DISCOVERING SECURITY WEAKNESSES IN IOT DEVICE SETUP

Abstract

This study provides the first comprehensive analysis of potential information leakage occurring during Internet-of-Things (IoT) device setup. The setup process involves communication between IoT devices, vendor applications, and cloud services. We sample a total of 20 off-the-shelf “smart home” IoT devices from various IoT vendors, putting them under the setup process and examining their potential sensitive information leakage. We adopt a threat model in which we assume the attackers do not have physical access to the devices or even access to the same model devices. We develop a methodology by combining the vendors’ publicly available “app” executable and the sniffed over-the-air (OTA) network traffic. This is the same type of information that an attacker can access and/or acquire. We demonstrate that it is possible to harvest potentially sensitive information communicated during the setup process using our methodology. The result shows that two-thirds of the tested IoT devices expose at least one type of sensitive information, including unique device identifiers, app login credentials, and users’ home network WiFi credentials during the setup. Moreover, by taking the harvested sensitive information, we show the potential of executing a chain of attacks, e.g., allowing attackers to control victim devices in an unauthenticated manner, and we successfully execute the attacks on three of the tested devices. Thus, the propose methodology offers a foundation for assessing IoT device setup security and can be used to establish a benchmark of the information disclosure risks associated with IoT devices in general.