SoK: Security Evaluation of Home-Based IoT Deployments Omar Alrawi∗, Chaz Lever∗, Manos Antonakakis∗, Fabian Monrosey ∗Georgia Institute of Technology falrawi, chazlever, [email protected] yUniversity of North Carolina at Chapel Hill [email protected] Abstract—Home-based IoT devices have a bleak reputation cyber operations [1]. To make matters worse, some vendors regarding their security practices. On the surface, the insecurities leave service backdoors in their devices that are later dis- of IoT devices seem to be caused by integration problems that covered and exploited by botnets [13]. Even unsophisticated may be addressed by simple measures, but this work finds that to be a naive assumption. The truth is, IoT deployments, at criminal groups are taking advantage of the rampant insecu- their core, utilize traditional compute systems, such as embedded, rities to run distributed denial-of-service (DDoS) attacks [2]. mobile, and network. These components have many unexplored Unfortunately, cleanup efforts and vulnerability patching are challenges such as the effect of over-privileged mobile applica- far from perfect, and as additional devices come online, the tions on embedded devices. threats that target them become versatile, which enables them Our work proposes a methodology that researchers and practitioners could employ to analyze security properties for to spread even further [14]. To systematically address these home-based IoT devices. We systematize the literature for home- security issues, researchers need to understand the landscape based IoT using this methodology in order to understand attack by conducting measurements and in-depth studies to classify techniques, mitigations, and stakeholders. Further, we evaluate 45 and address the vulnerabilities. There are ample research devices to augment the systematized literature in order to identify efforts for home-based IoT security, but they are scattered. Our neglected research areas. To make this analysis transparent and easier to adapt by the community, we provide a public portal to community needs an understanding of the current literature, a share our evaluation data and invite the community to contribute derivation of insights, and an identification of security gaps. their independent findings. The insights would allow the research community to formalize what insecurities are perpetuated, what are the proposed mit- I. INTRODUCTION igations, and what responsibilities stakeholders bear. Further, Security problems involving Internet of Things (IoT) con- these in-depth studies and classifications of literature can guide tinue to cause severe operational issues with high-profile the community to help prioritize their efforts. attacks [1], mass exploitation of devices [2], and eye-catching In this work, we propose a modeling methodology to study headlines about “exotic” device hacking [3]. The demand for home-based IoT devices and evaluate their security posture IoT devices — especially in the multi-billion-dollar residential based on component analysis, namely: the IoT device, the market [4] — has created a modern-day gold rush. New companion mobile application, the cloud endpoints, and the and established companies are rushing to grab a piece of associated communication channels. Leveraging our approach, the IoT market. As time-to-market and production costs take we systematize the research literature for home-based IoT priority over prudent security practices, the all-too-familiar devices to understand attack techniques, proposed mitigations, sight of compromised IoT devices is numbing. Researchers and stakeholder responsibilities. We use the knowledge to and vendors are playing catch-up to address IoT insecurities, derive insights and identify research opportunities for our com- but much of the efforts are indistinct and ad-hoc. munity. Additionally, we evaluate 45 home-based IoT devices Several working groups and market leaders have proposed that are available on the market today and provide an overview standardizations for IoT devices [5]–[12], but unfortunately, of their security properties across the IoT components. they have not agreed on a solution. Additionally, the het- Based on the systematization and evaluation, we compare erogeneity of home-based IoT devices contributes to these the insights found between both approaches showing the insecurities because although core functionalities are alike, commonalities and differences. We provide a list of mitiga- specific features based on the device type can be vastly tions for each component and propose strategies for different different. For example, an IoT vacuum cleaner and a home stakeholders to address the issues found. Most importantly, assistant device may use an embedded Linux operating system, we establish a portal1 where we invite our fellow researchers, but the running services on the device will be different. These vendors, and power-users to contribute new device evaluations differences make it difficult to analyze diverse home-based IoT and to reproduce our results using the published dataset and products. proposed methodology. State-sponsored adversaries are well aware of these predica- ments, and they have taken advantage to run sophisticated 1The evaluation portal is available online at: https://yourthings.info. Fig. 1: Typical home-based IoT setup. Fig. 2: Single IoT deployment. Fig. 3: IoT graph model. Cloud Endpoint s edrVendor/User Vendor Cloud Endpoint s c1 c0 d2 ∗ d0 a0 d1 LE Devices IoT Hub Mobile Apps Smart TV LE Devices IoT Hub Mobile Apps II. METHODOLGY • Permissions refers to a mobile application being over- The contribution of our work is two-fold, the systemati- privileged. zation of literature and the evaluation of home-based IoT • Programming refers to the mobile application containing devices. The work relies on an abstract model that segments vulnerable implementations, including improper use of IoT deployments into components, which we apply to the cryptographic protocols. research literature and the device evaluations uniformly. • Data protection refers to the mobile application hard coding sensitive information. A. Abstraction Model Overview The communication of the components have two attack cat- We propose an abstract model to represent IoT deployments egories, encryption and man-in-the-middle (MITM) that are and their topologies. Figure1 is an example of an IoT con- defined as follows: nected home with multiple devices. The approach involves • Encryption refers to lack of encryption or support of segmenting each device into its respective topology as shown weak encryption protocols. in Figure2. Formally, we define an IoT deployment as a set • MITM refers to the susceptibility to a man-in-the-middle of vertices V and edges E as illustrated in Figure3. Overall, attack. our abstract model has four main components: a set of devices The cloud endpoint shares the following attack categories with (D), a set of cloud endpoints (C), a set of mobile applications devices and communication edges: vulnerable services, weak (A), and a set of communication channels (E). authentications, and encryption, as defined above. where: A; C; D ⊂ V ; D : fdi; i 2 Zg; Mitigation. The mitigation categories, patching and frame- work C : fcj; j 2 Zg; A : fak; k 2 Zg; , span all four components. Patching refers to mitigating E : fe ; l 2 g an attack vector by patching the components through vendor l Z updates or user attentiveness. The framework category miti- For each device deployment, we construct a representative gates fundamental problems that require a new approach. graph and examine the security properties for each component. Stakeholders. The stakeholder categories, vendors and end- B. Security Properties users, span all four components. These categories indicate which stakeholder is responsible for mitigation. Figure1 The security properties have three categories: attack vectors, segments the IoT deployment into vendor-and-user-controlled mitigations, and stakeholders. Attack vectors are the methods networks. The cloud endpoint is controlled and mitigated by used to circumvent the security of the IoT system. The the vendor, while the components within the home network mitigations define which measures should be taken to address may expose configuration parameters so users can disable the attack vectors. Lastly, the stakeholders represent the party vulnerable features. For example, if the device has a known responsible for mitigation. default password and the vendor allows users to change the Attack Vector. The device has three attack categories: vulner- default password, then the end-user can change the password able services, weak authentications, and default configurations to secure the device. that are defined as follows: • Vulnerable services refers to vulnerabilities in running C. Systematization Approach services. The systematization uses the proposed abstract model, • Weak authentications refers to weak or guessable cre- which presents the literature uniformly across the categories dentials. discussed earlier identifying their attack techniques, proposed • Default configurations refers to the device operating mitigations, and stakeholder responsibilities. Each work can with insecure factory settings. fit into one or more of the IoT components. The literature for The mobile application has three attack categories, permis- the systematization is chosen based on the following criteria: sions, programming, and data protection that are defined as • Merit: The work is unique and among the first to explore