examples of denial of service (DoS) attacks targeting IoT/embedded devices have emerged. Therefore, the DoS test at the product design and development stage is very important. We then created an open source software (OSS) based portable DoS test tool for IoT devices.
"Portable DoS Test Tool for IoT Devices." Keigo Nagara, Katsunori Aoki, Yutaka Matsubara, H. Takada. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139950
With an increasing number of Internet of Things (IoT) devices, the number of proprietary wireless protocols has also risen. Meanwhile, manufacturers save resources wherever they can, having size and energy constraints in mind. Consequently, there are security flaws that hackers demonstrate by silently breaking into a house or stealing a car. Revealing IoT security flaws requires expertise in Digital Signal Processing (DSP), coding theory, protocol design and cryptography. We contribute software that addresses research groups and security analysts without a strong DSP and coding-theoretic background: Universal Radio Hacker (URH). This software is a complete suite to investigate wireless protocols including (1) Software Defined Radio interface for sending and receiving, (2) DSP abstraction, (3) easily customizable encodings, (4) logic analysis assistance and (5) fuzzing. Using our software, researchers can focus on breaking the cryptography or analyzing protocol logic without worrying about hardware configuration or DSP specifics.
"Universal Radio Hacker: A Suite for Wireless Protocol Analysis." Johannes Pohl, A. Noack. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139951
The Internet of Things (IoT) revolution has brought millions of small, low-cost, connected devices into our homes, cities, infrastructure, and more. However, these devices are often plagued by security vulnerabilities that pose threats to user privacy or can threaten the Internet architecture as a whole. Home networks can be particularly vulnerable to these threats as they typically have no network administrator and often contain unpatched or otherwise vulnerable devices. In this paper, we argue that the unique security challenges of home networks require a new network-layer architecture to both protect against external threats and mitigate attacks from compromised devices. We present initial findings based on traffic analysis from a small-scale IoT testbed toward identifying predictable patterns in IoT traffic that may allow construction of a policy-based framework to restrict malicious traffic. Based on our observations, we discuss key features for the design of this architecture to promote future developments in network-layer security in smart home networks.
"Toward Usable Network Traffic Policies for IoT Devices in Consumer Networks." Nicholas DeMarinis, Rodrigo Fonseca. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139949
F. Loi, Arunan Sivanathan, H. Gharakheili, Adam Radford, V. Sivaraman
Internet-of-Things (IoT) devices such as smart bulbs, cameras, and health monitors are being enthusiastically adopted by consumers, with numbers projected to rise to the billions. However, such devices are also easily attacked, or used for launching attacks, at large scale and at increasing frequency. This paper is an attempt at developing a systematic method to identify the security and privacy shortcomings of various IoT devices, with a view towards alerting consumers, manufacturers, and regulators to the associated risks. We categorize the threats along four dimensions: confidentiality of private data sent to/from the IoT device; integrity of data from the IoT device to internal/external entities; access control of the IoT device; and reflective attacks that can be launched from an IoT device. We develop scripts to automate the security testing along each of these dimensions, subject twenty market-ready consumer IoT devices to our test suite, and reveal findings that give a fairly comprehensive picture of the security/privacy posture of these devices. Our methodology can be used as a basis for a star-based security ratings system for IoT devices being brought to market.
"Systematically Evaluating Security and Privacy for Consumer IoT Devices." F. Loi, Arunan Sivanathan, H. Gharakheili, Adam Radford, V. Sivaraman. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139938
The focus of this short paper has been to use a Raspberry Pi device to perform certain network attacks and exploit vulnerabilities in existing systems. To this end, we developed a new attack tool that can be installed on a Raspberry Pi and allows novice users to perform a Man-in-the-Middle attack and a small-scale Denial-of-Service attack. The first attack has been designed in such a way that the attacker can gather credentials of legitimate users even when they try to visit websites that are running under SSL/TLS and they have enabled the HSTS protocol. Regarding the second attack, the attacker has the ability to control a set of malicious Raspberry Pis and intentionally attempt to stop legitimate users from accessing services. The attacker can select a specific target in the network and overload the corresponding device by sending several fake requests. Throughout this work, we discovered that although security protocols have become more effective over the years, it is still considerably easy to launch certain attacks with the main aim to breach users' privacy or restrict service to certain users.
"Keep Pies Away from Kids: A Raspberry Pi Attacking Tool." A. Michalas, R. Murray. Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, 2017-11-03. https://doi.org/10.1145/3139937.3139953