TRANSCRIPT
Security Analysis of Emerging Smart Home Applications
Earlence Fernandes, Jaeyeon Jung, Atul Prakash. Presented by: Gohar Irfan Chaudhry
IEEE Security and Privacy, 24 May 2016
Emerging Smart Home Frameworks
[Slide shows device categories: CO sensors, connected ovens, smart TVs, smart plugs, IP cameras, smart door locks.]
Potential Security Risks
Flooding [1]; remotely determine prime time for burglary [1,2]
[1] Denning et al., Computer Security and the Modern Home, CACM '13
[2] FTC Internet of Things Report '15
Current Vulnerabilities
Categories: devices, protocols
These attacks are device-specific, and require proximity to the home.
In what ways are these emerging, programmable smart homes vulnerable to attacks, and what do those attacks entail?
Analysis of SmartThings
• Why SmartThings?
  • Relatively mature (2012)
  • 521 SmartApps
  • 132 device types
  • Shares design principles with other existing, nascent frameworks
[Diagram labels: Access Control; Trigger-Action Programming]
• Methodology
  • Examine security from 5 perspectives by constructing test apps to exercise the SmartThings API
  • Empirical analysis of 499 apps to determine security issue prevalence
  • Proof-of-concept attacks that compose security flaws
Analysis of SmartThings – Results Overview
Security Analysis Area | Finding
Overprivilege in Apps | Two types of automatic overprivilege
Event System Security | Event snooping and spoofing
Third-party Integration Safety | Incorrect OAuth can lead to attacks
External Input Sanitization | Groovy command injection attacks
API Access Control | No access control around SMS/Internet API
Empirical Analysis of 499 Apps | >40% of apps exhibit overprivilege of at least one type
Proof of Concept Attacks | Pincode injection and snooping, disabling vacation mode, fake fire alarms
SmartThings Primer
[Architecture diagram: the SmartThings companion app configures and controls the SmartThings cloud platform; SmartApps and SmartDevices run in Groovy-based sandboxes; the capability system mediates commands/attributes and events between them; physical devices connect over ZWave and WiFi; the platform exposes HTTPS GET/PUT endpoints, an Internet API and an SMS API.]
Capability System
[Diagram: an untrusted SmartApp is bound to a ZWave lock SmartDevice exposing capability.lock, capability.lockCodes, capability.battery, ...; the app sends commands, reads/sets attributes and receives events.]
Capability | Commands | Attributes
capability.lock | lock(), unlock() | lock (lock status)
capability.battery | N/A | battery (battery status)
Design trade-off: usability favours simpler, coarser capabilities; ease of development favours expressive functionality; security favours very granular capabilities.
SmartApps request Capabilities (Device Enumeration)
    definition(name: "DemoApp", namespace: "com.testing", category: "Utility")
    // query the user for capabilities
    preferences {
        section("Battery-Powered Devices") {
            input "dev", "capability.battery", title: "Select battery powered devices you wish to authorize", multiple: true
        }
    }
    ...
Overprivilege in SmartApps
Coarse SmartApp-SmartDevice binding:
    SmartApp: input "dev", "capability.battery"
    SmartDevice 1 [ZWave Lock] (physical lock): capability.battery, capability.lock, capability.refresh
    SmartDevice 2 [Smoke Sensor] (physical smoke sensor): capability.battery, capability.smoke, capability.refresh
Coarse-grained capabilities:
• "Auto-lock" app from app store
• Only needs the "lock" command, but can also issue "unlock"
Overprivilege increases the attack surface of the home
Insufficient Event Data Protection
[Diagram: a SmartApp subscribes to a ZWave door lock with device ID 71c9344e-6bea-4ae8-993a-28a7817a7d9e: subscribe dev, "door.unlock", handler; the platform later calls handler(EventData: {unlocked, time: 9AM})]
• Once a SmartApp gains any capability for a device, it can subscribe to any event that device generates
• If a SmartApp acquires the 128-bit ID, then it can monitor all events of that device without gaining any of the capabilities the device supports
• Using the 128-bit ID, a SmartApp can spoof physical device events (after being registered it can read the device.id value)
• Can lead to leakage of confidential information
• Spoofed events can lead to apps/devices taking incorrect actions
• Apps can use the location object (vacation mode attack)
Other Potential Security Issues – OAuth
• Insecurity of third-party integration: SmartApps expose HTTP endpoints protected by OAuth; incorrect implementation can lead to remote attacks [1]
[1] Chen et al., OAuth Demystified for Mobile Application Developers, CCS '14
Other Potential Security Issues
• Unsafe use of Groovy dynamic method invocation: apps can be tricked into performing unintended actions
    def foo() { ... }
    def str = "foo"
    "$str"()
Other Potential Security Issues – Unrestricted External Communication APIs
• Unrestricted communication abilities: SMS and Internet; can be used to leak data arbitrarily
Computing Overprivilege
Coarse-grained capabilities: compare the commands/attributes the requested capabilities grant with the commands/attributes the app actually uses.
Coarse SmartApp-SmartDevice binding: compare the capabilities granted through device binding with the capabilities the app actually uses.
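The two comparisons above, worked through on constructed data. This is an added example in Python, not the paper's analysis tooling: the capability table beyond lock/battery (refresh, smoke), the two devices and the three apps are constructed here to show how each overprivilege type is computed from requested, granted and used operations.

```python
# Toy model of the two overprivilege types described on the slides (coarse-grained
# capabilities and coarse SmartApp-SmartDevice binding). Added example, not the
# paper's analysis tooling; the capability table beyond lock/battery, the devices
# and the three apps are constructed for illustration.
from dataclasses import dataclass

# Commands and attributes each capability implies. lock/battery follow the slide's
# table; refresh and smoke are assumed.
CAPABILITIES = {
    "capability.lock":    {"commands": {"lock", "unlock"}, "attributes": {"lock"}},
    "capability.battery": {"commands": set(),             "attributes": {"battery"}},
    "capability.refresh": {"commands": {"refresh"},       "attributes": set()},
    "capability.smoke":   {"commands": set(),             "attributes": {"smoke"}},
}

# Capabilities each SmartDevice implements (from the "Overprivilege in SmartApps" slide).
DEVICES = {
    "zwave-lock":   {"capability.battery", "capability.lock", "capability.refresh"},
    "smoke-sensor": {"capability.battery", "capability.smoke", "capability.refresh"},
}


@dataclass
class SmartApp:
    name: str
    requested: set        # capabilities named in input "dev", "capability.x"
    bound_devices: set    # devices the user selected for that input
    used_commands: set    # commands the app's source actually calls (static analysis)
    used_attributes: set  # attributes the app's source actually reads


def granted_capabilities(app):
    """Binding is per device, so the app receives every capability of each bound device."""
    return set().union(*(DEVICES[d] for d in app.bound_devices))


def coarse_capability_overprivilege(app):
    """Type 1: commands/attributes implied by the requested capabilities but never used."""
    cmds = set().union(*(CAPABILITIES[c]["commands"] for c in app.requested))
    attrs = set().union(*(CAPABILITIES[c]["attributes"] for c in app.requested))
    return {"commands": cmds - app.used_commands, "attributes": attrs - app.used_attributes}


def coarse_binding_overprivilege(app):
    """Type 2: capabilities granted through device binding that the app never requested."""
    return granted_capabilities(app) - app.requested


def used_capabilities(app):
    """Capabilities the app exercises, inferred from the commands/attributes it uses."""
    return {cap for cap, spec in CAPABILITIES.items()
            if spec["commands"] & app.used_commands or spec["attributes"] & app.used_attributes}


def binding_overprivilege_used(app):
    """Whether the app exercises a capability it got only via binding (the 14% case)."""
    return bool(coarse_binding_overprivilege(app) & used_capabilities(app))


# Constructed apps. AUTO_LOCK mirrors the slide's "Auto-lock" example; BATTERY_MONITOR
# mirrors the battery-level monitoring app; SNEAKY shows binding overprivilege
# actually being exercised.
AUTO_LOCK = SmartApp("auto-lock", {"capability.lock"}, {"zwave-lock"}, {"lock"}, {"lock"})
BATTERY_MONITOR = SmartApp("battery-monitor", {"capability.battery"}, {"zwave-lock"}, set(), {"battery"})
SNEAKY = SmartApp("sneaky", {"capability.battery"}, {"zwave-lock"}, {"unlock"}, {"battery"})


def report(app):
    """Summary a vetting pipeline could attach to an app before approval."""
    return {
        "app": app.name,
        "unused_granted_commands": sorted(coarse_capability_overprivilege(app)["commands"]),
        "unrequested_capabilities": sorted(coarse_binding_overprivilege(app)),
        "uses_unrequested_capability": binding_overprivilege_used(app),
    }


if __name__ == "__main__":
    for app in (AUTO_LOCK, BATTERY_MONITOR, SNEAKY):
        print(report(app))
```

The "auto-lock" app shows type 1 (it is granted unlock but never uses it); the battery monitor shows type 2 (binding to the lock grants capability.lock and capability.refresh it never asked for); the third app is the case a vetting process most wants to flag, where an unrequested capability is actually exercised.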
Measuring Overprivilege in SmartApps
Challenge
• SmartThings is closed source; can't do instrumentation
• Groovy is extremely dynamic; bytecode uses reflection (Groovy Meta-Object Protocol)
• Incomplete capability details (commands/attributes)
Solution
• Study source code of apps from the open-source app store instead
• Static analysis
• Discovered an unpublished REST endpoint, which, if given a device ID, returns capability details
Empirical Analysis Results
Capability details | Documented | Completed
Commands | 65 | 93
Attributes | 60 | 85

Reason for Overprivilege | Number of Apps
Coarse-grained Capability | 276 (55%)
Coarse SmartApp-SmartDevice Binding | 213 (43%)
Overprivilege Usage Prevalence (Coarse Binding) | 68 (14%)
Empirical Analysis of SmartThings
Total number of SmartDevices | 132
Number of SmartDevices raising events using createEvent and sendEvent (such events can be snooped on by SmartApps) | 111
Total number of SmartApps | 499
Number of apps using potentially unsafe Groovy dynamic method invocation | 26
Number of OAuth-enabled apps, whose security depends on correct implementation of OAuth | 27
Number of apps using unrestricted SMS APIs | 131
Number of apps using unrestricted Internet APIs | 36
Exploiting Design Flaws in SmartThings
Attack Description | Attack Vectors | Physical World Impact
Backdoor Pincode Injection Attack | Command injection into existing Web Service SmartApp; overprivilege; OAuth impl. flaws | Enabling physical entry; theft
Door Lock Pincode Snooping Attack | Stealthy battery-level monitoring app; overprivilege; leak data using SMS | Enabling physical entry; theft
Disabling Vacation Mode Attack | Attack app with no capabilities; misusing logic of benign app; event spoofing | Theft; vandalism
Fake Alarm Attack | Attack app with no capabilities; event spoofing; misusing logic of benign app | Misinformation; annoyance
Exploiting Design Flaws in SmartThings
[Matrix on the slide relates the design issues (overprivilege, command injection, OAuth compromise, event spoofing, unrestricted SMS API) to the four attacks (pincode injection, pincode snooping, disabling vacation mode, fake CO alarm).]
• Pincode injection: popular existing SmartApp with Android companion app; unintended action of setCode() on lock
• Pincode snooping: stealthy malware SmartApp; ONLY requests capability.battery
• Disabling vacation mode and fake CO alarm: malware SmartApps with no capabilities; misuses logic of existing SmartApps with fake events
Potential Defense Strategies
• Achieving least-privilege in SmartApps
  • Risk asymmetry in device operations, e.g., oven.on and oven.off
  • Include notions of risk from multiple stakeholders, rank [1], and regroup
• Preventing information leakage from events
  • Provide a notion of strong identity for apps + access control on events
  • Make apps request access to certain types of events, e.g., lock pincode ACKs
[1] Felt et al., I've got 99 problems, but vibration ain't one: A survey of smartphone users' concerns, SPSM '12
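A toy event bus that replays the snooping and spoofing cases from the "Insufficient Event Data Protection" slides under two policies: the ID-based model the slides describe, and the defense proposed here (strong app identity plus access control on events). This is an added example in Python, not SmartThings code; the event-to-capability mapping, the app names, the device handler identity and the events are constructed. The lock's device ID is the one shown on the slide.

```python
# Toy event bus contrasting the SmartThings event model described on the slides
# (an app that knows a device's 128-bit ID can subscribe to, and send, its events)
# with the proposed defense: strong app identity plus access control on events.
# Added example, not SmartThings code; the event-to-capability mapping, the app
# names, the handler identity and the events are constructed.

LOCK_ID = "71c9344e-6bea-4ae8-993a-28a7817a7d9e"   # device ID from the slide
LOCK_HANDLER = "zwave-lock-device-handler"          # identity allowed to raise the lock's events

# Capability an app must hold on a device to receive a given event type. Constructed
# mapping following the slide's "make apps request access to certain types of events".
EVENT_CAPABILITY = {
    "lock": "capability.lock",
    "battery": "capability.battery",
    "codeReport": "capability.lockCodes",
}


class EventBus:
    def __init__(self, enforce_acl):
        self.enforce_acl = enforce_acl
        self.handlers = {}   # device_id -> identity registered as its device handler
        self.grants = {}     # (app, device_id) -> capabilities the user authorized
        self.subs = []       # (app, device_id, event_name, callback)
        self.audit = []      # denied operations, for detection/alerting

    def register_device(self, device_id, handler_identity):
        self.handlers[device_id] = handler_identity

    def grant(self, app, device_id, caps):
        self.grants.setdefault((app, device_id), set()).update(caps)

    def subscribe(self, app, device_id, event_name, callback):
        """Under the ACL, knowing the ID is not enough: the app needs the matching capability."""
        if self.enforce_acl:
            needed = EVENT_CAPABILITY.get(event_name)
            held = self.grants.get((app, device_id), set())
            if needed is None or needed not in held:
                self.audit.append(f"DENY subscribe app={app} device={device_id} event={event_name}")
                return False
        self.subs.append((app, device_id, event_name, callback))
        return True

    def send_event(self, sender, device_id, event_name, value):
        """Deliver an event to matching subscribers; returns the apps that received it."""
        if self.enforce_acl and self.handlers.get(device_id) != sender:
            self.audit.append(f"DENY spoofed event={event_name} device={device_id} from={sender}")
            return []
        delivered = []
        for app, dev, name, cb in self.subs:
            if dev == device_id and name == event_name:
                cb({"device": device_id, "name": event_name, "value": value})
                delivered.append(app)
        return delivered


def run_scenario(enforce_acl):
    """Replay the snooping and spoofing cases from the slides against one policy."""
    bus = EventBus(enforce_acl)
    bus.register_device(LOCK_ID, LOCK_HANDLER)
    received = []
    sink = received.append
    # Benign apps: the user granted battery-monitor capability.battery and
    # vacation-mode capability.lock on the lock.
    bus.grant("battery-monitor", LOCK_ID, {"capability.battery"})
    bus.grant("vacation-mode", LOCK_ID, {"capability.lock"})
    bus.subscribe("battery-monitor", LOCK_ID, "battery", sink)
    bus.subscribe("vacation-mode", LOCK_ID, "lock", sink)
    return {
        # pincode snooping: battery-monitor holds only capability.battery but asks for codeReport
        "monitor_gets_codereport": bus.subscribe("battery-monitor", LOCK_ID, "codeReport", sink),
        # an app with no capabilities at all that only knows the 128-bit ID
        "no_cap_app_subscribed": bus.subscribe("no-cap-app", LOCK_ID, "codeReport", sink),
        # event spoofing: an app (not the device handler) raises a fake lock event
        "spoof_delivered": bus.send_event("no-cap-app", LOCK_ID, "lock", "unlocked"),
        # a genuine event from the registered device handler still flows
        "legit_delivered": bus.send_event(LOCK_HANDLER, LOCK_ID, "battery", 87),
        "denials": len(bus.audit),
    }


if __name__ == "__main__":
    print("id-only policy:", run_scenario(enforce_acl=False))
    print("acl policy:    ", run_scenario(enforce_acl=True))
```

With the ACL on, the two event-access checks are independent: a subscription needs the capability the event type belongs to, and a publish needs the sender to be the device's registered handler, so neither the battery monitor's codeReport subscription nor the spoofed unlock is accepted while the genuine battery event is still delivered. The denials list is the audit trail a platform would feed to detection.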
Backdoor Pincode Injection Attack
[Diagram: the Android companion app talks to a Web Service SmartApp over HTTP PUT/GET, authenticating with client_id and client_secret]
    mappings {
        path("/devices/:id") {
            action: [ PUT: "updateDevice" ]
        }
    }
    def updateDevice() {
        def cmd = request.JSON.command
        def args = request.JSON.arguments
        // code truncated
        device."$cmd"(*args)
    }
Request body that makes the endpoint call setCode() on the lock:
    { command: setCode, arguments: [3, '5500'] }
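The Groovy dynamic invocation shown on the "Other Potential Security Issues" slide ("$str"()) and in updateDevice() above (device."$cmd"(*args)) both dispatch on a string the caller controls. The following is an added example in Python, not the Web Service SmartApp's code: getattr(device, cmd)(*args) is the same pattern, shown beside an allowlisted dispatch that keys on a table of intended commands instead of on the request. The ZWaveLock stand-in and the allowlist are constructed.

```python
# Hardened version of the updateDevice() pattern on the slide, modelled in Python.
# Groovy's device."$cmd"(*args) dispatches on a string taken from the request body;
# Python's getattr(device, cmd)(*args) is the same pattern. Added example, not the
# Web Service SmartApp's code; the ZWaveLock stand-in and the allowlist are constructed.


class ZWaveLock:
    """Stand-in device exposing the commands a lock's capabilities imply."""

    def __init__(self):
        self.state = "locked"
        self.codes = {}

    def lock(self):
        self.state = "locked"
        return self.state

    def unlock(self):
        self.state = "unlocked"
        return self.state

    def setCode(self, slot, code):   # capability.lockCodes; never meant to be reachable here
        self.codes[slot] = code
        return slot

    def refresh(self):
        return self.state


# The request body from the slide.
SLIDE_BODY = {"command": "setCode", "arguments": [3, "5500"]}


def update_device_unsafe(device, body):
    """Mirrors the slide: whatever method name the JSON names gets invoked."""
    return getattr(device, body["command"])(*body.get("arguments", []))


# The operations this endpoint exists to perform, with the argument count each takes.
# Dispatch is keyed on this table, not on the request, so setCode() cannot be reached.
ALLOWED_COMMANDS = {"lock": 0, "unlock": 0, "refresh": 0}


def update_device_safe(device, body):
    """Allowlisted dispatch: reject unknown commands and malformed argument lists."""
    cmd = body.get("command")
    args = body.get("arguments", [])
    if not isinstance(cmd, str) or cmd not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {cmd!r}")
    if not isinstance(args, list) or len(args) != ALLOWED_COMMANDS[cmd]:
        raise ValueError(f"bad arguments for {cmd}")
    return getattr(device, cmd)(*args)


def rejected(device, body):
    """True if the hardened handler refuses the request."""
    try:
        update_device_safe(device, body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    lock = ZWaveLock()
    print(update_device_safe(lock, {"command": "unlock", "arguments": []}))
    print("slide body rejected:", rejected(lock, SLIDE_BODY), "codes:", lock.codes)
```

The check is on the command name and the argument shape, not on the device's method table, so a new command added to the device (or, in Groovy, any method reachable by name) does not silently widen the endpoint's surface.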
Example of Stealing an OAuth Bearer Token
• Decompile APK bytecode to get the client_secret + client_id
• Send email to user asking to "reauthenticate" to SmartThings
https://graph.api.smartthings.com/oauth/authorize?response_type=code&client_id=REDACTED&scope=app&redirect_uri=http%3A%2F%2Fssmartthings.appspot.com
Open redirector
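The open redirector works because the authorization endpoint accepts whatever redirect_uri the request carries. The check an authorization server should apply is an exact match against the URI registered for that client_id. Below is an added example in Python, not SmartThings code, that applies that check to the authorize URL shown on the slide; the registered callback URI for the client is an assumed value.

```python
# Exact-match check of the redirect_uri on an OAuth authorization request, using the
# authorize URL shown on the slide as the test input. Added example, not SmartThings
# code; the registered callback URI for the client is an assumed value.
from urllib.parse import urlsplit, parse_qs

# Pre-registered redirect URIs per client_id (constructed).
REGISTERED_REDIRECTS = {
    "REDACTED": {"https://companion.example.com/oauth/callback"},
}

# The URL from the slide: redirect_uri points at a look-alike host, not the registered one.
SLIDE_AUTHORIZE_URL = (
    "https://graph.api.smartthings.com/oauth/authorize?response_type=code"
    "&client_id=REDACTED&scope=app&redirect_uri=http%3A%2F%2Fssmartthings.appspot.com"
)


def redirect_uri_allowed(authorize_url):
    """Accept the request only if redirect_uri exactly equals a URI registered for the client."""
    params = parse_qs(urlsplit(authorize_url).query)
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    if client_id is None or redirect_uri is None:
        return False
    # Exact string comparison: no prefix, suffix or host-only matching, so a caller
    # cannot substitute another host (open redirect), append a path, or downgrade to http.
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize_decision(authorize_url):
    """What the endpoint should do with the request: issue a code, or refuse to redirect at all."""
    return "issue_code" if redirect_uri_allowed(authorize_url) else "refuse_without_redirect"


if __name__ == "__main__":
    print(authorize_decision(SLIDE_AUTHORIZE_URL))
```

Refusing without redirecting matters: sending the user on to an unregistered redirect_uri with an error would still make the endpoint an open redirector.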
Door Lock Pincode Snooping Attack
[Sequence diagram: the Lock Code Manager App issues setCode('5500'); the SmartThings Hub forwards it to the ZWave Lock Device Handler as the ZWave commands zwave.userCodeV1.userCodeSet and zwave.userCodeV1.userCodeGet; the lock's ZWave reports come back and the device handler raises a codeReport event; the Battery Monitor App has called subscribe('codeReport') [possible due to overprivilege] and receives the pincode.]
Summary
• First look at the security design of a programmable smart home platform: Samsung SmartThings; challenge: black-box cloud system
• Two security design issues:
  • Overprivilege: coarse-grained capabilities, and coarse SmartApp-SmartDevice binding
  • Insecure events: apps do not need special privileges to access sensitive info
• Empirical analysis: 55% of apps do not use all operations their capabilities imply; 43% get capabilities they did not explicitly request
• Four PoC attacks that combine various security design issues; these attacks are device independent, and long-range
• Security improvements: notified SmartThings in Dec 2015; improvements in vetting process and developer best practices for Groovy strings (Apr 2016); discussion on improvements to capability system (May 2016)
Security Analysis of Emerging Smart Home Applications
https://iotsecurity.eecs.umich.edu, Earlence Fernandes
Discussion
1. Smart home or dumb security risk?
2. How should we redesign the system?
3. Make the programmable frameworks open source?
4. Videos? https://iotsecurity.eecs.umich.edu