Finding vulnerabilities in connected devices

Qvick, Matilda, Harnesk, Saga

January 2022

This thesis covers the security testing of a system with connected devices. In a world with an ever-growing number of connected devices, it is crucial to be mindful of the consequences unprotected systems can cause. The thesis aim to shine light on the issues of not having sufficient security measures in place. The test target was a system with a battery charger, gateway and cloud service. The testing was done with two different approaches, penetration testing and threat modelling, covering different parts of the system. Only a small fraction of the system was exploited in the report and overall the security was deemed to be alright. The main vulnerabilities found were that the username and password were found unencrypted when attempting to log into the gateway. The traffic between the battery charger and the gateway was also unencrypted and possibly vulnerable to replay attacks. For evaluation of the penetration testing and threat modelling there were found to be advantages and disadvantages to both methods. For a thoroughly analysis of the methods it would have needed further investigation. The system itself has potential for valuable findings with further investigations as well. / Denna rapport inkluderar säkerhetstestning av ett system med uppkopplade enheter. Antalet uppkopplade enheter (Sakernas Internet) runt om i världen fortsätter att växa med hög hastighet. Det är av stor vikt att se till att enheterna i dessa system har de säkerhetsåtgärder som krävs. Att belysa detta problem är ett utav målen med denna rapport. I rapporten testas ett batteriladdarsystem med tillhörande gateway och cloud-tjänst. Testen utfördes med två olika metoder, penetrationstest och hotmodellering, uppdelat på två olika delar av systemet. På grund av de begränsningar som fanns kunde endast en liten del av systemet testas och exploateras. Till största del ansågs säkerheten vara okej. De främsta sårbarheterna som hittades var bland annat okrypterade  användarnamn och lösenord vid försök att logga in på gatewayen. All traffik mellan batteriladdaren och gatewayen var orkypterad och med stor risk för att inte kunna stå emot en replayattack.  Utvärdering av de två metoderna som användes konstaterades för och nackdelar med båda metoderna. För att kunna göra en ordentlig jämförelse av metoderna skulle det behövas en djupare undersökning. Det finns även stort värde i en vidare undersökning av systemet.

Penetration Testing

Threat Modelling

Connected Devices

Vulnerabilities

Hardware Security

Penetrationstestning

Hotmodellering

Uppkopplade Enheter

Sårbarheter

Hårdvarusäkerhet

Computer and Information Sciences

Data- och informationsvetenskap

Sakernas internet - En säkerhetsrisk : En kvantitativ studie om privatpersoners kunskap gällande IoT-enheters säkerhet

Johansson, Christer, Andersson, Viktor

January 2021

With the constant growth of units connected to the internet, it’s becoming more and more common for private persons to get these units into their homes. With easier accessibility to smart units that can be connected straight to your smart home, and at the same time can make your everyday life easier, may also be the greatest securityrisk of your life. The focus of this essay is about the internet of things-units (IoT-units) that’s considered a large securityrisk. This work is made as a quantitative study about security deficiencies among private persons regarding IoT-units. The data produced from this work can be used as an answer of what a private person needs to be more vigilant of when it comes to IoT-units, and also what actions the manufacturing industry need to take for the connected community to be secured. To delve into this, we have chosen to use the methods literature study and a questionnaire study that will be performed to obtain data to answer our questions. Analysis has been made about what can be seen as an IoT-unit, what security deficiencies there are and then account for how to counteract these risks with help of knowledge. The result of the answers from the surveys and the picture we have received after a search for a sustainable and a more secure solution is that some knowledge exists, although not to the extent needed. The conclusion that can be drawn after the analysis of surveys and in the previous research how it should proceed in the current situation is that significantly more resources need to be spent on the right information for the right purpose, when it comes to this important IT-related issue.

IoT

Internet of Things

internet-connected devices

smart homes

security risks

security flaws

Sakernas internet

uppkopplade enheter

smarta hem

säkerhetsrisker

säkerhetsbrister

Övrig annan teknik