research-article

Public Access

IoTLS: understanding TLS usage in consumer IoT devices

Authors:

Muhammad Talha Paracha,

Daniel J. Dubois,

Narseo Vallina-Rodriguez,

David ChoffnesAuthors Info & Claims

IMC '21: Proceedings of the 21st ACM Internet Measurement Conference

Pages 165 - 178

https://doi.org/10.1145/3487552.3487830

Published: 02 November 2021 Publication History

Abstract

Consumer IoT devices are becoming increasingly popular, with most leveraging TLS to provide connection security. In this work, we study a large number of TLS-enabled consumer IoT devices to shed light on how effectively they use TLS, in terms of establishing secure connections and correctly validating certificates, and how observed behavior changes over time. To this end, we gather more than two years of TLS network traffic from IoT devices, conduct active probing to test for vulnerabilities, and develop a novel blackbox technique for exploring the trusted root stores in IoT devices by exploiting a side-channel through TLS Alert Messages. We find a wide range of behaviors across devices, with some adopting best security practices but most being vulnerable in one or more of the following ways: use of old/insecure protocol versions and/or ciphersuites, lack of certificate validation, and poor maintenance of root stores. Specifically, we find that at least 8 IoT devices still include distrusted certificates in their root stores, 11/32 devices are vulnerable to TLS interception attacks, and that many devices fail to adopt modern protocol features over time. Our findings motivate the need for IoT manufacturers to audit, upgrade, and maintain their devices' TLS implementations in a consistent and uniform way that safeguards all of their network traffic.

Supplementary Material

ZIP File (p165-paracha.zip)

Supplemental material.

Download
72.45 MB

References

[1]

[n. d.]. 1493822 - Removal of "Visa eCommerce Root" CA from Mozilla Root Program. https://bugzilla.mozilla.org/show_bug.cgi?id=1493822. ([n. d.]). (Accessed on 05/16/2021).

[2]

[n. d.]. 1552374 - Remove Certinomis - Root CA. https://bugzilla.mozilla.org/show_bug.cgi?id=1552374. ([n. d.]). (Accessed on 05/16/2021).

[3]

[n. d.]. Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0 | Ars Technica. https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/. ([n. d.]). (Accessed on 05/14/2021).

[4]

[n. d.]. CAB Forum | Certification Authorities, Web Browsers, and Interested Parties Working to Secure the Web. https://cabforum.org/. ([n. d.]). (Accessed on 09/27/2021).

[5]

[n. d.]. ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF. https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF. ([n. d.]). (Accessed on 05/25/2021).

[6]

[n. d.]. Fire OS Overview | Amazon Fire TV. https://developer.amazon.com/docs/fire-tv/fire-os-overview.html. ([n. d.]). (Accessed on 11/21/2020).

[7]

[n. d.]. Google Online Security Blog: Distrusting WoSign and StartCom Certificates. https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html. ([n. d.]). (Accessed on 05/26/2021).

[8]

[n. d.]. ioXt - The Global Standard for IoT Security. https://www.ioxtalliance.org/. ([n. d.]). (Accessed on 05/26/2021).

[9]

[n. d.]. Microsoft Trusted Root Certificate Program: Participants - TechNet Articles - United States (English) - TechNet Wiki. https://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx. ([n. d.]). (Accessed on 05/19/2021).

[10]

[n. d.]. mitmproxy - an interactive HTTPS proxy. https://mitmproxy.org/. ([n. d.]). (Accessed on 05/26/2021).

[11]

[n. d.]. mitmproxy/tls_passthrough.py at main • mitmproxy/mitmproxy. https://github.com/mitmproxy/mitmproxy/blob/main/examples/contrib/tls_passthrough.py. ([n. d.]). (Accessed on 05/26/2021).

[12]

[n. d.]. mozilla-central: certdata.txt. https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt. ([n. d.]). (Accessed on 05/19/2021).

[13]

[n. d.]. net/data/ssl/blocklist - chromium/src - Git at Google. https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/data/ssl/blocklist/. ([n. d.]). (Accessed on 05/26/2021).

[14]

[n. d.]. Number of IoT devices 2015-2025 | Statista. https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/. ([n. d.]). (Accessed on 12/02/2020).

[15]

[n. d.]. platform/libcore - Git at Google. https://android.googlesource.com/platform/libcore/. ([n. d.]). (Accessed on 05/19/2021).

[16]

[n. d.]. Refs - platform/system/ca-certificates - Git at Google. https://android.googlesource.com/platform/system/ca-certificates/+refs. ([n. d.]). (Accessed on 05/19/2021).

[17]

[n. d.]. Revoking Trust in Two TurkTrust Certificates - Mozilla Security Blog. https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/. ([n. d.]). (Accessed on 05/16/2021).

[18]

[n. d.]. rfc2818. https://datatracker.ietf.org/doc/html/rfc2818. ([n. d.]). (Accessed on 05/22/2021).

[19]

[n. d.]. rfc5280. https://datatracker.ietf.org/doc/html/rfc5280. ([n. d.]). (Accessed on 05/22/2021).

[20]

[n. d.]. This POODLE Bites: Exploiting The SSL 3.0 Fallback. https://www.openssl.org/~bodo/ssl-poodle.pdf. ([n. d.]). (Accessed on 05/03/2021).

[21]

[n. d.]. TLS Cipher String • OWASP Cheat Sheet Series. https://web.archive.org/web/20190716105553/https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html. ([n. d.]). (Accessed on 05/16/2021).

[22]

[n. d.]. TLS Fingerprinting in the Real World - Cisco Blogs. https://blogs.cisco.com/security/tls-fingerprinting-in-the-real-world. ([n. d.]). (Accessed on 11/25/2020).

[23]

[n. d.]. What You Need To Know About the SolarWinds Supply-Chain Attack | SANS Institute. https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/. ([n. d.]). (Accessed on 04/04/2021).

[24]

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, et al. 2015. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. 5--17.

Digital Library

[25]

Nadhem J AlFardan, Daniel J Bernstein, Kenneth G Paterson, Bertram Poettering, and Jacob CN Schuldt. 2013. On the Security of RC4 in TLS and WPA. In USENIX Security Symposium. 173.

[26]

Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In 2019 IEEE Symposium on Security and Privacy (SP). 1362--1380.

[27]

Johanna Amann, Oliver Gasser, Quirin Scheitle, Lexi Brent, Georg Carle, and Ralph Holz. 2017. Mission accomplished? HTTPS security after DigiNotar. In Proceedings of the 2017 Internet Measurement Conference. 325--340.

Digital Library

[28]

Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. 2015. A messy state of the union: Taming the composite state machines of TLS. In 2015 IEEE Symposium on Security and Privacy. IEEE, 535--552.

Digital Library

[29]

Karthikeyan Bhargavan and Gaëtan Leurent. 2016. On the practical (in-) security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 456-467.

Digital Library

[30]

Johannes Braun and Gregor Rynkowski. 2013. The Potential of an Individualized Set of Trusted CAs: Defending against CA Failures in the Web PKI. In 2013 International Conference on Social Computing. 600--605.

Digital Library

[31]

Chad Brubaker, Suman Jana, Baishakhi Ray, Sarfraz Khurshid, and Vitaly Shmatikov. 2014. Using frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations. In 2014 IEEE Symposium on Security and Privacy. IEEE, 114--129.

Digital Library

[32]

Sze Yiu Chau, Omar Chowdhury, Endadul Hoque, Huangyi Ge, Aniket Kate, Cristina Nita-Rotaru, and Ninghui Li. 2017. Symcerts: Practical symbolic execution for exposing noncompliance in X. 509 certificate validation implementations. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 503--520.

[33]

Zakir Durumeric, James Kasten, Michael Bailey, and J Alex Halderman. 2013. Analysis of the HTTPS certificate ecosystem. In Proceedings of the 2013 conference on Internet measurement conference. 291--304.

Digital Library

[34]

Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman. 2014. The Matter of Heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (IMC '14). Association for Computing Machinery, New York, NY, USA, 475--488.

Digital Library

[35]

Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J Alex Halderman, and Vern Paxson. 2017. The Security Impact of HTTPS Interception. In NDSS.

[36]

Tariq Fadai, Sebastian Schrittwieser, Peter Kieseberg, and Martin Mulazzani. 2015. Trust me, I'm a Root CA! Analyzing SSL Root CAs in Modern Browsers and Operating Systems. In 2015 10th International Conference on Availability, Reliability and Security. IEEE, 174--179.

Digital Library

[37]

Adrienne Porter Felt, Richard Barnes, April King, Chris Palmer, Chris Bentzel, and Parisa Tabriz. 2017. Measuring HTTPS adoption on the web. In 26th USENIX Security Symposium (USENIX Security 17). 1323--1338.

[38]

Sergey Frolov and Eric Wustrow. 2019. The use of TLS in Censorship Circumvention. In NDSS.

[39]

Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov. 2012. The most dangerous code in the world: validating SSL certificates in non-browser software. In Proceedings of the 2012 ACM conference on Computer and communications security. 38--49.

Digital Library

[40]

Cristian Hesselman, Jelte Jansen, Marco Davids, and Ricardo de O Schmidt. 2017. SPIN: a user-centric security extension for in-home networks. Technical Report. SIDN Labs Technical report SIDN-TR-2017-002.

[41]

Ralph Holz, Jens Hiller, Johanna Amann, Abbas Razaghpanah, Thomas Jost, Narseo Vallina-Rodriguez, and Oliver Hohlfeld. 2020. Tracking the deployment of TLS 1.3 on the Web: A story of experimentation and centralization. ACM SIGCOMM Computer Communication Review 50, 3 (2020), 3--15.

Digital Library

[42]

James Kasten, Eric Wustrow, and J Alex Halderman. 2013. CAge: Taming certificate authorities by inferring restricted scopes. In International Conference on Financial Cryptography and Data Security. Springer, 329--337.

[43]

Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson, Narseo Vallina-Rodriguez, and Juan Caballero. 2018. Coming of Age: A Longitudinal Study of TLS Deployment. In Proceedings of the Internet Measurement Conference 2018 (IMC '18). Association for Computing Machinery, New York, NY, USA, 415--428.

Digital Library

[44]

Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Aaron Schulman, and Christo Wilson. 2015. An End-to-End Measurement of Certificate Revocation in the Web's PKI. In Proceedings of the 2015 Internet Measurement Conference (IMC '15). Association for Computing Machinery, New York, NY, USA, 183--196.

Digital Library

[45]

Anna Maria Mandalari, Daniel J. Dubois, Roman Kolcun, Muhammad Talha Paracha, Hamed Haddadi, and David Choffnes. 2021. Blocking without Breaking: Identification and Mitigation of Non-Essential IoT Traffic. In Proc. of the Privacy Enhancing Technologies Symposium (PETS).

[46]

Bodo Möller, Thai Duong, and Krzysztof Kotowicz. 2014. This POODLE bites: exploiting the SSL 3.0 fallback. Security Advisory (2014).

[47]

Marten Oltrogge, Nicolas Huaman, Sabrina Amft, Yasemin Acar, Michael Backes, and Sascha Fahl. 2021. Why Eve and Mallory Still Love Android: Revisiting TLS (In) Security in Android Applications. In 30th USENIX Security Symposium (USENIX Security 21).

[48]

Mark O'Neill, Scott Heidbrink, Jordan Whitehead, Tanner Perdue, Luke Dickinson, Torstein Collett, Nick Bonner, Kent Seamons, and Daniel Zappala. 2018. The Secure Socket API: TLS as an Operating System Service. In 27th USENIX Security Symposium (USENIX Security 18). 799--816.

[49]

Damilola Orikogbo, Matthias Büchler, and Manuel Egele. 2016. CRiOS: Toward large-scale iOS application analysis. In Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices. 33--42.

Digital Library

[50]

Henning Perl, Sascha Fahl, and Matthew Smith. 2014. You Won't Be Needing These Any More: On Removing Unused Certificates from Trust Stores. In International Conference on Financial Cryptography and Data Security. Springer, 307--315.

[51]

Abbas Razaghpanah, Arian Akhavan Niaki, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Johanna Amann, and Phillipa Gill. 2017. Studying TLS usage in Android apps. In Proceedings of the 13th International Conference on emerging Networking EXperiments and Technologies. 350--362.

Digital Library

[52]

Jingjing Ren, Daniel J. Dubois, David Choffnes, Anna Maria Mandalari, Roman Kolcun, and Hamed Haddadi. 2019. Information Exposure for Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach. In Proc. of the Internet Measurement Conference (IMC).

Digital Library

[53]

Said Jawad Saidi, Anna Maria Mandalari, Roman Kolcun, Hamed Haddadi, Daniel J Dubois, David Choffnes, Georgios Smaragdakis, and Anja Feldmann. 2020. A Haystack Full of Needles: Scalable Detection of IoT Devices in the Wild. In Proceedings of the ACM Internet Measurement Conference. 87--100.

Digital Library

[54]

Narseo Vallina-Rodriguez, Johanna Amann, Christian Kreibich, Nicholas Weaver, and Vern Paxson. 2014. A Tangled Mass: The Android Root Certificate Stores. In Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies. 141--148.

Digital Library

[55]

Janus Varmarken, Hieu Le, Anastasia Shuba, Athina Markopoulou, and Zubair Shafiq. 2020. The TV is Smart and Full of Trackers: Measuring Smart TV Advertising and Tracking. Proceedings on Privacy Enhancing Technologies 2020, 2 (2020).

Cited By

Zhang LMa DZhang LMa D(2024)Evaluating Network Security Configuration (NSC) Practices in Vehicle-Related Android ApplicationsSAE Technical Paper Series10.4271/2024-01-2881Online publication date: 16-Apr-2024
https://doi.org/10.4271/2024-01-2881
Szymanski T(2024)A Quantum-Safe Software-Defined Deterministic Internet of Things (IoT) with Hardware-Enforced Cyber-Security for Critical InfrastructuresInformation10.3390/info1504017315:4(173)Online publication date: 22-Mar-2024
https://doi.org/10.3390/info15040173
Tagliaro CKomsic MContinella ABorgolte KLindorfer M(2024)Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused ProtocolsProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678899(561-578)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678899
Show More Cited By

Index Terms

IoTLS: understanding TLS usage in consumer IoT devices
1. Networks
  1. Network performance evaluation
    1. Network measurement
  2. Network properties
    1. Network security
2. Security and privacy
  1. Network security
  2. Security in hardware
    1. Embedded systems security

Recommendations

Behind the Scenes: Uncovering TLS and Server Certificate Practice of IoT Device Vendors in the Wild
IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference

IoT devices are increasingly used in consumer homes. Despite recent works in characterizing IoT TLS usage for a limited number of in-lab devices, there exists a gap in quantitatively understanding TLS behaviors from devices in the wild and server-side ...
SP 800-113. Guide to SSL VPNs
Trust but Verify: Auditing the Secure Internet of Things
MobiSys '17: Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services

Internet-of-Things devices often collect and transmit sensitive information like camera footage, health monitoring data, or whether someone is home. These devices protect data in transit with end-to-end encryption, typically using TLS connections ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

IMC '21: Proceedings of the 21st ACM Internet Measurement Conference

November 2021

768 pages

ISBN:9781450391290

DOI:10.1145/3487552

General Chairs:
Dave Levin
University of Maryland
,
Alan Mislove
Northeastern University
,
Program Chairs:
Johanna Amann
International Computer Science Institute
,
Matthew Luckie
University of Waikato

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

In-Cooperation

USENIX Assoc: USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 November 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

NSF (National Science Foundation)
National Science Foundation
H2020 European Research Council
Spanish National Grant ODIO
Consumer Reports

Conference

IMC '21

Sponsor:

IMC '21: ACM Internet Measurement Conference

November 2 - 4, 2021

Virtual Event

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

25
Total Citations
View Citations
2,061
Total Downloads

Downloads (Last 12 months)839
Downloads (Last 6 weeks)136

Reflects downloads up to 13 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zhang LMa DZhang LMa D(2024)Evaluating Network Security Configuration (NSC) Practices in Vehicle-Related Android ApplicationsSAE Technical Paper Series10.4271/2024-01-2881Online publication date: 16-Apr-2024
https://doi.org/10.4271/2024-01-2881
Szymanski T(2024)A Quantum-Safe Software-Defined Deterministic Internet of Things (IoT) with Hardware-Enforced Cyber-Security for Critical InfrastructuresInformation10.3390/info1504017315:4(173)Online publication date: 22-Mar-2024
https://doi.org/10.3390/info15040173
Tagliaro CKomsic MContinella ABorgolte KLindorfer M(2024)Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused ProtocolsProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678899(561-578)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678899
Hu TDubois DChoffnes DVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)IoT Bricks Over v6: Understanding IPv6 Usage in Smart HomesProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688457(595-611)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688457
Theofanous APapadogiannaki EShevtsov AIoannidis SChua TNgo CKa-Wei Lee RKumar RLauw H(2024)Fingerprinting the Shadows: Unmasking Malicious Servers with Machine Learning-Powered TLS AnalysisProceedings of the ACM Web Conference 202410.1145/3589334.3645719(1933-1944)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645719
Zhang BXu CShi F(2024)Accurate DNS server fingerprinting based on borderline behavior analysisInternational Conference on Computer Graphics, Artificial Intelligence, and Data Processing (ICCAID 2023)10.1117/12.3026357(38)Online publication date: 27-Mar-2024
https://doi.org/10.1117/12.3026357
Kuzniar CNeves MGurevich VHaque I(2024)PoirIoT: Fingerprinting IoT Devices at Tbps ScaleIEEE/ACM Transactions on Networking10.1109/TNET.2024.339527832:4(3408-3420)Online publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1109/TNET.2024.3395278
de Hoz Diego JMadi TKonstantinou C(2024)CMXsafe: A Proxy Layer for Securing Internet-of-Things CommunicationsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.340425819(5767-5782)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3404258
Elsayed SKrintz CWolski R(2024)Just the FACTS: Flexible and Energy Efficient Federated Access Control for the Edge2024 9th International Conference on Fog and Mobile Edge Computing (FMEC)10.1109/FMEC62297.2024.10710274(204-211)Online publication date: 2-Sep-2024
https://doi.org/10.1109/FMEC62297.2024.10710274
Buccafurri FLazzaro S(2024)A Framework for Secure Internet of Things Applications2024 10th International Conference on Control, Decision and Information Technologies (CoDIT)10.1109/CoDIT62066.2024.10708208(2845-2850)Online publication date: 1-Jul-2024
https://doi.org/10.1109/CoDIT62066.2024.10708208
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents