I would not have made it this far without the help and support of some people who have followed me on this journey. I am a very fortunate person for having such wonderful parents. They have always trusted me and given me the necessary support and freedom to chase my dreams. I dedicate this work to my family for always being present in my life, in the bad and the good moments; they will always be my reference. Everything that I've accomplished so far would not have been possible without their unconditional support, and I will never be able to express my gratitude in words.

My interest in Software Engineering and research appeared while I was still an undergraduate student in Computer Science at UFCG, in Campina Grande. I had excellent professors, but two of them had a huge influence on my career and encouraged me to apply to graduate school at UFPE. Thank you very much to professors Tiago Massoni and Rohit Gheyi for giving me the opportunity to talk and for mentoring me during my stay at UFCG.

I am very grateful for the friends that I made at CIn-UFPE, in particular my academic brothers Luis Melo, Igor Simões, and Davino Junior, the last of whom was a close friend from our group. You were my family while I was at UFPE. I am very thankful for the many fun moments and hangouts we had during that time, not to mention the countless late hours in the lab helping each other. I wish all the success in the world for you guys, because you are very passionate and hard workers. You deserve it!

I am thankful to my advisor, Marcelo d'Amorim, for accepting me and walking beside me during this journey. Since the beginning, he was present and always encouraged me to give my best. Thank you very much to professor Leopoldo Teixeira for staying with me in the beginning while Marcelo was at Georgia Tech, and also for the many conversations followed by a tasty cup of coffee. I am also thankful to all the members of GENTES for all the lessons and learning experiences from the many presentations.

Thanks to FACEPE for funding my work. Finally, I am very grateful to my girlfriend for supporting me and staying by my side during this moment of my life, to the friends from UFCG, to the friends from Lar dos Estudante, and to my friends from Cidade Viva for the fun moments. I am thankful to God for all the opportunities and for everything that I have been living. To follow the path, look to the master, follow the master, walk with the master, see through the master, become the master.
Internet of Things (IoT) devices are becoming increasingly important. These devices are often resource-limited, hindering rigorous enforcement of security policies. Assessing the vulnerability of IoT devices is an important problem, but analyzing their firmware is difficult for a variety of reasons, including requiring the purchase of the devices. This paper finds that analyzing the companion apps of these devices for clues to security vulnerabilities can be an effective strategy. Compared to device hardware and firmware, these apps are easy to download and analyze. A key finding of this study is that the communication between an IoT device and its app is often not properly encrypted and authenticated, and these issues enable the construction of exploits to remotely control the devices. To confirm the vulnerabilities found, we created exploits against five popular IoT devices from Amazon by using a combination of static and dynamic analyses. We also did a larger study, finding that analyzing 96 popular IoT devices only required analyzing 32 companion apps. Among the conservative findings, 50% of the apps, corresponding to 38% of the devices, did not use proper encryption techniques to secure device-to-companion-app communication. Finally, we discuss defense strategies that developers can adapt to address the lessons from our work.
Security of Internet of Things (IoT) devices is a well-known concern as these devices come into increasing use in homes and commercial environments. To better understand the extent to which companies take the security of IoT devices seriously and the methods they use to secure them, this paper presents findings from a security analysis of 96 top-selling WiFi IoT devices on Amazon. We found that we could carry out a significant portion of the analysis by first analyzing the code of the Android companion apps responsible for controlling the devices. An interesting finding was that these devices used only 32 unique companion apps; we found instances of devices from the same as well as different brands sharing the same app, significantly reducing our work. We analyzed the code of these companion apps to understand how they communicated with the devices and the security of that communication. We found security problems to be widespread: 50% of the apps, corresponding to 38% of the devices, did not use proper encryption techniques; some even used well-known weak ciphers such as the Caesar cipher. We also purchased 5 devices and confirmed the vulnerabilities found with exploits. In some cases, we were able to bypass the pairing process and still control the device. Finally, we comment on technical and non-technical lessons learned from the study that have security implications.