{"title":"Through the Spyglass: Towards IoT Companion App Man-in-the-Middle Attacks","authors":"T. OConnor, D. Jessee, Daniel Campos","doi":"10.1145/3474718.3474729","DOIUrl":null,"url":null,"abstract":"The lack of mature development in smart home companion applications complicates Internet of Things (IoT) security and privacy. Companion applications offer transparency and control for smart home devices that otherwise lack displays or interfaces. We access our smart home devices through a distributed communication architecture that seamlessly integrates smart home devices, cloud-based servers, and our mobile devices. This paper seeks to better understand IoT security and privacy by studying the design flaws of this distributed communications channel for smart home devices. To understand this, we then assess the vulnerability of 20 popular smart home vendors to this attack. Our analysis discovers pervasive failures in the distributed communications channels across 16 different vendors. A successful attack allows adversaries to conceal device users, manipulate the state of locks, spoof camera images, and manipulate history log files. 
While our work uncovers pervasive failures, vendors can take measures to improve confidentiality and integrity in smart home devices and their applications.","PeriodicalId":128435,"journal":{"name":"Proceedings of the 14th Cyber Security Experimentation and Test Workshop","volume":"29 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 14th Cyber Security Experimentation and Test Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3474718.3474729","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 8
Abstract
The lack of mature development in smart home companion applications complicates Internet of Things (IoT) security and privacy. Companion applications offer transparency and control for smart home devices that otherwise lack displays or interfaces. We access our smart home devices through a distributed communication architecture that seamlessly integrates smart home devices, cloud-based servers, and our mobile devices. This paper seeks to better understand IoT security and privacy by studying the design flaws of this distributed communications channel for smart home devices. To understand this, we then assess the vulnerability of 20 popular smart home vendors to this attack. Our analysis discovers pervasive failures in the distributed communications channels across 16 different vendors. A successful attack allows adversaries to conceal device users, manipulate the state of locks, spoof camera images, and manipulate history log files. While our work uncovers pervasive failures, vendors can take measures to improve confidentiality and integrity in smart home devices and their applications.