Jiongyi Chen scite author profile

With more IoT devices entering the consumer market, it becomes imperative to detect their security vulnerabilities before an attacker does. Existing binary analysis based approaches only work on firmware, which is less accessible except for those equipped with special tools for extracting the code from the device. To address this challenge in IoT security analysis, we present in this paper a novel automatic fuzzing framework, called IOTFUZZER, which aims at finding memory corruption vulnerabilities in IoT devices without access to their firmware images. The key idea is based upon the observation that most IoT devices are controlled through their official mobile apps, and such an app often contains rich information about the protocol it uses to communicate with its device. Therefore, by identifying and reusing program-specific logic (e.g., encryption) to mutate the test case (particularly message fields), we are able to effectively probe IoT targets without relying on any knowledge about its protocol specifications. In our research, we implemented IOTFUZZER and evaluated 17 real-world IoT devices running on different protocols, and our approach successfully identified 15 memory corruption vulnerabilities (including 8 previously unknown ones).

show abstract

Your Smart Home Can't Keep a Secret: Towards Automated Fingerprinting of IoT Traffic

Dong

Tang

et al. 2020

View full text Add to dashboard Cite

The IoT (Internet of Things) technology has been widely adopted in recent years and has profoundly changed the people's daily lives. However, in the meantime, such a fast-growing technology has also introduced new privacy issues, which need to be better understood and measured. In this work, we look into how private information can be leaked from network traffic generated in the smart home network. Although researchers have proposed techniques to infer IoT device types or user behaviors under clean experiment setup, the effectiveness of such approaches become questionable in the complex but realistic network environment, where common techniques like Network Address and Port Translation (NAPT) and Virtual Private Network (VPN) are enabled. To this aim, we propose a traffic analysis framework based on sequence-learning techniques like LSTM and leveraged the temporal relations between packets for the attack of device identification. We evaluated it under different environment settings (e.g., pure-IoT and noisy environment with multiple non-IoT devices). The results showed our framework was able to differentiate device types with a high accuracy. This result suggests IoT network communications pose prominent challenges to users' privacy, even when they are protected by encryption and morphed by the network gateway. As such, new privacy protection methods on IoT traffic need to be developed towards mitigating this new issue.

show abstract

Your IoTs Are (Not) Mine: On the Remote Binding Between IoT Devices and Users

Chen

Zuo

Diao

et al. 2019

View full text Add to dashboard Cite

BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals

Diao

Zhou

et al. 2019

View full text Add to dashboard Cite

Bluetooth is a widely used communication technology, especially under the scenarios of mobile computing and Internet of Things. Once paired with a host device, a Bluetooth device then can exchange commands and data, such as voice, keyboard/mouse inputs, network, blood pressure data, and so on, with the host. Due to the sensitivity of such data and commands, some security measures have already been built into the Bluetooth protocol, like authentication, encryption, authorization, etc. The newly discovered vulnerabilities can lead to severe attacks on user's privacy. To demonstrate the potential security implications of these vulnerabilities, we devise several concrete

show abstract

Nano-Pd/CeO2 catalysts for hydrogen storage by reversible benzene hydrogenation/dehydrogenation reactions

Zhou

Chen

et al. 2021

International Journal of Hydrogen Energy

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Jiongyi Chen

IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing

Your Smart Home Can't Keep a Secret: Towards Automated Fingerprinting of IoT Traffic

Your IoTs Are (Not) Mine: On the Remote Binding Between IoT Devices and Users

BadBluetooth: Breaking Android Security Mechanisms via Malicious Bluetooth Peripherals

Nano-Pd/CeO2 catalysts for hydrogen storage by reversible benzene hydrogenation/dehydrogenation reactions

Contact Info

Product

Resources

About