Successfully reported this slideshow.
Your SlideShare is downloading. ×

A Threat Model for Extensible Smart Home Gateways

Ad

A Threat Model for Extensible
Smart Home Gateways
Fulvio CORNO and Luca MANNELLA
e-Lite research group
Department of Contr...

Ad

OUTLINE
• Introduction
• Reference Smart Home Architecture
• Proposed Threat Model
• Use Case & Proofs of Concept
• Conclu...

Ad

INTRODUCTION
• Smart Home (SH) systems are in a dangerous situation
• At least 40% houses have an IoT device (70% in the U...

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Check these out next

1 of 22 Ad
1 of 22 Ad

A Threat Model for Extensible Smart Home Gateways

Download to read offline

7th International Conference on Smart and Sustainable Technologies (SpliTech 2022).

The presented paper is entitled: "A Threat Model for Extensible Smart Home Gateways".

This paper proposes a threat model for a specific class of components of IoT infrastructures: smart home gateways extensible through plug-ins.
The purpose of the proposed model is twofold.
From one side, it helps to understand some possible issues that could be generated from a malicious or defective implementation of a plug-in and affect the gateway itself or other smart home devices. Consequently, the model could help programmers of gateway applications, plug-ins, and devices
think about possible countermeasures and develop more resilient solutions.
On the other side, the model could be regarded as a set of guidelines. Indeed, plug-in developers should not create plug-ins acting like the threats reported in the paper.
To provide a first validation of the model, the paper presents a use case based on Home Assistant, an open-source smart home gateway application.

7th International Conference on Smart and Sustainable Technologies (SpliTech 2022).

The presented paper is entitled: "A Threat Model for Extensible Smart Home Gateways".

This paper proposes a threat model for a specific class of components of IoT infrastructures: smart home gateways extensible through plug-ins.
The purpose of the proposed model is twofold.
From one side, it helps to understand some possible issues that could be generated from a malicious or defective implementation of a plug-in and affect the gateway itself or other smart home devices. Consequently, the model could help programmers of gateway applications, plug-ins, and devices
think about possible countermeasures and develop more resilient solutions.
On the other side, the model could be regarded as a set of guidelines. Indeed, plug-in developers should not create plug-ins acting like the threats reported in the paper.
To provide a first validation of the model, the paper presents a use case based on Home Assistant, an open-source smart home gateway application.

Advertisement
Advertisement

More Related Content

Advertisement

A Threat Model for Extensible Smart Home Gateways

  1. 1. A Threat Model for Extensible Smart Home Gateways Fulvio CORNO and Luca MANNELLA e-Lite research group Department of Control and Computer Engineering Politecnico di Torino, Turin, Italy 7th International Conference On Smart and Sustainable Technologies Split, July 6, 2022
  2. 2. OUTLINE • Introduction • Reference Smart Home Architecture • Proposed Threat Model • Use Case & Proofs of Concept • Conclusions & Future Work 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 2
  3. 3. INTRODUCTION • Smart Home (SH) systems are in a dangerous situation • At least 40% houses have an IoT device (70% in the USA) • In 62% of involved houses, at least one device has a known vulnerability • A compromised device could affect other SH devices • To manage them, Smart Home gateways are often involved • Such solutions are often extensible (EvenGhost, Home Assistant, OpenHAB, Pimatic, etc.) • Extending something developed by a third-party is never an easy task • Therefore, a compromised IoT gateway in a SH is particularly critical • Goal: supporting programmers during development (or evaluation) of plug-ins for SH gateways • Proposing a threat model with a twofold purpose 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 3
  4. 4. REFERENCE SMART HOME ARCHITECTURE SpliTech 2022 — Fulvio Corno and Luca Mannella 2022-07-06 4
  5. 5. A SMART HOME ARCHITECTURE 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 5
  6. 6. 2022-07-05 SpliTech 2022 — Fulvio Corno and Luca Mannella 11 • The gateway OS • The smart home gateway application • Other plug-ins • Other applications running on the gateway • A device belonging to the smart home POSSIBLE ATTACK TARGETS
  7. 7. A THREAT MODEL FOR EXTENSIBLE SMART HOME GATEWAYS 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 12
  8. 8. THREAT MODEL INTRODUCTION • The 11 threats are labeled with the letter “T” and a digit • The model considers menaces originated from a plug-in • Plug-in scope: • Set of variables, files, or resources that the plug-in can legitimately access • Accessed resources must be declared in plug-in documentation • Resources must be accessed through the modalities envisaged by the platform (e.g., API) 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 13
  9. 9. THREATS DIVIDED BY CATEGORIES • Confidentiality • T1: a plug-in could access and use private data of other attack targets • T2: a plug-in could access and spread private data of other attack targets • Integrity • T3: a plug-in could alter the state of other smart home devices outside its scope • T4: a plug-in could alter private data of other attack targets outside its scope • Availability • T5: a plug-in could delay the regular functionality of an attack target • T6: a plug-in could alter one of the regular functionalities of an attack target • T7: a plug-in could alter the regular functionality of an attack target, preventing the users from using it • T8: a plug-in could physically damage an attack target 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 14
  10. 10. THREATS DIVIDED BY CATEGORIES • Authentication • T9: a plug-in could interact with an attack target, pretending to be a different entity • Authorization • T10: a plug-in could access an authorization level higher than expected • Non-Repudiation • T11: a plug-in could anonymously communicate with an attack target (i.e., there is no way to know that the plug-in establishes a specific communication). 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 15
  11. 11. USE CASE & PROOFS OF CONCEPT SpliTech 2022 — Fulvio Corno and Luca Mannella 2022-07-06 16
  12. 12. USE CASE • Home Assistant (HAss) — https://www.home-assistant.io/ • A Python-based open-source smart home gateway software • Developed since 2013 and released in 2016 • More than 150.000 active installations (estimated to be four-fold) • Four different types of release (additional features with respect to core version) • Extensible through two different kind of plug-ins: integrations and add-ons • Focus on Integrations — https://www.home-assistant.io/integrations • Available in all Home Assistant releases • Closer to “traditional” plug-in concept • Deeply integrated in Hass • Impacting only other integrations 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 17
  13. 13. DEVELOPED PROOFS OF CONCEPT • One target integration: switch_target • Two states: on & off • Contains a secret value • It should be accessible only by the integration itself • Note: open source and available on GitHub https://github.com/Sarcares/HAss-TM-Integrations • Two malicious integrations • light_simple_access • light_altering_state • Integrations designed for managing lights • Two states: on & off • A brightness value • With additional malicious side-effects • Both integrations retrieve a reference to the switch_target through the Python’s Garbage Collector 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 18
  14. 14. DEVELOPED PROOFS OF CONCEPT • Two malicious integrations • light_simple_access • light_altering_state • Integrations designed for managing lights • Two states: on & off • A brightness value • With additional malicious side-effects • Both integrations retrieve a reference to the switch_target through the Python’s Garbage Collector 2022-07-06 19 Threat Category Threat Exploited Confidentiality T1 ✔️ T2 ✔️ Integrity T3 ✔️ T4 ✔️ Availability T5 ❌ T6 ✔️ T7 ✔️ T8 ❌ Authentication T9 ✔️ Authorization T10 ❌ Non-Repudiation T11 ✔️
  15. 15. LIGHT_SIMPLE_ACCESS • Access and retrieve the secret from the switch_target • This could lead to T1 or T2 according to malicious developer’s behavior • Confidentiality: “a plug-in could access and use/spread private data of other attack targets” When the light is turned on • Modify the secret stored in the switch_target • T4 (integrity): altering private data • T6 (availability): altering one of the regular functionalities When the light is turned off 2022-07-05 SpliTech 2022 — Fulvio Corno and Luca Mannella 21
  16. 16. LIGHT_ALTERING_STATE • Malicious effect triggered every time a user turns on or off this light • The state of switch_target is toggled • T3: (integrity) alter the state of the switch_target • T7: (integrity) alter the regular functionality: the user partially lose control over the switch_target • T9: (authentication) interacting with the switch_target as the original integration • T11: (non-repudiation) it interacts anonymously with the switch_target 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 22
  17. 17. CONCLUSIONS & FUTURE WORKS SpliTech 2022 — Fulvio Corno and Luca Mannella 2022-07-06 23
  18. 18. CONCLUSIONS • Purposes of the proposed threat model • Understand security issues in plug-ins • helping programmers think about possible countermeasures • Set of guidelines • plug-ins should not act like the reported threats • Exploited some threats through a couple of proofs of concept • Suggestions for Home Assistant: • More isolation among its components • Introducing a permission system (T10) 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 24
  19. 19. FUTURE WORK • Creating proofs of concept addressing other attack targets • Analyzing publicly available Home Assistant plug-ins looking for the presented threats • Can developers accidentally fall into the presented issues? • Provide best practices and/or tools for developing more reliable smart home systems 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 25
  20. 20. THANK YOU FOR YOUR KIND ATTENTION! ANY QUESTIONS? 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 26 fulvio.corno@polito.it luca.mannella@polito.it
  21. 21. 1. D. Kumar, et al., “All Things Considered: An Analysis of IoT Devices on Home Networks,” in 28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 1169–1185. 2. K. Kafle, et al., “Security in Centralized Data Store-based Home Automation Platforms: A Systematic Analysis of Nest and Hue,” ACM Trans. on Cyber-Phys. Syst., vol. 5, no. 1, jan 2021. 3. F. Pub, “Standards for Security Categorization of Federal Information and Information Systems,” NIST FIPS, vol. 199, 2004. 4. U.S. Congress, “Federal Information Security Modernization Act of 2014,” Public Law, pp. 113–283, 2014. 5. H. Kim and E. A. Lee, “Authentication and Authorization for the Internet of Things,” IT Professional, vol. 19, no. 5, pp. 27–33, 2017. 6. https://analytics.home-assistant.io/ 7. https://www.home-assistant.io/blog/2021/11/12/100k-analytics/ 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 27 REFERENCES
  22. 22. LICENSE • These slides are distributed under a Creative Commons license “Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)” • You are free to: • Share — copy and redistribute the material in any medium or format • Adapt — remix, transform, and build upon the material • The licensor cannot revoke these freedoms as long as you follow the license terms. • Under the following terms: • Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. • NonCommercial — You may not use the material for commercial purposes. • ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. • No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. • https://creativecommons.org/licenses/by-nc-sa/4.0/ 2022-07-06 SpliTech 2022 — Fulvio Corno and Luca Mannella 28

×