Xiaomi is the market leader in the electric scooter (e-scooter) segment, with millions of active users. It provides several e-scooter models and Mi Home, a mobile application for Android and iOS to manage and control an e-scooter. Mi Home and the e-scooter interact via Bluetooth Low Energy (BLE). No prior research evaluated the security of this communication channel, as it employs security protocols proprietary to Xiaomi. Exploiting these protocols results in severe security, privacy, and safety issues, e.g., an attacker could steal an e-scooter or prevent the owner from controlling it. In this work, we fill this research gap by performing the first security evaluation on all proprietary wireless protocols deployed to Xiaomi e-scooters from 2016 to 2021. We identify and reverse-engineer four of them, each having ad-hoc Pairing and Session phases. We develop four attacks exploiting these protocols at the architectural level, and we call them Malicious Pairing (MP) and Session Downgrade (SD). Both attacks can be performed from proximity, if the attacker's machine is within BLE range of the target e-scooter, or remotely, via a malicious application co-located with Mi Home. An adversary can utilize MP and SD to steal a password-protected and software-locked e-scooter, or to prevent a victim from accessing it via Mi Home. We isolate six attack root causes, including the lack of authentication while pairing, and the improper enforcement of the e-scooter password. We open-source the E-Spoofer toolkit. Our toolkit automates the MP and SD attacks, and includes a reverse-engineering module for future research. We empirically confirm the effectiveness of our attacks by exploiting three e-scooters (i.e., M365, Essential, and Mi 3), embedding five BLE subsystem boards and eight BLE firmware versions that support all four Xiaomi protocols.
We design and evaluate two practical countermeasures that address our impactful attacks and their root causes, and we release them as part of E-Spoofer. We responsibly disclosed our findings to Xiaomi.
Android virtualization enables an app to create a virtual environment, in which other apps can run. Originally designed to overcome the limitations of mobile apps dimensions, malicious developers soon started exploiting this technique to design novel attacks. As a consequence, researchers proposed new defence mechanisms that enable apps to detect whether they are running in a virtual environment. In this paper, we propose Mascara, the first attack that exploits the virtualization technique in a new way, achieving the full feasibility against any Android app and proving the ineffectiveness of existing countermeasures. Mascara is executed by a malicious app that looks like the add-on of the victim app. As for any other add-on, our malicious one can be installed as a standard Android app, but, after the installation, it launches Mascara against the victim app. The malicious add-on is generated by Mascarer, the framework we designed and developed to automate the whole process. Concerning Mascara, we evaluated its effectiveness against three popular apps (i.e., Telegram, Amazon Music and Alamo) and its capability to bypass existing mechanisms for virtual environments detection. We analyzed the efficiency of our attack by measuring the overhead introduced at runtime by the virtualization technique and the compilation time required by Mascarer to generate 100 malicious add-ons (i.e., less than 10 sec). Finally, we designed a robust approach that detects virtual environments by inspecting the field values of ArtMethod data structures in the Android Runtime (ART) environment.