ABSTRACT
Vulnerabilities in smart devices often are particular severe from a privacy point of view. If these devices form central components of the underlying infrastructure, such as Wifi repeaters, even an entire network may be compromised. The devastating effects of such a compromise recently became evident in light of the Mirai botnet. In this paper, we conduct a thorough security analysis of so-called HomePlug devices, which are used to establish network communication over power lines. We identify multiple security issues and find that hundreds of vulnerable devices are openly connected to the Internet across Europe. 87 % run an outdated firmware, showing the deficiency of manual updates in comparison to automatic ones. However, even the default configurations of updated devices lack basic security mechanisms.
- Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In Proc. of the IEEE Symposium on Security and Privacy. 208--226.Google ScholarCross Ref
- Sumayah Alrwais, Kan Yuan, Eihal Alowaisheq, Xiaojing Liao, Alina Oprea, XiaoFeng Wang, and Zhou Li. 2016. Catching Predators at Watering Holes: Finding and Understanding Strategically Compromised Websites. In Proc. of the Annual Computer Security Applications Conference (ACSAC). 153--166. Google ScholarDigital Library
- Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding the Mirai Botnet. In Proc. of the USENIX Security Symposium. 1093--1110. Google ScholarDigital Library
- Atheros Communications Inc. 2010. AR9331 Highly-Integrated and Cost Effective IEEE 802.11n 1x1 2.4 GHz SoC for AP and Router Platforms. Technical Report. Atheros Communications Inc.Google Scholar
- Z. Berkay Celik, Leonardo Babun, Amit K. Sikder, Hidayet Aksu, Gang Tan, Patrick McDaniel, and A. Selcuk Uluaga. 2018. Sensitive Information Tracking in Commodity IoT. In Proc. of the USENIX Security Symposium. 1687--1704. Google ScholarDigital Library
- Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang.2018. IOTFUZZER: Discovering Memory Corruptions in IoT Through App-based Fuzzing. In Proc. of the Network and Distributed System Security Symposium (NDSS).Google Scholar
- Tamara Denning, Tadayoshi Kohno, and Henry M. Levy. 2013. Computer Security and the Modern Home. Commun. ACM 56, 1 (2013), 94--103. Google ScholarDigital Library
- devolo AG. 2002--2019. dLAN Powerline adapters. Internet and Wi-Fi in any room. https://www.devolo.com/. visited January 2019.Google Scholar
- Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. ZMap: Fast Internet-Wide Scanning and its Security Applications. In Proc. of the USENIX Security Symposium. 605--619. Google ScholarDigital Library
- Earlence Fernandes, Jaeyeon Jung, and Atul Prakash. 2016. Security Analysis of Emerging Smart Home Applications. In Proc. of the IEEE Symposium on Security and Privacy. 636--654.Google ScholarCross Ref
- Robert David Graham. 2013-2018. MASSCAN: Mass IP port scanner. https://github.com/robertdavidgraham/masscan. visited January 2019.Google Scholar
- Jeremiah Grossman. 2007. Hacking Intranet Websites from the Outside (Take 2). In Proc. of Black Hat USA.Google Scholar
- Jeremiah Grossman and T.C. Niedzialkowski. 2006. Hacking Intranet Websites from the Outside. In Proc. of Black Hat USA.Google Scholar
- IEEE Working Group: BPLPHMAC Broadband Over Power Lines PHY/-MAC Working Group. 2010. IEEE Standard for Broadband over Power Line Networks: Medium Access Control and Physical Layer Specifications. Standard. IEEE.Google Scholar
- Grant Ho, Aashish Sharma, Mobin Javed, Vern Paxson, and David Wagner. 2017. Detecting Credential Spearphishing Attacks in Enterprise Settings. In Proc. of the USENIX Security Symposium. 469--485. Google ScholarDigital Library
- Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh. 2007. Protecting Browsers from DNS Rebinding Attacks. 421--431. Google ScholarDigital Library
- Marek Jawurek, Martin Johns, and Konrad Rieck. 2011. Smart Metering De-Pseudonymization. In Proc. of the Annual Computer Security Applications Conference (ACSAC). 227--236. Google ScholarDigital Library
- Jun Young Kim, Ralph Holz, Wen Hu, and Sanjay Jha. 2017. Automated Analysis of Secure Internet of Things Protocols. In Proc. of the Annual Computer Security Applications Conference (ACSAC). 238--249. Google ScholarDigital Library
- Marius Muench, Jan Stijohann, Frank Kargl, Aurélien Francillon, and Davide Balzarotti. 2018. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices. In Proc. of the Network and Distributed System Security Symposium (NDSS).Google ScholarCross Ref
- Nethys SA. 2006-2019. VOO. http://www.voo.be/en/. visited January 2019.Google Scholar
- Giancarlo Pellegrino, Martin Johns, Simon Koch, Michael Backes, and Christian Rossow. 2017. Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs. In Proc. of the ACM Conference on Computer and Communications Security (CCS). 1757--1771. Google ScholarDigital Library
- J. Postel and J.K. Reynolds. 1983. Telnet Option Specifications. RFC 855 (INTERNET STANDARD). http://www.ietf.org/rfc/rfc855.txt Google ScholarDigital Library
- Eyal Ronen, Colin O'Flynn, Adi Shamir, and Achi-Or Weingarten. 2017. IoT Goes Nuclear: Creating a Zigbee Chain Reaction. In Proc. of the IEEE Symposium on Security and Privacy. 195--212.Google ScholarCross Ref
- Ishtiaq Rouf, Hossen Mustafa, Rob Miller, and Marco Gruteser. 2012. Neighborhood Watch: Security and Privacy Analysis of Automatic Meter Reading Systems. In Proc. of the ACM Conference on Computer and Communications Security (CCS). 462--473. Google ScholarDigital Library
- Bruce Schneier. 2017. Security and the Internet of Things. Technical Report. Schneier on Security.Google Scholar
- Thomas Schreiber. 2004. Session Riding -- A Widerspread Vulnerability in Today's Web Applications. Technical Report. SecureNet GmbH.Google Scholar
- Jörg Schwenk, Marcus Niemietz, and Christian Mainka. 2017. Same-Origin Policy: Evaluation in Modern Browsers. In Proc. of the USENIX Security Symposium. 713--727. Google ScholarDigital Library
- TrendLabs APT Research Team. 2012. Spear-Phishing Email: Most Favored APT Attack Bait. Technical Report. Trend Micro Inc.Google Scholar
Recommendations
Exploitation and threat analysis of open mobile devices
ANCS '09: Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications SystemsThe increasingly open environment of mobile computing systems such as PDAs and smartphones brings rich applications and services to mobile users. Accompanied with this trend is the growing malicious activities against these mobile systems, such as ...
Security Vulnerability Analysis for IoT Devices Raspberry Pi using PENTEST
AbstractIoT device security is vital due to their involvement in collecting sensitive information from our environment. This study proves that IoT devices lack a defense mechanism to identify malicious or virus-infected files, making them vulnerable to ...
Management of security policies for mobile devices
InfoSecCD '07: Proceedings of the 4th annual conference on Information security curriculum developmentThis paper discusses management of security policies for mobile devices. The increasing use of mobile devices in the workplace is covered, as well as new software applications that allow employees to use their mobile devices to increase their ...
Comments