713 research outputs found
Understanding IoT Security Through the Data Crystal Ball: Where We Are Now and Where We Are Going To Be
Inspired by the boom of the consumer IoT market, many device manufacturers, new start-up companies and technology behemoths have jumped into the space. Indeed, in a span of less than 5 years, we have experienced the manifestation of an array of solutions for the smart home, smart cities and even smart cars. Unfortunately, the exciting utility and rapid marketization of IoTs, come at the expense of privacy and security. Online and industry reports, and academic work have revealed a number of attacks on IoT systems, resulting in privacy leakage, property loss and even large-scale availability problems on some of the most influential Internet services (e.g. Netflix, Twitter). To mitigate such threats, a few new solutions have been proposed. However, it is still less clear what are the impacts they can have on the IoT ecosystem. In this work, we aim to perform a comprehensive study on reported attacks and defenses in the realm of IoTs aiming to find out what we know, where the current studies fall short and how to move forward. To this end, we first build a toolkit that searches through massive amount of online data using semantic analysis to identify over 3000 IoT-related articles (papers, reports and news). Further, by clustering such collected data using machine learning technologies, we are able to compare academic views with the findings from industry and other sources, in an attempt to understand the gaps between them, the trend of the IoT security risks and new problems that need further attention. We systemize this process, by proposing a taxonomy for the IoT ecosystem and organizing IoT security into five problem areas. We use this taxonomy as a beacon to assess each IoT work across a number of properties we define. Our assessment reveals that despite the acknowledged and growing concerns on IoT from both industry and academia, relevant security and privacy problems are far from solved. We discuss how each proposed solution can be applied to a problem area and highlight their strengths, assumptions and constraints. We stress the need for a security framework for IoT vendors and discuss the trend of shifting security liability to external or centralized entities. We also identify open research problems and provide suggestions towards a secure IoT ecosystem
Securing the Internet of Healthcare
Cybersecurity, which includes the security of information technology (IT), is critical to ensuring that society trusts, and therefore can benefit from, modern technology. Problematically, though, rarely a day goes by without a news story related to how critical data has been exposed, exfiltrated, or otherwise inappropriately used or accessed as a result of supply chain vulnerabilities. From the Russian government’s campaign to influence the 2016 U.S. presidential election to the September 2017 Equifax breach of more than 140 million Americans’ credit reports, cyber risk has become a topic of conversation in boardrooms and the White House, on Wall Street and main street. But these discussions often miss the problems replete in the expansive supply chains on which many of these products and services we depend on are built; this is particularly true in the medical device context. The problem recently made national news with the voluntary recall of more than 400,000 pacemakers that were found to be vulnerable to hackers, necessitating a firmware update. This Article explores the myriad vulnerabilities in the supply chain for medical devices, investigates existing FDA cybersecurity and privacy regulations to identify any potential governance gaps, and suggests a path forward to boost cybersecurity due diligence for manufacturers by making use of new approaches and technologies, including blockchain
Securing the Internet of Healthcare
Cybersecurity, including the security of information technology (IT), is a critical requirement in ensuring society trusts, and therefore can benefit from, modern technology. Problematically, though, rarely a day goes by without a news story related to how critical data has been exposed, exfiltrated, or otherwise inappropriately used or accessed as a result of supply chain vulnerabilities. From the Russian government\u27s campaign to influence the 2016 U.S. presidential election to the September 2017 Equifax breach of more than 140-million Americans\u27 credit reports, mitigating cyber risk has become a topic of conversation in boardrooms and the White House, on Wall Street and Main Street. But oftentimes these discussions miss the problems replete in the often-expansive supply chains on which many of these products and services we depend on are built; this is particularly true in the medical device context. The problem recently made national news with the FDA-mandated recall of more than 400,000 pacemakers that were found to be vulnerable to hackers necessitating a firmware update. This Article explores the myriad vulnerabilities in the supply chain for medical devices, investigates existing FDA cybersecurity and privacy regulations to identify any potential governance gaps, and suggests a path forward to boost cybersecurity due diligence for manufacturers by making use of new approaches and technologies, including blockchain
Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions
For parents of young children and adolescents, the digital age has introduced
many new challenges, including excessive screen time, inappropriate online
content, cyber predators, and cyberbullying. To address these challenges, many
parents rely on numerous parental control solutions on different platforms,
including parental control network devices (e.g., WiFi routers) and software
applications on mobile devices and laptops. While these parental control
solutions may help digital parenting, they may also introduce serious security
and privacy risks to children and parents, due to their elevated privileges and
having access to a significant amount of privacy-sensitive data. In this paper,
we present an experimental framework for systematically evaluating security and
privacy issues in parental control software and hardware solutions. Using the
developed framework, we provide the first comprehensive study of parental
control tools on multiple platforms including network devices, Windows
applications, Chrome extensions and Android apps. Our analysis uncovers
pervasive security and privacy issues that can lead to leakage of private
information, and/or allow an adversary to fully control the parental control
solution, and thereby may directly aid cyberbullying and cyber predators
Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
A Bluetooth finder is a small battery-powered device that can be attached to
important items such as bags, keychains, or bikes. The finder maintains a
Bluetooth connection with the user's phone, and the user is notified
immediately on connection loss. We provide the first comprehensive security and
privacy analysis of current commercial Bluetooth finders. Our analysis reveals
several significant security vulnerabilities in those products concerning
mobile applications and the corresponding backend services in the cloud. We
also show that all analyzed cloud-based products leak more private data than
required for their respective cloud services.
Overall, there is a big market for Bluetooth finders, but none of the
existing products is privacy-friendly. We close this gap by designing and
implementing PrivateFind, which ensures locations of the user are never leaked
to third parties. It is designed to run on similar hardware as existing
finders, allowing vendors to update their systems using PrivateFind.Comment: WiSec '2
Do Androids Dream of Electric Sheep? On Privacy in the Android Supply Chain
The Android Open Source Project (AOSP) was first released by Google in 2008 and
has since become the most used operating system [Andaf]. Thanks to the openness
of its source code, any smartphone vendor or original equipment manufacturer
(OEM) can modify and adapt Android to their specific needs, or add proprietary features
before installing it on their devices in order to add custom features to differentiate themselves
from competitors. This has created a complex and diverse supply chain, completely opaque to
end-users, formed by manufacturers, resellers, chipset manufacturers, network operators, and
prominent actors of the online industry that partnered with OEMs. Each of these stakeholders
can pre-install extra apps, or implement proprietary features at the framework level.
However, such customizations can create privacy and security threats to end-users. Preinstalled
apps are privileged by the operating system, and can therefore access system APIs
or personal data more easily than apps installed by the user. Unfortunately, despite these
potential threats, there is currently no end-to-end control over what apps come pre-installed
on a device and why, and no traceability of the different software and hardware components
used in a given Android device. In fact, the landscape of pre-installed software in Android and
its security and privacy implications has largely remained unexplored by researchers.
In this thesis, I investigate the customization of Android devices and their impact on the
privacy and security of end-users. Specifically, I perform the first large-scale and systematic
analysis of pre-installed Android apps and the supply chain. To do so, I first develop an app,
Firmware Scanner [Sca], to crowdsource close to 34,000 Android firmware versions from 1,000
different OEMs from all over the world. This dataset allows us to map the stakeholders involved
in the supply chain and their relationships, from device manufacturers and mobile network operators
to third-party organizations like advertising and tracking services, and social network
platforms. I could identify multiple cases of privacy-invasive and potentially harmful behaviors.
My results show a disturbing lack of transparency and control over the Android supply
chain, thus showing that it can be damageable privacy- and security-wise to end-users.
Next, I study the evolution of the Android permission system, an essential security feature of the Android framework. Coupled with other protection mechanisms such as process sandboxing,
the permission system empowers users to control what sensitive resources (e.g., user
contacts, the camera, location sensors) are accessible to which apps. The research community
has extensively studied the permission system, but most previous studies focus on its limitations
or specific attacks. In this thesis, I present an up-to-date view and longitudinal analysis
of the evolution of the permissions system. I study how some lesser-known features of the
permission system, specifically permission flags, can impact the permission granting process,
making it either more restrictive or less. I then highlight how pre-installed apps developers
use said flags in the wild and focus on the privacy and security implications. Specifically, I
show the presence of third-party apps, installed as privileged system apps, potentially using
said features to share resources with other third-party apps.
Another salient feature of the permission system is its extensibility: apps can define their
own custom permissions to expose features and data to other apps. However, little is known
about how widespread the usage of custom permissions is, and what impact these permissions
may have on users’ privacy and security. In the last part of this thesis, I investigate the exposure
and request of custom permissions in the Android ecosystem and their potential for opening
privacy and security risks. I gather a 2.2-million-app-large dataset of both pre-installed and
publicly available apps using both Firmware Scanner and purpose-built app store crawlers.
I find the usage of custom permissions to be pervasive, regardless of the origin of the apps,
and seemingly growing over time. Despite this prevalence, I find that custom permissions are
virtually invisible to end-users, and their purpose is mostly undocumented. While Google recommends
that developers use their reverse domain name as the prefix of their custom permissions
[Gpla], I find widespread violations of this recommendation, making sound attribution
at scale virtually impossible. Through static analysis methods, I demonstrate that custom permissions
can facilitate access to permission-protected system resources to apps that lack those
permissions, without user awareness. Due to the lack of tools for studying such risks, I design
and implement two tools, PermissionTracer [Pere] and PermissionTainter [Perd] to study
custom permissions. I highlight multiple cases of concerning use of custom permissions by
Android apps in the wild.
In this thesis, I systematically studied, at scale, the vast and overlooked ecosystem of preinstalled
Android apps. My results show a complete lack of control of the supply chain which
is worrying, given the huge potential impact of pre-installed apps on the privacy and security
of end-users. I conclude with a number of open research questions and future avenues for
further research in the ecosystem of the supply chain of Android devices.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en IngenierĂa Telemática por la Universidad Carlos III de MadridPresidente: Douglas Leith.- Secretario: RubĂ©n Cuevas RumĂn.- Vocal: Hamed Haddad
Static analysis for discovering IoT vulnerabilities
The Open Web Application Security Project (OWASP), released the \u201cOWASP Top 10 Internet of Things 2018\u201d list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some existing Julia\u2019s analyses and their extension to IoT systems, showing its effectiveness of the analysis of some representative case studies
- …