{"title":"Security Analysis of Device Binding for IP-based IoT Devices","authors":"Jiongyi Chen, Menghan Sun, Kehuan Zhang","doi":"10.1109/PERCOMW.2019.8730580","DOIUrl":null,"url":null,"abstract":"As one of the fastest growing technologies today, the Internet of Things has profoundly changed the ways people interact with the physical world. With a mobile application on a smartphone, a user can conveniently control an IoT device and acquire the sensor data of the external environment. To enable such convenience, a critical step is to bind the user's smartphone with the IoT device and then establish a secure communication channel between them. Although various techniques have already been adopted, however, little has been done so far to systematically evaluate the security implications of those binding mechanisms in IoT. In this paper, we report the first systematic study on device binding mechanisms of IoT, in an attempt to understand the security implications. For this purpose, we defined a practical adversary model and systematically investigated 24 popular IoT products on the consumer market. Our investigation reveals the fact that IoT developers often mistrust the environment and do not follow best practices in device binding. As a result, we were able to launch several types of real-world attacks against the device binding process. 
Our research brings the insecure designs of device binding to the spotlight and shows that the threat to IoT device binding is realistic and serious.","PeriodicalId":437017,"journal":{"name":"2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops)","volume":"136 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/PERCOMW.2019.8730580","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 7
Abstract
As one of the fastest growing technologies today, the Internet of Things has profoundly changed the ways people interact with the physical world. With a mobile application on a smartphone, a user can conveniently control an IoT device and acquire the sensor data of the external environment. To enable such convenience, a critical step is to bind the user's smartphone with the IoT device and then establish a secure communication channel between them. Although various techniques have already been adopted, little has been done so far to systematically evaluate the security implications of those binding mechanisms in IoT. In this paper, we report the first systematic study on device binding mechanisms of IoT, in an attempt to understand the security implications. For this purpose, we defined a practical adversary model and systematically investigated 24 popular IoT products on the consumer market. Our investigation reveals the fact that IoT developers often mistrust the environment and do not follow best practices in device binding. As a result, we were able to launch several types of real-world attacks against the device binding process. Our research brings the insecure designs of device binding to the spotlight and shows that the threat to IoT device binding is realistic and serious.