HomeScan: Scrutinizing Implementations of Smart Home Integrations
Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang
ICECCS’18, 12 December 2018
Background
IoT-enhanced smart home is getting popular
1 https://www.statista.com/study/42112/smart-home-report/
2 https://www.juniperresearch.com/press/press-releases/smart-home-revenues-to-reach-$100-billion-by-2020
Smart Home Vulnerable to Attacks!
2016: “The biggest DDoS attack in history powered by 150,000 hacked IoT devices.”1
[Figure: Network Attacker, IoT Devices, Victim Server (e.g., Twitter, GitHub)]
2017: “KRACK, the attack on WPA2 protocol could cripple smart home Wi-Fi.”2
[Figure: Network Attacker, Home Wi-Fi, Victim Control Point, Handshake]
1 http://www.bbc.com/news/technology-37738823
2 http://www.bbc.com/news/av/technology-41641814/krack-wi-fi-security-flaw-explained
Existing Work on Smart Home Security
Flaw Identification
• Smart Devices: Smart locks, smart lights, smart meters, thermostats, wearables
• Protocols: ZigBee, Z-Wave, BLE, customized protocols on IEEE 802.15.4
• Platforms: Authorization model of IFTTT, permission model of frameworks (e.g. SmartThings)
Security Hardening in System Design and Implementation
• Smart Devices: Secure smart devices from malware, secure BLE IoTs presence
• Protocols: Securing home Wi-Fi from malicious control points
• Platforms: Securing data from malicious apps on control points, secure platforms
[Figure: layers Application Frameworks, IoT Protocols, Smart Devices]
Security in Integration??
Security of Smart Home Integration
▪ Causes of insecurity when integrating a smart home system.
1) Incompatibilities
2) Invalidated assumptions
Incompatibilities in Integration (1)
Wide assortments of technologies and devices manufactured by diverse vendors.
[Figure: Smart Devices (bulbs), Hubs, Control Point]
Incompatibilities in Integration (2)
E.g. Smart bulb cannot verify the identity of the control point.
[Figure: Bulb, Hub, Control Point; Authentication: ZigBee touch-link; Authentication: Customized; Malicious App on Control Point; Unauthorized control]
Invalidated Assumptions
Manufacturers make assumptions to reduce complexity and cost in building smart home systems.
➢ Home Wi-Fi is secure.
➢ Implicit trust in other components in the integrated system.
[Figure: Benign bulb, Benign hub, Benign control app; Malicious hub; Unauthorized control]
Our Solution: HomeScan
Extract the abstract specification of application-layer protocols and security-relevant internal behaviours from the implementation, and analyse the security of the specification.
Challenges: Partial availability of the implementations.
• Source code is unavailable; only the executables/libraries provided by the vendors are available.
• Communication is not clear due to the use of cryptographic protocols.
Running Example – Chromecast
[Figure: Chromecast Receiver (CR), plugged into TV’s HDMI port; Control Point (CP); YouTube Server (YS). Link labels: Communicate over SSL, Communicate over TLS, HTTPS. Availability labels: Have source code, No source code, No source code.]
Our Approach
[Figure: Input (Implementation, Initial Knowledge, Test Cases); Pre-processing]
Pre-processing
[Figure: Capture Traces, Extract values, Transactions]
E.g. msg between Control Point (CP) and YouTube Server (YS) over HTTPS
Message on trace:
POST https://www.youtube.com/api/lounge/pairing/get_lounge_token_batch HTTP/1.1
Host: www.youtube.com
Chrome/63.0.3239.132 Safari/537.36
screen_ids=fsti0e72vuamj9p8b26h5j08ug
Transaction = ( sender: CP, receiver: YS, channel: Wi-Fi, Message: {“fsti0e72vuamj9p8b26h5j08ug”} )
Our Approach
[Figure: Input (Implementation, Initial Knowledge, Test Cases); Pre-processing; Transactions; Specification Extraction]
Specification Extraction
[Figure: Transactions, Whitebox Analysis, Trace Analysis]
Specification Extraction
[Figure: Transactions, Whitebox Analysis, Trace Analysis]
Transaction = ( sender: CP, receiver: YS, channel: Wi-Fi, Message: {“fsti0e72vuamj9p8b26h5j08ug”} )
Program of CP:
send(msg)
msg = Receive(msg*)
[Figure: Chromecast Receiver, Control Point (CP), YouTube Server (YS); msg* over SSL, msg over HTTPS. Availability labels: No source code, Have source code, No source code.]
Specification Extraction
1. Known Configuration - (1)
[Figure: Transactions, Whitebox Analysis, Trace Analysis]
[Figure: Chromecast Receiver (CR), Control Point (CP), YouTube Server (YS); 1: msg* over SSL, 2: msg over HTTPS]
Trace 1: Before reset of CR
Trace 2: After reset of CR
Analyse the difference in the values in msg before and after the reset of CR.
Semantics of the msg = CR’s session identity
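The pre-processing step (request to Transaction) and the known-configuration comparison of Trace 1 and Trace 2, as an added example that is not HomeScan's own code. The `Transaction` fields follow the slide; the function names, the second `screen_ids` value and the `demo_const` field are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Transaction:
    sender: str
    receiver: str
    channel: str
    endpoint: str   # "METHOD /path"
    message: tuple  # sorted (field, value) pairs extracted from the request


def to_transaction(raw, sender, receiver, channel="Wi-Fi"):
    """Pre-processing: turn one decrypted HTTP request into a Transaction."""
    head, _, body = raw.partition("\n\n")
    method, url = head.splitlines()[0].split()[:2]
    parts = urlsplit(url)
    fields = parse_qsl(parts.query) + parse_qsl(body.strip())
    return Transaction(sender, receiver, channel,
                       f"{method} {parts.path}", tuple(sorted(fields)))


def diff_traces(trace1, trace2):
    """Known-configuration analysis: compare the same endpoint across two
    traces taken before/after one controlled change (here: reset of CR).
    Fields whose value changed are tied to the changed component."""
    after = {t.endpoint: dict(t.message) for t in trace2}
    changed, stable = set(), set()
    for t in trace1:
        for field, value in t.message:
            if field in after.get(t.endpoint, {}):
                same = after[t.endpoint][field] == value
                (stable if same else changed).add((t.endpoint, field))
    return changed, stable


# Request shape taken from the slide; the second screen_ids value and the
# "demo_const" field are constructed for this example.
REQ = ("POST https://www.youtube.com/api/lounge/pairing/get_lounge_token_batch"
       " HTTP/1.1\nHost: www.youtube.com\n\nscreen_ids={sid}&demo_const=1")
TRACE1 = [to_transaction(REQ.format(sid="fsti0e72vuamj9p8b26h5j08ug"), "CP", "YS")]
TRACE2 = [to_transaction(REQ.format(sid="constructedvalueafterreset00"), "CP", "YS")]

if __name__ == "__main__":
    changed, stable = diff_traces(TRACE1, TRACE2)
    print("changed after CR reset:", sorted(changed))
    print("stable:", sorted(stable))
```

A field that changes only when CR is reset, such as `screen_ids` here, is labelled as CR-specific state, which is how the slide arrives at "CR’s session identity".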
Specification Extraction
1. Known Configuration - (2)
[Figure: Transactions, Whitebox Analysis, Trace Analysis]
[Figure: Control Point (CP), Philips Hue Hub, Bulb; 1: HTTP carrying s, 2: Encrypted]
Trace 1: Before replace of Hub
Trace 2: After replace of Hub
Analyse the difference in “s” before and after the reset of CR.
Semantics of the String “s” = Hub specific value
Specification Extraction
2. Control Command
[Figure: Transactions, Whitebox Analysis, Trace Analysis]
E.g.2
[Figure: Control Point (CP), Philips Hue Hub, Bulb; 1: HTTP, 2: Encrypted]
[Figure: Packets with Turn On cmd: Heartbeat, Data(37); Remove Heartbeat: Data(37); Turn On command over Zigbee]
Specification: LTS Representation
[Figure: LTS of Chromecast Receiver (CR), Control Point (CP), YouTube Server (YS)]
Our Approach
[Figure: Input (Implementation, Initial Knowledge, Test Cases); Pre-processing; Transactions; Specification Extraction; LTS Representation; Flaw Identification; Output: Vulnerabilities]
Flaw Identification
[Figure: LTS Representation; Extracted Participants (e.g. CP||YS||CR); Attack; Security Properties]
Attack Models and Security Properties
Malicious Participant
• Collect information illegally
• Send unauthorized commands
Network Attacker
• Eavesdropping
• Intercept and modify
Security Properties (Data Level, Association Level, Access Level): Confidentiality, Integrity, Authentication, Authorization
Approach
[Figure: LTS Representation; Extracted Participants (e.g. CP||YS||CR); Attack; Security Properties; Execution Rules; Model]
Generate the System Model
Attack: Malicious CP
Extracted Participants: CR, CP, YS
System Model: … …
Init K = {}
Approach
[Figure: LTS Representation; Extracted Participants (e.g. CP||YS||CR); Attack; Security Properties; Execution Rules; Model; Verification Algorithm; Output: Vulnerabilities]
Flaw Identification
Attack: Malicious CP
Extracted Participants: CR, CP, YS
Attack Trace
Bad state: The attacker sent a casting video request to the YS.
Mis-response to discovery request
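A simplified reachability check in the spirit of the flaw-identification step, as an added example (it is not HomeScan's verification algorithm). It searches attacker knowledge sets starting from Init K = {} for the bad state, and contrasts a model where CR mis-responds to discovery with one where it does not. The rule labels, the intermediate token step and the `pairing_secret` fix are assumptions made for illustration.

```python
from collections import deque

# Rule = (action label, terms the attacker must know, terms learned).
# Message names are hypothetical abstractions of the Chromecast example.
FLAWED = [
    ("A -> CR: discovery request / CR -> A: screen id",
     frozenset(), frozenset({"screen_id"})),
    ("A -> YS: pairing request(screen id) / YS -> A: token",
     frozenset({"screen_id"}), frozenset({"lounge_token"})),
    ("A -> YS: cast video request(token)",
     frozenset({"lounge_token"}), frozenset({"CAST_REQUEST_SENT"})),
]
# Same system, but CR answers discovery only to a CP that proves knowledge
# of a pairing secret the attacker does not hold (assumed fix).
HARDENED = [(FLAWED[0][0], frozenset({"pairing_secret"}), FLAWED[0][2])] + FLAWED[1:]


def find_attack_trace(rules, bad="CAST_REQUEST_SENT", init_k=frozenset()):
    """Breadth-first search over attacker knowledge sets K, starting from
    Init K = {}. Returns the shortest action sequence reaching the bad
    state, or None if the bad state is unreachable."""
    seen, queue = {init_k}, deque([(init_k, [])])
    while queue:
        k, trace = queue.popleft()
        if bad in k:
            return trace
        for label, needs, learns in rules:
            nxt = k | learns
            if needs <= k and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None


if __name__ == "__main__":
    print("flawed model:", find_attack_trace(FLAWED))
    print("hardened model:", find_attack_trace(HARDENED))
```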
Evaluation: Vulnerabilities
| System / Vulnerability | Mis-response to Discovery Request | Flawed Authentication Protocol | Lack of Authentication | Use of Insecure Underlying Protocols | Unprotected SD’s Wi-Fi Hotspot | Lack of User or Device Authentication | Vulnerable to Network Traffic Replay | Total |
|---|---|---|---|---|---|---|---|---|
| Philips Hue | 2 | 1 | 1 | 1 | 0 | 0 | 0 | 5 |
| LIFX | 0 | 0 | 0 | 0 | 2 | 1 | 1 | 4 |
| Chromecast | 1 | 0 | 0 | 0 | 1 | 1 | 0 | 3 |
| Total | 3 | 1 | 1 | 1 | 3 | 2 | 1 | 12 |
Examples (Chromecast, Philips Hue, LIFX):
• Mis-response to discovery request: allows a malicious control point to obtain the identity of the TV screen and cast a video to the TV.
• Misuse of ZigBee Light Link protocol: allows a malicious hub to hijack the bulb.
• Unprotected Wi-Fi hotspot on the bulb: allows a malicious bulb with a fake hotspot to steal the password of the victim’s home Wi-Fi.
• Lack of device or user authentication: allows a malicious control point to obtain the identity of a private YouTube video of the victim.
• Lack of control to administration commands: results in uncontrolled authentication.
[Figure: Benign System (bulb, hub, control app); Malicious hub; Initialize ZLL protocol; Hijack the connection]
[Figure: Benign System (bulb, control app); Participants; Malicious bulb; Discover and connect with malicious bulb; Send home Wi-Fi credentials]
Conclusion and Future Work
Conclusion
• Propose hybrid techniques to extract the specification of the smart home integration.
• Analyse the security of the extracted specification using formal verification techniques.
• Applied the approach to three existing smart home systems.
• Found twelve vulnerabilities in them.
Future Work
• Plan to propose new attack models to find vulnerabilities in similar IoT systems.
Thank You
Questions?