Abstract
Recent Internet of Things (IoT) botnet attacks have called attention to the fact that there are many vulnerable IoT devices connected to the Internet today. Some of these Web-connected devices lack even basic security practices such as strong password authentication. As a consequence, many IoT devices are already infected with malware and many more are vulnerable to exploitation. In this paper we analyze the security level of 16 popular IoT devices. We evaluate several low-cost black-box techniques for reverse engineering these devices, including software and fault injection-based techniques used to bypass password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically add these devices to a botnet. We also discuss how to improve the security of IoT devices without significantly increasing their cost or affecting their usability.
Original language | English |
---|---|
Article number | 8488542 |
Pages (from-to) | 4965-4976 |
Number of pages | 12 |
Journal | IEEE Internet of Things Journal |
Volume | 5 |
Issue number | 6 |
DOIs | |
State | Published - 1 Dec 2018 |
Keywords
- Computer security
- Internet of Things (IoT)
- IoT application design
- IoT standardization
- IoT system architecture
- IoT test-bed
- Privacy
- Reverse engineering
ASJC Scopus subject areas
- Signal Processing
- Information Systems
- Hardware and Architecture
- Computer Science Applications
- Computer Networks and Communications