Static analysis for discovering IoT vulnerabilities

Ferrara, Pietro; Mandal, Amit Kr; Cortesi, Agostino; Spoto, Fausto

doi:10.1007/s10009-020-00592-x

Cited by 43 publications

(20 citation statements)

References 44 publications

(54 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(i) Weak, guessable, or hardcoded passwords: To get access to a system, a user must utilize credentials that are readily brute-forced, publicly accessible, or impossible to modify [284][285][286]. Credentials that are both hardcoded and integrated into IoT devices constitute a threat to both IT systems and the IoT itself.…”

Section: Vulnerabilities In Iotmentioning

confidence: 99%

Machine and Deep Learning for IoT Security and Privacy: Applications, Challenges, and Future Directions

Bharati

Podder

2022

Security and Communication Networks

View full text Add to dashboard Cite

The integration of the Internet of Things (IoT) connects a number of intelligent devices with minimum human interference that can interact with one another. IoT is rapidly emerging in the areas of computer science. However, new security problems are posed by the cross-cutting design of the multidisciplinary elements and IoT systems involved in deploying such schemes. Ineffective is the implementation of security protocols, i.e., authentication, encryption, application security, and access network for IoT systems and their essential weaknesses in security. Current security approaches can also be improved to protect the IoT environment effectively. In recent years, deep learning (DL)/machine learning (ML) has progressed significantly in various critical implementations. Therefore, DL/ML methods are essential to turn IoT system protection from simply enabling safe contact between IoT systems to intelligence systems in security. This review aims to include an extensive analysis of ML systems and state-of-the-art developments in DL methods to improve enhanced IoT device protection methods. On the other hand, various new insights in machine and deep learning for IoT securities illustrate how it could help future research. IoT protection risks relating to emerging or essential threats are identified, as well as future IoT device attacks and possible threats associated with each surface. We then carefully analyze DL and ML IoT protection approaches and present each approach’s benefits, possibilities, and weaknesses. This review discusses a number of potential challenges and limitations. The future works, recommendations, and suggestions of DL/ML in IoT security are also included.

show abstract

Section: Vulnerabilities In Iotmentioning

confidence: 99%

Machine and Deep Learning for IoT Security and Privacy: Applications, Challenges, and Future Directions

Bharati

Podder

2022

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Various security vulnerabilities are reported in the built-in authentication mechanism in IoT devices such as weak, guessable, or hardcoded passwords, insecure ecosystem interfaces, lack of firmware validation on device, insecure network services, insecure default settings, and so forth [4]. Hence, the built-in mechanism is not reliable.…”

Section: Research Contributionsmentioning

confidence: 99%

“…In an attempt to partially fulfill these requirements, some IoT device manufacturers made IoT device products with built-in authentication mechanism. However, several security vulnerabilities are disclosed in the firmware implementation of authentication in IoT such as weak, guessable, or hardcoded passwords leading to unauthorized access, insecure ecosystem interfaces resulting to lack of authentication/authorization or weak encryption (broken authentication), lack of firmware validation on device, insecure network services, insecure default settings that may allow the operators to modify the configurations, and so on [4]. Hence, the built-in authentication mechanism in IoT Extended author information available on the last page of the article devices is not reliable.…”

Section: Introductionmentioning

confidence: 99%

SUACC-IoT: secure unified authentication and access control system based on capability for IoT

Sivaselvan

Rajarajan

et al. 2022

Cluster Comput

View full text Add to dashboard Cite

With the widespread use of Internet of Things (IoT) in various applications and several security vulnerabilities reported in them, the security requirements have become an integral part of an IoT system. Authentication and access control are the two principal security requirements for ensuring authorized and restricted accesses to limited and essential resources in IoT. The built-in authentication mechanism in IoT devices is not reliable, because several security vulnerabilities are revealed in the firmware implementation of authentication protocols in IoT. On the other hand, the current authentication approaches for IoT that are not firmware are vulnerable to some security attacks prevalent in IoT. Moreover, the recent access control approaches for IoT have limitations in context-awareness, scalability, interoperability, and security. To mitigate these limitations, there is a need for a robust authentication and access control system to safeguard the rapidly growing number of IoT devices. Consequently, in this paper, we propose a new secure unified authentication and access control system for IoT, called SUACC-IoT. The proposed system is based around the notion of capability, where a capability is considered as a token containing the access rights for authorized entities in the network. In the proposed system, the capability token is used to ensure authorized and controlled access to limited resources in IoT. The system uses only lightweight Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), symmetric key encryption/decryption, message authentication code and cryptographic hash primitives. SUACC-IoT is proved to be secure against probabilistic polynomial-time adversaries and various attacks prevalent in IoT. The experimental results demonstrate that the proposed protocol's maximum CPU usage is 29.35%, maximum memory usage is 2.79% and computational overhead is 744.5 ms which are quite acceptable. Additionally, in SUACC-IoT, a reasonable communication cost of 872 bits is incurred for the longest message exchanged.

show abstract

“…Mamun et al [22] worked on cryptography applicable to IoT by analyzing lightweight symmetric encryption algorithms such as CLEFIA and TRIVIUM. Pietro et al [23] statically analyzed web applications used in IoT. They discussed top 10 vulnerabilities in The Open Web Application Security Project (IoT 2018) and how these can be exploited.…”

Section: Related Workmentioning

confidence: 99%

Eavesdropping Vulnerability and Countermeasure in Infrared Communication for IoT Devices

Kim

Suh

2021

Sensors

View full text Add to dashboard Cite

Infrared (IR) communication is one of the wireless communication methods mainly used to manipulate consumer electronics devices. Traditional IR devices support only simple operations such as changing TV channels. These days, consumer electronic devices such as smart TV are connected to the internet with the introduction of IoT. Thus, the user’s sensitive information such as credit card number and/or personal information could be entered with the IR remote. This situation raises a new problem. Since TV and the set-top box are visual media, these devices can be used to control and/or monitor other IoT devices at home. Therefore, personal information can be exposed to eavesdroppers. In this paper, we experimented with the IR devices’ reception sensitivity using remotes. These experiments were performed to measure the IR reception sensitivity in terms of distance and position between the device and the remote. According to our experiments, the transmission distance of the IR remote signal is more than 20 m. The experiments also revealed that curtains do not block infrared rays. Consequently, eavesdropping is possible to steal the user’s sensitive information. This paper proposes a simple, practical, and cost-effective countermeasure against eavesdropping, which does not impose any burden on users. Basically, encryption is used to prevent the eavesdropping. The encryption key is created by recycling a timer inside the microcontroller typically integrated in a remote. The key is regenerated whenever the power button on a remote is pressed, providing the limited lifecycle of the key. The evaluation indicates that the XOR-based encryption is practical and effective in terms of the processing time and cost.

show abstract

Static analysis for discovering IoT vulnerabilities

Cited by 43 publications

References 44 publications

Machine and Deep Learning for IoT Security and Privacy: Applications, Challenges, and Future Directions

Machine and Deep Learning for IoT Security and Privacy: Applications, Challenges, and Future Directions

SUACC-IoT: secure unified authentication and access control system based on capability for IoT

Eavesdropping Vulnerability and Countermeasure in Infrared Communication for IoT Devices

Contact Info

Product

Resources

About