Skip to main content

Selective Forwarding Attack on IoT Home Security Kits

Hariri, Ali, Giannelos, Nicolas, Arief, Budi (2019) Selective Forwarding Attack on IoT Home Security Kits. In: Springer LNCS Proceedings, 2nd International Workshop on Attacks and Defenses for Internet-of-Things (ADIoT 2019). . (In press) (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided)

PDF - Author's Accepted Manuscript
Restricted to Repository staff only
Contact us about this Publication Download (514kB)
[img]

Abstract

Efforts have been made to improve the security of the Internet of Things (IoT) devices, but there remain some vulnerabilities and misimplementations. This paper describes a new threat to home security devices in which an attacker can disable all functionality of a device, but to the device’s owner, everything still appears to be operational. We targeted home security devices because their security is critical as people may rely on them to protect their homes. In particular, we exploited a feature called “heartbeat”, which is exchanged between the devices and the cloud in order to check that the devices are still connected. Even though network traffic was encrypted, we successfully identified the heartbeats due to their fixed size and periodic nature. Thereafter, we established a man-in-the-middle attack between the device and the cloud and selectively forwarded heartbeats while filtering out other traffic. As a result, the device appears to be still connected (because the heartbeat traffic is being allowed through), while in reality the device’s functionality is disabled (because non-heartbeat traffic is being filtered out). We applied this exploit on a set of six devices, and five were found to be vulnerable. Consequently, an intruder can use this exploit to disable a home security device and break into a house without the awareness of the owner. We carried out a responsible disclosure exercise with the manufacturers of the affected devices, but the response has been limited. This shows that IoT security is still not taken completely seriously and many threats are still undiscovered. Finally, we provide some recommendations on how to detect and prevent the threats posed by insecure IoT devices, which ironically include IoT home security kits.

Item Type: Conference or workshop item (Proceeding)
Uncontrolled keywords: IoT · Security · Attack · Off-the-shelf Devices · Heartbeats · Selective Forwarding · SSL/TLS · WPA2
Divisions: Faculties > Sciences > School of Computing
Depositing User: Budi Arief
Date Deposited: 20 Aug 2019 09:41 UTC
Last Modified: 21 Aug 2019 03:10 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/75895 (The current URI for this page, for reference purposes)
Arief, Budi: https://orcid.org/0000-0002-1830-1587
  • Depositors only (login required):

Downloads

Downloads per month over past year