21 |
Ethical Hacking of a Smart IoT Camera : A Penetration Test on D-Link DCS 8515-LH Smart Camera / Etisk hackning av en smart IoT-Kamera : Ett Penetrationstest på D-Link DCS 8515-LH Smart KameraZhuang, Chunyu January 2023 (has links)
The trending usage of IoT devices raises serious security concerns. IoT devices have complete access to users’ network environments. In the eyes of hackers, the value of IoT devices is exceptionally high. From minor disturbances to major crimes, all could happen in no time with compromised IoT devices. As the IoT devices collects sensitive data, properly protect users’ privacy is also a crucial aspect for IoT devices. Thus, IoT devices need to be secure enough against modern cyber-attacks. In this work, a smart camera DCS-8515LH from D-Link is under penetration tests. Threat modeling is first performed as an analysis of the IoT system following by a dozen cyber attacks targeting this smart camera. The penetration tests provide valuable information that can reveal the smart camera’s vulnerability and weakness, such as security misconfiguration, vulnerability to DoS attacks. The smart camera is discovered to be vulnerable to DoS attacks and exploits on the zero-configuration protocol. Several weaknesses which violate the users’ privacy exist in the mobile application and Android storage system. This work evaluated all the vulnerabilities and weaknesses discovered from a security aspect. This report exposes attacks that are effective on the smart camera and also serves as a fundamental basis for future penetration tests on this smart camera. / I detta arbete är en smart kamera DCS-8515LH från D-Link under penetrationstester. Hotmodellering utförs först som en analys av IoT-systemet följt av ett dussin cyberattacker riktade mot denna smarta kamera. Penetrationstesterna ger värdefull information som kan avslöja den smarta kamerans sårbarhet och svaghet, såsom säkerhetsfelkonfiguration, sårbarhet för Dos-attacker. Den smarta kameran har upptäckts vara sårbar för DoS-attacker och utnyttjande av nollkonfigurationsprotokollet. Flera svagheter som kränker användarnas integritet finns i mobilapplikationen och Android-lagringssystemet. Detta arbete utvärderade alla sårbarheter och svagheter som upptäckts ur en säkerhetsaspekt. Den här rapporten avslöjar attacker som är effektiva på den smarta kameran och fungerar också som en grundläggande bas för framtida penetrationstester på denna smarta kamera.
|
22 |
Security and Privacy Concerns for IoTAdoption : A User PerspectiveMazvimba, Dennis January 2022 (has links)
The Internet of Things (IoT) is one of the most rapidly evolving technologies aroundthe globe that has changed the way people live due to the benefits that comes with itsadoption. However, they have been associated with privacy and security risks. Witha focus on technical mechanisms and a lack of attention to consumer concerns over along time, it is unsurprising that manufacturers lack an understanding of consumersecurity and privacy concerns. While there has been significant empirical researchwarranting consumer concerns, their perceptions remain afoot.The purpose of this study is to understand the consumer privacy and securityperceptions associated with adoption of IoT devices within a smart home. Without an understanding of the consumer perceptions on privacy and security issues, manu-facturers may not address these issues which may hinder the adoption of IoT. While a significant number of studies have shown the privacy and security issues surrounding IoT devices, they have only extended to technical issues, mostly from the manufac-turer’s perspective. Since security is a complex issue involving several stakeholders, these studies cannot be applied from a consumer perspective.In this study we adopt an interpretive philosophical orientation and a qualitativeapproach. In depth interviews are used to collect data from smart homeowners,investigating their perceptions of smart home privacy issues. We have identified threesignificant recurring themes that need to be addressed: ethical and regulatory issues,information control and ownership, and technology design issues.
|
23 |
Ethical Hacking of a Smart PlugAchkoudir, Rami, Alsaadi, Zainab January 2021 (has links)
The number of Internet of Things (IoT) devices is growing rapidly which introduces plenty of new challenges concerning the security of these devices. This thesis aims to contribute to a more sustainable IoT environment by evaluating the security of a smart plug. The DREAD and STRIDE methods were used to assess the potential threats and the threats with the highest potential impact were penetration tested in order to test if there were any security preventions in place. The results from the penetration tests presented no major vulnerabilities which bring us to the conclusion that the Nedis Smart Plug has implemented enough security measures. / Antalet Internet of Things (IoT) -enheter växer snabbt vilket medför många nya utmaningar när det gäller säkerheten för dessa enheter. Denna avhandling syftar till att bidra till en mer hållbar IoT-miljö genom att utvärdera säkerheten för en smart plug. Metoderna DREAD och STRIDE användes för att bedöma de potentiella hoten och hoten med störst potentiell påverkan penetrerades för att testa om det fanns några säkerhetsförebyggande åtgärder. Resultaten från penetrationstesterna presenterade inga större sårbarheter som ledde oss till slutsatsen att Nedis Smart Plug har genomfört tillräckliga säkerhetsåtgärder.
|
24 |
Exploring IoT Security Threats and Forensic Challenges: A LiteratureReview and Survey StudyAl Allaf, Abdulrahman, Totonji, Waseem January 2023 (has links)
Internet of Things (IoT) devices have increased rapidly in recent years, revolutionizing many industries, including healthcare, manufacturing, and transportation, and bringing benefits to both individuals and industries. However, this increase in IoT device usage has exposed IoT ecosystems to numerous security threats and digital forensic challenges. This thesis investigates the most common IoT security threats and attacks, students’ awareness of them and their mitigation strategies, and the key challenges associated with IoT forensic investigations. A mixed-method approach is adopted in this thesis combining a literature review and a survey study. The survey assesses students’ knowledge of IoT security threats, mitigation techniques, and perceptions of the most effective ways to enhance IoT security. The survey also emphasizes the importance of user training and awareness in mitigating IoT threats, highlighting the most effective strategies, such as stronger regulations and improved device security by manufacturers. The literature review provides a comprehensive overview of the most common IoT security threats and attacks, such as malware, malicious code injection, replay attacks, Man in the Middle (MITM), botnets, and Distributed Denial of Service Attacks (DDoS). The mitigation techniques to these threats are overviewed as well as real-world incidents and crimes, such as the Mirai botnet, St. Jude Medical implant cardiac devices hack, and the Verkada hack, are examined to understand the consequences of these attacks. Moreover, this work also highlights the definition and the process of digital and IoT forensics, the importance of IoT forensics, and different data sources in IoT ecosystems. The key challenges associated with IoT forensics and how they impact the effectiveness of digital investigations in the IoT ecosystem are examined in detail. Overall, the results of this work contribute to ongoing research to improve IoT device security, highlight the importance of increased awareness and user training, and address the challenges associated with IoT forensic investigations.
|
25 |
Building the Intelligent IoT-Edge: Balancing Security and Functionality using Deep Reinforcement LearningAnand A Mudgerikar (11791094) 19 December 2021 (has links)
<div>The exponential growth of Internet of Things (IoT) and cyber-physical systems is resulting in complex environments comprising of various devices interacting with each other and with users. In addition, the rapid advances in Artificial Intelligence are making those devices able to autonomously modify their behaviors through the use of techniques such as reinforcement learning (RL). There is thus the need for an intelligent monitoring system on the network edge with a global view of the environment to autonomously predict optimal device actions. However, it is clear however that ensuring safety and security in such environments is critical. To this effect, we develop a constrained RL framework for IoT environments that determines optimal devices actions with respect to user-defined goals or required functionalities using deep Q learning. We use anomaly based intrusion detection on the network edge to dynamically generate security and safety policies to constrain the RL agent in the framework. We analyze the balance required between ‘safety/security’ and ‘functionality’ in IoT environments by manipulating the exploration of safe and unsafe benefit state spaces in the RL framework. We instantiate the framework for testing on application layer control in smart home environments, and network layer control including network functionalities like rate control and routing, for SDN based environments.</div>
|
26 |
Achieving Compositional Security and Privacy in IoT EnvironmentsMuslum Ozgur Ozmen (18870154) 11 September 2024 (has links)
<p dir="ltr">The Internet of Things (IoT) systems include sensors that measure the physical world, actuators that influence it, and IoT apps that automate these sensors and actuators. Although IoT environments have revolutionized our lives by integrating digital connectivity into physical processes, they also introduce unique security and privacy concerns. Particularly, these systems include multiple components that are unified through the cyber and physical domains. For instance, smart homes include various devices and multiple IoT apps that control these devices. Thus, attacks against any single component can have rippling effects, amplifying due to the composite behavior of sensors, actuators, apps, and the physical environment.</p><p dir="ltr">In this dissertation, I explore the emerging security and privacy issues that arise from the complex physical interactions in IoT environments. To discover and mitigate these emerging issues, there is a need for composite reasoning techniques that consider the interplay between digital and physical domains. This dissertation addresses these challenges to build secure IoT environments and enhance user privacy with new formal techniques and systems.</p><p dir="ltr">To this end, I first describe my efforts in ensuring the safety and security of IoT en- vironments. Particularly, I introduced IoTSeer, a security service that discovers physical interaction vulnerabilities among IoT apps. I then proposed attacks that evade prior event verification systems by exploiting the complex physical interactions between IoT sensors and actuators. To address them, I developed two defenses, software patching and sensor placement, to make event verification systems robust against evasion attacks. These works provide a suite of tools to achieve compositional safety and security in IoT environments. </p><p dir="ltr">Second, I discuss my work that identifies the privacy risks of emerging IoT devices. I designed DMC-Xplorer to find vulnerabilities in voice assistant platforms and showed that an adversary can eavesdrop on privacy-sensitive device states and prevent users from controlling devices. I then developed a remote side-channel attack against intermittent devices to infer privacy-sensitive information about the environment in which they are deployed. These works highlight new privacy issues in emerging commodity devices used in IoT environments.</p>
|
27 |
Analyzing Secure and Attested Communication in Mobile DevicesMuhammad Ibrahim (19761798) 01 October 2024 (has links)
<p dir="ltr">To assess the security of mobile devices, I begin by identifying the key entities involved in their operation: the user, the mobile device, and the service or device being accessed. Users rely on mobile devices to interact with services and perform essential tasks. These devices act as gateways, enabling communication between the user and the back-end services. For example, a user may access their bank account via a banking app on their mobile device, which communicates with the bank’s back-end server. In such scenarios, the server must authenticate the user to ensure only authorized individuals can access sensitive information. However, beyond user authentication, it is crucial for connected services and devices to verify the integrity of the mobile device itself. A compromised mobile device can have severe consequences for both the user and the services involved.</p><p dir="ltr">My research focuses on examining the methods used by various entities to attest and verify the integrity of mobile devices. I conduct a comprehensive analysis of mobile device attestation from multiple perspectives. Specifically, I investigate how attestation is carried out by back-end servers of mobile apps, IoT devices controlled by mobile companion apps, and large language models (LLMs) accessed via mobile apps.</p><p dir="ltr">In the first case, back-end servers of mobile apps must attest to the integrity of the device to protect against tampered apps and devices, which could lead to financial loss, data breaches, or intellectual property theft. For instance, a music streaming service must implement strong security measures to verify the device’s integrity before transmitting sensitive content to prevent data leakage or unauthorized access.</p><p dir="ltr">In the second case, IoT devices must ensure they are communicating with legitimate companion apps running on attested mobile devices. Failure to enforce proper attestation for IoT companion apps can expose these devices to malicious attacks. An attacker could inject malicious code into an IoT device, potentially causing physical damage to the device or its surroundings, or even seizing control of the device, leading to critical safety risks, property damage, or harm to human lives.</p><p dir="ltr">Finally, in the third case, malicious apps can exploit prompt injection attacks against LLMs, leading to data leaks or unauthorized access to APIs and services offered by the LLM. These scenarios underscore the importance of secure and attested communication between mobile devices and the services they interact with.</p>
|
28 |
INTERNET OF THINGS SYSTEMS SECURITY: BENCHMARKING AND PROTECTIONNaif S Almakhdhub (8810120) 07 May 2020 (has links)
<div><p>Internet of Things (IoT) systems running on Microcontrollers (MCUS) have become a prominent target of remote attacks. Although deployed in security and safety critical domains, such systems lack basic mitigations against control-flow hijacking attacks. Attacks against IoT systems already enabled malicious takeover of smartphones, vehicles, unmanned aerial vehicles, and industrial control systems.</p></div><div><p> </p><div><p>The thesis introduces a systemic analysis of previous defense mitigations to secure IoT systems. Building off this systematization, we identify two main issues in IoT systems security. First, efforts to protect IoT systems are hindered by the lack of realistic benchmarks and evaluation frameworks. Second, existing solutions to protect from control-flow hijacking on the return edge are either impractical or have limited security guarantees. This thesis addresses these issues using two approaches. </p></div><div><p> </p></div><div><p>First, we present BenchIoT, a benchmark suite of five realistic IoT applications and an evaluation framework that enables automated and extensible evaluation of 14 metrics covering security, performance, memory usage, and energy. BenchIoT enables evaluating and comparing security mechanisms. Using BenchIoT, we show that even if two security mechanisms have similarly modest runtime overhead, one can have undesired consequences on security such as a large portion of privileged user execution.</p></div><div><p> </p></div><div><p>Second, we introduce Return Address Integrity (RAI), a novel security mechanism to prevent all control-flow hijacking attacks targeting return edges, without requiring special hardware. We design and implement μRAI to enforce the RAI property. Our results show μRAI has a low runtime overhead of 0.1% on average, and therefore is a</p></div><div><p>practical solution for IoT systems. </p></div><div><p> </p></div><div><p>This thesis enables measuring the security IoT systems through standardized benchmarks and metrics. Using static analysis and runtime monitors, it prevents control-flow hijacking attacks on return edges with low runtime overhead. Combined, this thesis advances the state-of-the-art of protecting IoT systems and benchmarking its security.</p></div></div>
|
29 |
PROGRAM ANOMALY DETECTION FOR INTERNET OF THINGSAkash Agarwal (13114362) 01 September 2022 (has links)
<p>Program anomaly detection — modeling normal program executions to detect deviations at runtime as cues for possible exploits — has become a popular approach for software security. To leverage high performance modeling and complete tracing, existing techniques however focus on subsets of applications, e.g., on system calls or calls to predefined libraries. Due to limited scope, it is insufficient to detect subtle control-oriented and data-oriented attacks that introduces new illegal call relationships at the application level. Also such techniques are hard to apply on devices that lack a clear separation between OS and the application layer. This dissertation advances the design and implementation of program anomaly detection techniques by providing application context for library and system calls making it powerful for detecting advanced attacks targeted at manipulating intra- and inter-procedural control-flow and decision variables. </p>
<p><br></p>
<p>This dissertation has two main parts. The first part describes a statically initialized generic calling context program anomaly detection technique LANCET based on Hidden Markov Modeling to provide security against control-oriented attacks at program runtime. It also establishes an efficient execution tracing mechanism facilitated through source code instrumentation of applications. The second part describes a program anomaly detection framework EDISON to provide security against data-oriented attacks using graph representation learning and language models for intra and inter-procedural behavioral modeling respectively.</p>
<p><br>
This dissertation makes three high-level contributions. First, the concise descriptions demonstrates the design, implementation and extensive evaluation of an aggregation-based anomaly detection technique using fine-grained generic calling context-sensitive modeling that allows for scaling the detection over entire applications. Second, the precise descriptions show the design, implementation, and extensive evaluation of a detection technique that maps runtime traces to the program’s control-flow graph and leverages graphical feature representation to learn dynamic program behavior. Finally, this dissertation provides details and experience for designing program anomaly detection frameworks from high-level concepts, design, to low-level implementation techniques.</p>
|
30 |
Leveraging IoT Protocols : Integrating Palletization Algorithm with Flexible Robotic PlatformFerm Dubois, Mathias January 2024 (has links)
This thesis explores the integration of IoT protocols to enhance supply chain efficiency and sustainability by developing a flexible automated system. The research covers the integration of a palletization optimizer with a flexible robotic platform, a project conducted in collaboration with OpiFlex and Linköping University. Flexibility and sustainability in production, particularly in the food and beverage industry, are critical yet challenging to achieve. This research addresses these challenges by proposing a system that aligns the output with customer needs by combining these technologies. The research employs a combination of case study and exploratory methodologies. The development approach synthesizes elements from Set-Based Design, Point-Based Design, and Agile development frameworks. The primary research questions focus on identifying the best system architecture for integrating the palletization optimizer with a lower-level automation platform and outlining the steps needed to transform this integration into a commercially viable product. The system includes the optimizer, capable of processing customer orders and configuring products on mixed output pallets, integrated with a flexible robotic system provided by OpiFlex. The work involved evaluating communication protocols, MQTT, OPC UA, and TCP/IP, and designing robust interactions and interfaces between the subsystems. The results demonstrate the system's architecture and interaction protocols. The thesis concludes with a discussion of the results in comparison to the application scenario and the standards consulted. The conclusion is that the chosen interface practices should remain largely intact but be re-developed using an OPC UA-based architecture. The main reasons for this are its support for both pub/sub and client-server models, increased security, and greater support for enterprise application integration. However, depending on the specific application, the downsides of OPC UA may outweigh its benefits.
|
Page generated in 0.0676 seconds