research-article

Open access

Perils and Mitigation of Security Risks of Cooperation in Mobile-as-a-Gateway IoT

Authors:

Zhiyun QianAuthors Info & Claims

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Pages 3285 - 3299

https://doi.org/10.1145/3548606.3560590

Published: 07 November 2022 Publication History

Abstract

Mobile-as-a-Gateway (MaaG) is a popular feature using mobile devices as gateways to connect IoT devices to cloud services for management. MaaG IoT access control systems support remote access sharing/revocation while allowing "offline availability'' for better usability. Realizing these functionalities requires secure cooperation among the cloud service, the companion app, and the IoT device. For practical considerations, we find that almost all cloud services perform access model translation (AMT) to translate expressive cloud-side access policies to simple device-side policies. During the process, ad-hoc protocols are developed to support the access policy synchronization. Unfortunately, current MaaG IoT systems fail to recognize the security risks in the process of access model translation and synchronization. We analyze ten top-of-the-line MaaG IoT devices and find that all of them have serious vulnerabilities, e.g., allowing irrevocable and permanent access for temporary users. We further propose a secure protocol design that defends against all identified attacks.

References

[1]

2022. August Smart Lock. https://august.com/products/august-smart-lock-3rdgeneration.

[2]

2022. Aura Bluetooth Smart Door Lock | Kwikset. https://www.kwikset.com/aura.

[3]

2022. Chipolo ONE 4 Pack. https://chipolo.net/en-us/products/chipolo-one-4- pack.

[4]

2022. Find Your Lost Phone, Keys, or Anything with Tile's Bluetooth Tracker | Tile. https://www.thetileapp.com/en-us/store/tiles/pro.

[5]

2022. Geonfino Smart Lock. https://www.amazon.com/dp/B0957PSMBJ/.

[6]

2022. Honeywell Bluetooth Enabled Deadbolt Door Lock With Keypad, Satin Nickel | Honeywell Store. https://www.honeywellstore.com/store/products/ honeywell-bluetooth-enabled-entry-deadbolt-nickel-8812309s.htm.

[7]

2022. Kwikset Aura Product Documents. https://www.kwikset.com/support/ productdetail/aura-bluetooth-enabled-smart-lock#documents

[8]

2022. Level | Level Lock - The Smallest and Most Advanced Smart Lock Ever. https://level.co/products/lock.

[9]

2022. Schlage Sense? Smart Deadbolt with Camelot trim. https://www.schlage. com/en/home/products/BE479CAMFFF.html.

[10]

2022. Ultraloq U-Bolt Pro Smart Lock | World's Most Versatile Smart Lock -- U-tec. https://store.u-tec.com/products/ultraloq-u-bolt-pro-bluetooth-enabledfingerprint-and-keypad-smart-lock.

[11]

2022. Yale Assure Lock Touchscreen, Standalone - Yale Home. https://shopyalehome.com/collections/keypad-locks/products/yale-assurelock-touchscreen-standalone?variant=39341912162436.

[12]

Giuseppe Aceto, Alessio Botta, Pietro Marchetta, Valerio Persico, and Antonio Pescapé. 2018. A comprehensive survey on internet outages. Journal of Network and Computer Applications 113 (2018), 36--63.

[13]

Tahir Ahmad, Umberto Morelli, and Silvio Ranise. 2020. Deploying Access Control Enforcement for IoT in the Cloud-Edge Continuum with the help of the CAP Theorem. In Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. 213--220.

Digital Library

[14]

Apu Kapadia Jalal Al-muhtadi. 2000. IRBAC 2000: Secure interoperability using dynamic role translation. In In Proceedings of the 1st International Conference on Internet Computing. 231--238.

[15]

Gianluca Aloi, Giuseppe Caliciuri, Giancarlo Fortino, Raffaele Gravina, Pasquale Pace, Wilma Russo, and Claudio Savaglio. 2016. A mobile multi-technology gateway to enable IoT interoperability. In 2016 IEEE first international conference on internet-of-things design and implementation (IoTDI). IEEE, 259--264.

[16]

Florian Alt and Stefan Schneegass. 2022. Beyond Passwords-Challenges and Opportunities of Future Authentication. IEEE Security & Privacy 20, 1 (2022), 82--86.

[17]

Michael P Andersen, Sam Kumar, Moustafa AbdelBaky, Gabe Fierro, John Kolb, Hyung-Sin Kim, David E Culler, and Raluca Ada Popa. 2019. {WAVE}: A decentralized authorization framework with transitive delegation. In 28th USENIX Security Symposium (USENIX Security 19). 1375--1392.

[18]

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. 2020. BIAS: Bluetooth Impersonation AttackS. In 2020 IEEE Symposium on Security and Privacy (SP). 549--562. https://doi.org/10.1109/SP40000.2020.00093

[19]

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen. 2019. The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR. In 28th USENIX Security Symposium (USENIX Security. USENIX Association, Santa Clara, CA, 1047--1061. https://www.usenix.org/ conference/usenixsecurity19/presentation/antonioli

[20]

Z Berkay Celik, Gang Tan, and Patrick D McDaniel. 2019. IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT. In NDSS.

[21]

Somchai Chatvichienchai, Mizuho Iwaihara, and Yahiko Kambayashi. 2003. Secure Interoperability between Cooperating XML Systems by Dynamic Role Translation. In Database and Expert Systems Applications, Vladimír Mařík, Werner Retschitzegger, and Olga těpánková (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 866--875.

[22]

Jiongyi Chen, Chaoshun Zuo, Wenrui Diao, Shuaike Dong, Qingchuan Zhao, Menghan Sun, Zhiqiang Lin, Yinqian Zhang, and Kehuan Zhang. 2019. Your IoTs Are (Not) Mine: On the Remote Binding Between IoT Devices and Users. In 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 222--233. https://doi.org/10.1109/DSN.2019.00034

[23]

Yunang Chen, Mohannad Alhanahnah, Andrei Sabelfeld, Rahul Chatterjee, and Earlence Fernandes. 2022. Practical Data Access Minimization in {Trigger- Action} Platforms. In 31st USENIX Security Symposium (USENIX Security 22). 2929--2945.

[24]

Yunang Chen, Amrita Roy Chowdhury, Ruizhe Wang, Andrei Sabelfeld, Rahul Chatterjee, and Earlence Fernandes. 2021. Data privacy in trigger-action systems. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 501--518.

[25]

Haotian Chi, Chenglong Fu, Qiang Zeng, and Xiaojiang Du. 2022. Delay Wreaks Havoc on Your Smart Home: Delay-based Automation Interference Attacks. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 285--302.

[26]

Giuseppe DeCandia, Deniz Hastorun, Madan Jampani, Gunavardhan Kakulapati, Avinash Lakshman, Alex Pilchin, Swaminathan Sivasubramanian, Peter Vosshall, and Werner Vogels. 2007. Dynamo: Amazon's highly available key-value store. ACM SIGOPS operating systems review 41, 6 (2007), 205--220.

Digital Library

[27]

Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An empirical study of cryptographic misuse in android applications. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. 73--84.

Digital Library

[28]

Csilla Farkas, Andrei Stoica, and Parag Talekar. 2003. APTA: An automated policy translation architecture. In Int. Conf. Computer, Communication and Control Technologies. Citeseer.

[29]

Earlence Fernandes, Jaeyeon Jung, and Atul Prakash. 2016. Security Analysis of Emerging Smart Home Applications. In 2016 IEEE Symposium on Security and Privacy (SP). 636--654. https://doi.org/10.1109/SP.2016.44

[30]

Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, and Atul Prakash. 2018. Decentralized action integrity for trigger-action IoT platforms. In Proceedings 2018 Network and Distributed System Security Symposium.

[31]

Colin J Fidge. 1987. Timestamps in message-passing systems that preserve the partial ordering. (1987).

[32]

Chenglong Fu, Qiang Zeng, and Xiaojiang Du. 2021. {HAWatcher}:{Semantics- Aware} Anomaly Detection for Appified Smart Homes. In 30th USENIX Security Symposium (USENIX Security 21). 4223--4240.

[33]

Megan Fuller, Madeline Jenkins, and Katrine Tjølsen. 2019. Security Analysis of the August Smart Lock. en. In:() (2019), 17.

[34]

Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur. 2018. Rethinking Access Control and Authentication for the Home Internet of Things ({ { { { {IoT} } } } }). In 27th USENIX Security Symposium (USENIX Security 18). 255--272.

[35]

Yi He, Zhenhua Zou, Kun Sun, Zhuotao Liu, Ke Xu, Qian Wang, Chao Shen, Zhi Wang, and Qi Li. 2022. RapidPatch: Firmware Hotpatching for Real-Time Embedded Devices. In 31th USENIX Security Symposium (USENIX Security 22).

[36]

Grant Ho, Derek Leung, Pratyush Mishra, Ashkan Hosseini, Dawn Song, and David Wagner. 2016. Smart locks: Lessons for securing commodity internet of things devices. In Proceedings of the 11th ACM on Asia conference on computer and communications security. 461--472.

Digital Library

[37]

Blake Janes, Heather Crawford, and TJ OConnor. 2020. Never ending story: Authentication and access control design flaws in shared iot devices. In 2020 IEEE Security and Privacy Workshops (SPW). IEEE, 104--109.

[38]

Yan Jia, Luyi Xing, Yuhang Mao, Dongfang Zhao, XiaoFeng Wang, Shangru Zhao, and Yuqing Zhang. 2020. Burglars' IoT Paradise: Understanding and Mitigating Security Risks of General Messaging Protocols on IoT Clouds. In 2020 IEEE Symposium on Security and Privacy (SP). 465--481. https://doi.org/10.1109/ SP40000.2020.00051

[39]

Yan Jia, Bin Yuan, Luyi Xing, Dongfang Zhao, Yifan Zhang, XiaoFeng Wang, Yijing Liu, Kaimin Zheng, Peyton Crnjak, Yuqing Zhang, et al. 2021. Who's In Control? On Security Risks of Disjointed IoT Device Management Channels. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 1289--1305.

Digital Library

[40]

Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Zhuoqing Morley Mao, Atul Prakash, and SJ Unviersity. 2017. ContexloT: Towards Providing Contextual Integrity to Appified IoT Platforms. In NDSS, Vol. 2. San Diego, 2--2.

[41]

Jmaxxz. 2016. Backdooring the Front Door. https://media.defcon.org/DEF% 20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Jmaxxz-Backdooring-the-Frontdoor-UPDATED.pdf.

[42]

Jason Johnson, Rolf Rando, Siddharth Gidwani, and Christopher Dow. 2021. Intelligent door lock system in communication with mobile device that stores associated user data. US Patent 10,993,111.

[43]

Magne Jorgensen and Martin Shepperd. 2006. A systematic review of software development cost estimation studies. IEEE Transactions on software engineering 33, 1 (2006), 33--53.

Digital Library

[44]

Sam Kumar, Yuncong Hu, Michael P Andersen, Raluca Ada Popa, and David E. Culler. 2019. JEDI: Many-to-Many End-to-End Encryption and Key Delegation for IoT. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1519--1536. https://www.usenix.org/conference/ usenixsecurity19/presentation/kumar-sam

[45]

Kwok-yan Lam and Dieter Gollmann. 1992. Freshness assurance of authentication protocols. In European Symposium on Research in Computer Security. Springer, 261--271.

[46]

Edward A. Lee, Soroush Bateni, Shaokai Lin, Marten Lohstroh, and Christian Menard. 2021. Quantifying and Generalizing the CAP Theorem. arXiv:2109.07771 [cs.DC]

[47]

Gregory Leighton and Denilson Barbosa. 2011. Access control policy translation, verification, and minimization within heterogeneous data federations. ACM Transactions on Information and System Security (TISSEC) 14, 3 (2011), 1--28.

Digital Library

[48]

Xiaopeng Li, Qiang Zeng, Lannan Luo, and Tongbo Luo. 2020. T2pair: Secure and usable pairing for heterogeneous iot devices. In Proceedings of the 2020 acm sigsac conference on computer and communications security. 309--323.

Digital Library

[49]

Barbara Liskov and Rivka Ladin. 1986. Highly available distributed services and fault-tolerant distributed garbage collection. In Proceedings of the fifth annual ACM symposium on Principles of distributed computing. 29--39.

Digital Library

[50]

Hui Liu, Juanru Li, and Dawu Gu. 2020. Understanding the security of app-inthe- middle IoT. Computers & Security 97 (2020), 102000.

Digital Library

[51]

Lannan Luo, Qiang Zeng, Bokai Yang, Fei Zuo, and Junzhe Wang. 2021. Westworld: Fuzzing-Assisted Remote Dynamic Symbolic Execution of Smart Apps on IoT Cloud Platforms. In Annual Computer Security Applications Conference. 982--995.

[52]

Shrirang Mare, Franziska Roesner, and Tadayoshi Kohno. 2020. Smart Devices in Airbnbs: Considering Privacy and Security for both Guests and Hosts. Proc. Priv. Enhancing Technol. 2020, 2 (2020), 436--458.

[53]

Friedemann Mattern et al. 1988. Virtual time and global states of distributed systems. Univ., Department of Computer Science.

[54]

Muhammad Naveed, Xiao-yong Zhou, Soteris Demetriou, Xiao Feng Wang, and Carl A Gunter. 2014. Inside Job: Understanding and Mitigating the Threat of External Device Mis-Binding on Android. In NDSS.

[55]

Roger M. Needham and Michael D. Schroeder. 1978. Using Encryption for Authentication in Large Networks of Computers. Commun. ACM 21, 12 (dec 1978), 993--999. https://doi.org/10.1145/359657.359659

Digital Library

[56]

Dang Tu Nguyen, Chengyu Song, Zhiyun Qian, Srikanth V Krishnamurthy, Edward JM Colbert, and Patrick McDaniel. 2018. IoTSan: Fortifying the safety of IoT systems. In Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies. 191--203.

Digital Library

[57]

Christian Niesler, Sebastian Surminski, and Lucas Davi. 2021. HERA: Hotpatching of Embedded Real-time Applications. In NDSS.

[58]

TJ OConnor, Dylan Jessee, and Daniel Campos. 2021. Through the Spyglass: Towards IoT Companion App Man-in-the-Middle Attacks. In Cyber Security Experimentation and Test Workshop. 58--62.

[59]

Trevor Pering, Yuvraj Agarwal, Rajesh Gupta, and Roy Want. 2006. Cool Spots: Reducing the Power Consumption of Wireless Mobile Devices with Multiple Radio Interfaces (MobiSys '06).

[60]

Adrian Perrig, Robert Szewczyk, Justin Douglas Tygar, Victor Wen, and David E Culler. 2002. SPINS: Security protocols for sensor networks. Wireless networks 8, 5 (2002), 521--534.

[61]

Amir Rahmati, Earlence Fernandes, Kevin Eykholt, and Atul Prakash. 2018. Tyche: A risk-based permission model for smart homes. In 2018 IEEE Cybersecurity Development (SecDev). IEEE, 29--36.

[62]

Ole André Vadla Ravnås. 2016. Frida-A world-class dynamic instrumentation framework. URL: https://frida. re (2016).

[63]

Mike Ryan. 2013. Bluetooth: With Low Energy Comes Low Security. In 7th USENIX Workshop on Offensive Technologies (WOOT 13). USENIX Association, Washington, D.C. https://www.usenix.org/conference/woot13/workshopprogram/ presentation/ryan

[64]

Ravi S Sandhu, Edward J Coyne, Hal L Feinstein, and Charles E Youman. 1996. Role-based access control models. Computer 29, 2 (1996), 38--47.

Digital Library

[65]

Roei Schuster, Vitaly Shmatikov, and Eran Tromer. 2018. Situational access control in the internet of things. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 1056--1073.

Digital Library

[66]

B SIG. 2016. Bluetooth core specification version 5.0. Specification of the Bluetooth System (2016).

[67]

Pallavi Sivakumaran and Jorge Blasco. 2019. A Study of the Feasibility of Co-located App Attacks against BLE and a Large-Scale Analysis of the Current Application-Layer Security Landscape. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1--18. https: //www.usenix.org/conference/usenixsecurity19/presentation/sivakumaran

[68]

Yuan Tian, Nan Zhang, Yueh-Hsun Lin, Xiao Feng Wang, Blase Ur, Xianzheng Guo, and Patrick Tague. 2017. {SmartAuth}:{User-Centered} Authorization for the Internet of Things. In 26th USENIX Security Symposium (USENIX Security 17). 361--378.

[69]

Werner Vogels. 2009. Eventually consistent. Commun. ACM 52, 1 (2009), 40--44.

Digital Library

[70]

Qi Wang, Pubali Datta, Wei Yang, Si Liu, Adam Bates, and Carl A Gunter. 2019. Charting the attack surface of trigger-action IoT platforms. In Proceedings of the 2019 ACM SIGSAC conference on computer and communications security. 1439--1453.

Digital Library

[71]

Xueqiang Wang, Yuqiong Sun, Susanta Nanda, and XiaoFeng Wang. 2019. Looking from the Mirror: Evaluating {IoT} Device Security through Mobile Companion Apps. In 28th USENIX Security Symposium (USENIX Security 19). 1151--1167.

[72]

Luyi Xing, Ze Jin, Yiwei Fang, Yan Jia, Bin Yuan, and Qixu Liu. 2022. Understanding and Mitigating Security Risks in Cloud-based IoT Access Policies. In Proceedings of the 2022 ACMSIGSAC Conference on Computer and Communications Security.

[73]

Meng Xu, Manuel Huber, Zhichuang Sun, Paul England, Marcus Peinado, Sangho Lee, Andrey Marochko, Dennis Mattoon, Rob Spiger, and Stefan Thom. 2019. Dominance as a new trusted computing primitive for the internet of things. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 1415--1430.

[74]

Wen Xu and Yubin Fu. 2015. Own Your Android! Yet Another Universal Root. In 9th USENIX Workshop on Offensive Technologies (WOOT 15). USENIX Association, Washington, D.C. https://www.usenix.org/conference/woot15/workshopprogram/ presentation/xu

Digital Library

[75]

Mengmei Ye, Nan Jiang, Hao Yang, and Qiben Yan. 2017. Security analysis of Internet-of-Things: A case study of august smart lock. In 2017 IEEE conference on computer communications workshops (INFOCOM WKSHPS). IEEE, 499--504.

[76]

Bin Yuan, Yan Jia, Luyi Xing, Dongfang Zhao, XiaoFeng Wang, and Yuqing Zhang. 2020. Shattered Chain of Trust: Understanding Security Risks in Cross-Cloud IoT Access Delegation. In 29th USENIX Security Symposium (USENIX Security. USENIX Association, 1183--1200. https://www.usenix.org/conference/ usenixsecurity20/presentation/yuan

[77]

Thomas Zachariah, Neal Jackson, and Prabal Dutta. 2022. The internet of things still has a gateway problem. In Proceedings of the 23rd Annual International Workshop on Mobile Computing Systems and Applications. 109--115.

Digital Library

[78]

Thomas Zachariah, Noah Klugman, Bradford Campbell, Joshua Adkins, Neal Jackson, and Prabal Dutta. 2015. The internet of things has a gateway problem. In Proceedings of the 16th international workshop on mobile computing systems and applications. 27--32.

Digital Library

[79]

Eric Zeng and Franziska Roesner. 2019. Understanding and Improving Security and Privacy in Multi-User Smart Homes: A Design Exploration and In-Home User Study. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 159--176. https://www.usenix.org/conference/ usenixsecurity19/presentation/zeng

[80]

Aijuan Zhang, Jingxiang Gao, Jiuyun Sun, and Cheng Ji. 2013. Declaration and Translation of Spatial Access Control Policy. J. Softw. 8, 5 (2013), 1132--1139.

[81]

Lide Zhang, Birjodh Tiwana, Zhiyun Qian, Zhaoguang Wang, Robert P Dick, Zhuoqing Morley Mao, and Lei Yang. 2010. Accurate online power estimation and automatic battery behavior based power model generation for smartphones. In Proceedings of the eighth IEEE/ACM/IFIP international conference on Hardware/ software codesign and system synthesis. 105--114.

Digital Library

[82]

Wei Zhang, Yan Meng, Yugeng Liu, Xiaokuan Zhang, Yinqian Zhang, and Haojin Zhu. 2018. Homonit: Monitoring smart home apps from encrypted traffic. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 1074--1088.

Digital Library

[83]

Yue Zhang, Jian Weng, Rajib Dey, Yier Jin, Zhiqiang Lin, and Xinwen Fu. 2020. Breaking Secure Pairing of Bluetooth Low Energy Using Downgrade Attacks. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 37--54. https://www.usenix.org/conference/usenixsecurity20/presentation/zhangyue

[84]

Zheng Zhang, Hang Zhang, Zhiyun Qian, and Billy Lau. 2021. An Investigation of the Android Kernel Patch Ecosystem. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 3649--3666. https://www.usenix.org/ conference/usenixsecurity21/presentation/zhang-zheng

[85]

Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. 2019. Discovering and Understanding the Security Hazards in the Interactions between IoT Devices, Mobile Apps, and Clouds on Smart Home Platforms. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1133--1150. https://www.usenix.org/conference/ usenixsecurity19/presentation/zhou

Cited By

Akiirne ZBenkirane ABouzidi D(2024)A Comparative Study of Authentication Protocols in DGC-Based Smart Lock Systems2024 11th International Conference on Wireless Networks and Mobile Communications (WINCOM)10.1109/WINCOM62286.2024.10656608(1-6)Online publication date: 23-Jul-2024
https://doi.org/10.1109/WINCOM62286.2024.10656608
Zhang ZZou FHong JChen LYi P(2024)Detection and Analysis of Broken Access Control Vulnerabilities in App–Cloud Interaction in IoTIEEE Internet of Things Journal10.1109/JIOT.2024.340085811:17(28267-28280)Online publication date: 1-Sep-2024
https://doi.org/10.1109/JIOT.2024.3400858
Xiao YChen JHu YHuang J(2024)FIRMRES: Exposing Broken Device-Cloud Access Control in IoT Through Static Firmware Analysis2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00054(495-506)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00054

Index Terms

Perils and Mitigation of Security Risks of Cooperation in Mobile-as-a-Gateway IoT
1. Networks
  1. Network architectures
2. Security and privacy
  1. Security in hardware
    1. Embedded systems security
  2. Software and application security
    1. Software reverse engineering

Recommendations

Who's In Control? On Security Risks of Disjointed IoT Device Management Channels
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

An IoT device today can be managed through different channels, e.g., by its device manufacturer's app, or third-party channels such as Apple's Home app, or a smart speaker. Supporting each channel is a management framework integrated in the device and ...
Selective Forwarding Attack on IoT Home Security Kits
Computer Security
Abstract
Efforts have been made to improve the security of the Internet of Things (IoT) devices, but there remain some vulnerabilities and misimplementations. This paper describes a new threat to home security devices in which an attacker can disable all ...
Decentralised and Scalable Security for IoT Devices
SenSys '21: Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems

Advancements in IoT technology has provided great benefits, unfortunately, IoT adoption also causes an increase in the attack surface which intensify security risks. As a consequence, different types of IoT smart devices have become the main targets of ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

November 2022

3598 pages

ISBN:9781450394505

DOI:10.1145/3548606

General Chairs:
Heng Yin
University of California, Riverside
,
Angelos Stavrou
Virginia Tech
,
Program Chairs:
Cas Cremers
CISPA Helmholtz Center for Information Security
,
Elaine Shi
Carnegie Mellon University

Copyright © 2022 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 November 2022

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

NSF (National Science Foundation)

Conference

CCS '22

Sponsor:

SIGSAC

CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security

November 7 - 11, 2022

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 1,230 of 6,929 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
1,338
Total Downloads

Downloads (Last 12 months)442
Downloads (Last 6 weeks)54

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Akiirne ZBenkirane ABouzidi D(2024)A Comparative Study of Authentication Protocols in DGC-Based Smart Lock Systems2024 11th International Conference on Wireless Networks and Mobile Communications (WINCOM)10.1109/WINCOM62286.2024.10656608(1-6)Online publication date: 23-Jul-2024
https://doi.org/10.1109/WINCOM62286.2024.10656608
Zhang ZZou FHong JChen LYi P(2024)Detection and Analysis of Broken Access Control Vulnerabilities in App–Cloud Interaction in IoTIEEE Internet of Things Journal10.1109/JIOT.2024.340085811:17(28267-28280)Online publication date: 1-Sep-2024
https://doi.org/10.1109/JIOT.2024.3400858
Xiao YChen JHu YHuang J(2024)FIRMRES: Exposing Broken Device-Cloud Access Control in IoT Through Static Firmware Analysis2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00054(495-506)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00054

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents