Defense Event

Securing IoT Platforms Through Systematic Analysis and Design

Earlence Fernandes

Wednesday, March 29, 2017
1:00pm - 3:00pm
3725 Beyster Bldg.

About the Event

Our homes, hospitals, cities, and industries are being enhanced with devices that have computational and networking capabilities. This emerging network of connected devices, or Internet of Things (IoT), promises better safety, enhanced management of patients, improved energy efficiency, and optimized manufacturing processes. Although there are many such benefits, security vulnerabilities in these systems can lead to user dissatisfaction (e.g., from random bugs), privacy violation (e.g., from stolen information), monetary loss (e.g., denial-of-service attacks or "ransomware"), or even loss of life (e.g., from malicious actors manipulating critical processes in a hospital). Security design flaws may manifest at several layers of the IoT software/hardware stack. This work focuses on design flaws that arise in IoT platforms: software systems that manage devices, data analysis results and control logic. Specifically, we show that empirical security-oriented analyses of personal IoT platforms lead to: (1) an understanding of design flaws that can be leveraged in long-range and device-independent attacks; (2) the development of security mechanisms that limit the potential for these attacks. Concretely, we contribute empirical analyses for two categories of personal IoT platforms: Hub-Based (Samsung SmartThings), and Cloud-First (If-This-Then-That). Our analyses reveal overprivilege as a main enabler for attacks, and we propose a set of information flow control techniques (FlowFence and Decoupled-IFTTT) to manage privilege better in these platforms, therefore reducing the potential for attacks.

Additional Information

Sponsor(s): Atul Prakash

Open to: Public