IoTIO: Analyzing and Understanding the Internet of Insecure Things

Principal Investigators
Project Time Period
Jun 2020–Nov 2025
Funding Agency
  • Vienna Science and Technology Fund (WWTF)

Abstract

Consumer devices, from door locks to light bulbs, are becoming increasingly smart. They are linked with other devices as part of smart homes and offices, are usually Internet-connected, and may be publicly accessible through misconfiguration or IPv6. The corresponding security and privacy implications have yet to be explored in depth, and their analysis is complicated by the diversity of device types and architectures. Prior work focused on case studies of specific device types, or analyzed devices' firmware in isolation, requiring substantial manual effort. In contrast, the automatic analysis of devices' interaction with their environment and other devices could uncover new vulnerability types and privacy violations. In this project, we will propose scalable techniques to analyze smart devices for potential vulnerabilities based on how they collect, process, and share data by interacting with their mobile companion app or smart hubs. We will provide a proof-of-concept tool to show the practicality of our research. The basis of our project is novel software and network analyses of companion apps and hub integrations to synthesize protocols, discover commands that exercise device functionality, and identify information flows, without requiring access to the smart devices themselves. The project is a multi-disciplinary research effort enabling security and privacy analyses. It also has societal impact by enabling informed decision making by manufacturers, lawmakers, and users.

Publications

Peer-Reviewed

Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols

Carlotta Tagliaro, Martina Komsic, Andrea Continella, Kevin Borgolte, Martina Lindorfer

Proceedings of the 27th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2024

IoTFlow: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis

David Schmidt, Carlotta Tagliaro, Kevin Borgolte, Martina Lindorfer

Proceedings of the 30th ACM SIGSAC Conference on Computer and Communications Security (CCS), November 2023

Out of Sight, Out of Mind: Detecting Orphaned Web Pages at Internet-Scale

Stijn Pletinckx, Kevin Borgolte, Tobias Fiebig

Proceedings of the 28th ACM SIGSAC Conference on Computer and Communications Security (CCS), November 2021