A black-box assessment of authentication and reliability in consumer IoT devices

IF 3 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Sara Lazzaro, Vincenzo De Angelis, Anna Maria Mandalari, Francesco Buccafurri
Journal Article. Pervasive and Mobile Computing, volume 110, Article 102045. Publication date: 2025-04-08. DOI: 10.1016/j.pmcj.2025.102045. URL: https://www.sciencedirect.com/science/article/pii/S1574119225000343
Citations: 0

Abstract

In the context of consumer Internet of Things (IoT) devices, the identification of vulnerabilities is becoming increasingly relevant. In this paper, we propose a scalable black-box assessment methodology for identifying authentication and reliability issues in IoT devices without the need for prior knowledge of device models or communication protocols. Our methodology consists of a suite of five black-box tests focusing on two specific aspects: authentication and reliability. One of these tests required the development of a tool, called REPLIOT, specifically aimed at discovering replay attacks on the local network. To the best of our knowledge, the development of such a tool is a significant contribution, as there was no similar tool previously available in the literature. We applied these tests to a testbed consisting of 51 consumer IoT devices. Our experiments reveal that 88% of the tested devices fail at least one of the proposed tests. Further manual investigation reveals severe implications of these results in terms of privacy, security, and reliability. Our findings underline a strong need to improve the security practices of consumer IoT devices to minimize these potential risks and protect smart home environments.
Source journal: Pervasive and Mobile Computing (COMPUTER SCIENCE, INFORMATION SYSTEMS-TELECOMMUNICATIONS)
CiteScore: 7.70
Self-citation rate: 2.30%
Articles published: 80
Review time: 68 days
Journal description: As envisioned by Mark Weiser as early as 1991, pervasive computing systems and services have truly become integral parts of our daily lives. Tremendous developments in a multitude of technologies ranging from personalized and embedded smart devices (e.g., smartphones, sensors, wearables, IoTs, etc.) to ubiquitous connectivity, via a variety of wireless mobile communications and cognitive networking infrastructures, to advanced computing techniques (including edge, fog and cloud) and user-friendly middleware services and platforms have significantly contributed to the unprecedented advances in pervasive and mobile computing. Cutting-edge applications and paradigms have evolved, such as cyber-physical systems and smart environments (e.g., smart city, smart energy, smart transportation, smart healthcare, etc.) that also involve humans in the loop through social interactions and participatory and/or mobile crowd sensing, for example. The goal of pervasive computing systems is to improve human experience and quality of life, without explicit awareness of the underlying communications and computing technologies. The Pervasive and Mobile Computing Journal (PMC) is a high-impact, peer-reviewed technical journal that publishes high-quality scientific articles spanning theory and practice, and covering all aspects of pervasive and mobile computing and systems.