After Everything is Connected: A Client Certificate-Oriented Perspective of IoT Device Security Analysis

Abstract

In the IoT era, more and more devices of different types and functions are connected to the network. However, smart devices are bringing about increasingly serious security problems. Although some giants or well-known equipment manufacturers have introduced the transport layer security protocol as a secure transmission mechanism, they are still missing tens of thousands in specific practices. In this paper, we provide a client certificates-oriented perspective on the security analysis of IoT devices, which proves that although the TLS protocol is used, it is still not enough to ensure security. We utilized our self-developed passive traffic-based client certificate collection tool to conduct extensive TLS certificate collection on the ISP-level network CSTNET. We use the keywords already collected to filter out certificates related to IoT smart devices from these certificates, and analyze the security issues that exist. We designed an active crawling subsystem, put the keywords that identify the manufacturer in the certificate into the Internet to crawl its homepage, and use the characteristics of page elements to dig out unknown IoT smart devices, and conduct research on the issue of its certificate. It turns out that more needs to be done to meet the advanced security requirements in practice and deployment.