On the Data Privacy, Security, and Risk Postures of IoT Mobile Companion Apps

Neupane, Shradha; Tazi, Faiza; Paudel, Upakar; Baez, Freddy Freddy Veloz; Adamjee, Merzia; Carli, Lorenzo De; Das, Sanchari; Ray, Indrakshi

doi:10.2139/ssrn.4121997

Cited by 1 publication

(2 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This work differs from ours because the authors only investigate known CVEs that do not include the DFU attacks in our work. Neupane et al [51] utilize existing tools to perform a security analysis of IoT apps. Neupane et al find privacy policy violations and vulnerabilities such as TLS misconfigurations.…”

Section: Related Workmentioning

confidence: 99%

“…As a result, an increasing number of IoT devices are showing up in different settings, ranging from corporate networks [20] to short-term rentals such as Airbnb [49]. Thus, researchers are actively studying the security and privacy concerns imposed by the adoption of these devices [27], [28], [30], [40], [41], [43]- [45], [51], [67], [71], [74], [76], [80], [83]- [85], [88].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

AoT - Attack on Things: A security analysis of IoT firmware updates

Ibrahim,

Continella,

Bianchi

2023

2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

IoT devices implement firmware update mechanisms to fix security issues and deploy new features. These mechanisms are often triggered and mediated by mobile companion apps running on the users' smartphones. While it is crucial to update devices, these mechanisms may cause critical security flaws if they are not implemented correctly. Given their relevance, in this paper, we perform a systematic security analysis of the firmware update mechanisms adopted by IoT devices via their companion apps. First, we define a threat model for IoT firmware updates, and we categorize the different potential security issues affecting them. Then, we analyze 23 popular IoT devices (and corresponding companion apps) to identify vulnerable devices and the SDKs that such devices use to implement the update functionality. Our analysis reveals that 6 popular SDKs present dangerous security flaws. Additionally, we fingerprint each vulnerable SDK and we leverage our fingerprints to perform a largescale analysis of companion apps from the Google Play Store. Our results show that 61 popular devices and 1,356 apps rely on vulnerable SDKs, thus, they potentially adopt an insecure firmware update mechanism.

show abstract

Section: Related Workmentioning

confidence: 99%