DOI: 10.1145/3055245.3055251
research-article

Let the Cat Out of the Bag: A Holistic Approach Towards Security Analysis of the Internet of Things

Published: 02 April 2017

Abstract

The exponential increase in Internet of Things (IoT) devices has resulted in a range of new and unanticipated vulnerabilities associated with their use. IoT devices, from smart homes to smart enterprises, can easily be compromised. One of the major problems associated with the IoT is maintaining security; the vulnerable nature of IoT devices poses a challenge to many aspects of security, including security testing and analysis. It is trivial to perform the security analysis for IoT devices to understand the loopholes and the very nature of the devices themselves. Given these issues, there has been less emphasis on security testing and analysis of the IoT. In this paper, we show our preliminary efforts in the area of security analysis for IoT devices and introduce a security IoT testbed for performing security analysis. We also discuss the necessary design, requirements, and architecture to support our security analysis conducted via the proposed testbed.



Information

Published In

IoTPTS '17: Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security
April 2017
46 pages
ISBN: 9781450349697
DOI: 10.1145/3055245

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 02 April 2017

Author Tags

1. internet of things (IoT)
2. privacy
3. security
4. testbed framework

Qualifiers

• Research-article

Conference

ASIA CCS '17

Acceptance Rates

IoTPTS '17 Paper Acceptance Rate 5 of 14 submissions, 36%;
Overall Acceptance Rate 16 of 39 submissions, 41%

Article Metrics

• Downloads (Last 12 months): 28
• Downloads (Last 6 weeks): 1

Reflects downloads up to 01 Oct 2024

Cited By

• (2023) Automated Security Audit Testbed For IP-Based IoT Devices Without Physical Access. 2023 10th International Conference on Internet of Things: Systems, Management and Security (IOTSMS), pp. 96-103. DOI: 10.1109/IOTSMS59855.2023.10325768. Online publication date: 23-Oct-2023
• (2022) Automated Penetration Testing Framework for Smart-Home-Based IoT Devices. Future Internet 14:10 (276). DOI: 10.3390/fi14100276. Online publication date: 27-Sep-2022
• (2022) Risk Prediction of IoT Devices Based on Vulnerability Analysis. ACM Transactions on Privacy and Security 25:2 (1-36). DOI: 10.1145/3510360. Online publication date: 4-May-2022
• (2022) A study on malicious software behaviour analysis and detection techniques. Future Generation Computer Systems 130:C (1-18). DOI: 10.1016/j.future.2021.11.030. Online publication date: 1-May-2022
• (2022) State-of-the-art survey of artificial intelligent techniques for IoT security. Computer Networks: The International Journal of Computer and Telecommunications Networking 206:C. DOI: 10.1016/j.comnet.2022.108771. Online publication date: 7-Apr-2022
• (2022) An automated context-aware IoT vulnerability assessment rule-set generator. Computer Communications 186:C (133-152). DOI: 10.1016/j.comcom.2022.01.022. Online publication date: 15-Mar-2022
• (2022) A User-Centric Privacy-Preserving Approach to Control Data Collection, Storage, and Disclosure in Own Smart Home Environments. Mobile and Ubiquitous Systems: Computing, Networking and Services, pp. 190-206. DOI: 10.1007/978-3-030-94822-1_11. Online publication date: 8-Feb-2022
• (2021) A Hadoop Based Framework Integrating Machine Learning Classifiers for Anomaly Detection in the Internet of Things. Electronics 10:16 (1955). DOI: 10.3390/electronics10161955. Online publication date: 13-Aug-2021
• (2021) Internet of Things (IoT): Vulnerabilities and Remediation Strategies. Recent Innovations in Computing, pp. 265-273. DOI: 10.1007/978-981-15-8297-4_22. Online publication date: 13-Jan-2021
• (2021) Trust and Verify: A Complexity-Based IoT Behavioral Enforcement Method. Cyber Security Cryptography and Machine Learning, pp. 432-450. DOI: 10.1007/978-3-030-78086-9_32. Online publication date: 1-Jul-2021
