Characterizing the Security Facets of IoT Device Setup

Characterizing the Security Facets of IoT Device Setup

연구 분야: Analysis

학회: IMC '24: Proceedings of the 2024 ACM on Internet Measurement Conference

In this work, we characterize the potential information leakage from IoT platforms during their setup phase. Setup involves an IoT device, its ''app'', and a cloud-based service. We assume that the on-device firmware is inaccessible, e.g., read-protected. We focus on the combination of information that can be extracted from analyzing the app and the local communication between the app and the IoT device. An attacker can trivially obtain the app, analyze its operation, and potentially eavesdrop on the wireless communication occurring during the setup phase. We develop a semi-automated general methodology involving off-the-shelf tools to examine information disclosure during the setup phase. We tested our methodology on twenty commodity-grade IoT devices. The outcome reveals a wide range of device-dependent choices for encryption at various layers and the potential for exposure of, among other things, device-identifying information and local networking (WiFi) credentials. Our methodology contributes towards a means to assess and ''certify'' IoT devices.