IoTIO: Analyzing and Understanding the Internet of Insecure Things
Consumer devices, from door locks to light bulbs, are becoming increasingly smart. They are linked with other devices as part of smart homes and offices, are usually Internet-connected, and may be publicly accessible through misconfiguration or IPv6. The corresponding security and privacy implications have yet to be explored in depth, and their analysis is complicated by the diversity of device types and architectures. Prior work focused on case studies of specific device types, or analyzed devices' firmware in isolation, requiring substantial manual effort. In contrast, the automatic analysis of devices' interaction with their environment and other devices could uncover new vulnerability types and privacy violations. In this project, we will propose scalable techniques to analyze smart devices for potential vulnerabilities based on how they collect, process, and share data by interacting with their mobile companion app or smart hubs. We will provide a proof-of-concept tool to show our research's practicality. The basis of our project is a set of novel software and network analyses of companion apps and hub integration to synthesize protocols, discover commands to exercise device functionality, and identify information flows, all without requiring access to the smart devices themselves. The project is a multi-disciplinary research effort enabling security and privacy analyses. It also has societal impact by enabling informed decision making by manufacturers, lawmakers, and users.