Ph.D student Chao Gao won the 1st place prize at the 2016 ACSC annual conference!


On Nov. 3, 2016, at the 2016 Advanced Cyber Security Center (ACSC) annual conference held in Boston, our Ph.D student Chao Gao won the 1st place prize of the poster competition! The poster authors are Chao Gao, Benyuan Liu and Xinwen Fu.

"A non-profit consortium launched and supported by Mass Insight Global Partnerships, the Advanced Cyber Security Center (ACSC) brings together industry, university, and government organizations to address the most advanced cyber threats. "

"Since 2012, graduate students and post docs from the region's major research universities have been invited to present their cyber security projects, with a poster as a visual aid, before several hundred cyber experts from academia, industry, and government at the ACSC Annual Conference. "

Here is the poster introduction.

Title: How we controlled smart plugs of a known company!

Abstract:

On Oct. 21, 2016, a huge DDoS attacked US networks and caused the shutdown of many network services including Twitter. Behind it were hundreds of thousands of compromised IoT devices. In this research, we send out a strong warning message again to the IoT community and hopefully to enforce smart plug and other IoT device manufacturers/developers to put security at a higher priority.

Security concerns come along with the emergence of Internet of Things (IoT), which provides the capabilities of connecting smart devices, small actuators, and people anywhere and anytime to the Internet. Smart plugs, as one type of fast emerging IoT devices, are gaining increasing popularity in home automation, with which users can remotely monitor and control their homes. However, compromised smart plugs would lead to both security and privacy breach of home users. A disrupted medical equipment connected to smart plugs may threaten a patient's life.

Despite the importance and broad concern of security problems in smart plugs, we found their vulnerabilities are still prominently exposed. As an evidence, we in this research case study the security problems of a typical smart plug system from Edimax. We notified Edimax the vulnerabilities of the smart plug. The company is patching their system based on our provided information. The smart plug system has three components: a plug, cloud servers, and the control app on devices like smartphones. In our research, with reverse engineering, we disclose its entire communication protocols and identify its vulnerabilities that could open the door to different attacks. The goal of this research is to send out a strong warning message to the IoT community and hopefully to enforce smart plug and other IoT device manufacturers/developers to put security at a higher priority. As such, the code of our attacks will not be disclosed.

The main vulnerability of the smart plug system in question is its lack of device authentication. The remote server used by an app communicating with plugs does not authenticate the plugs. This widely opens the door for an adversary to perform our four attacks. 1. The smart plug system uses the MAC address of a plug as the identity of the plug. We are able to use the device scanning attack and scan the MAC address space of the vendor in order to find the online status of all smart plugs made by the vendor. 2. If the plug is online, we can perform the brute force attack to infer the passwords if a default password is not used. 3. Even If long passwords are employed by users, we can launch the device spoofing attack, which blocks the genuine plug and pretends to be a legal one, waiting for the remote application to send the authentication credential of a user for login and use of the plug. 4. With the compromised credentials, we can inject a customized firmware into the plug and turn the plug into a bot!

As countermeasures to the potential attacks exploiting the above vulnerabilities, we present guidelines to protect smart plug systems, including secure communication protocols to block eavesdropping attacks, mutual authentication between the control app and plug through the remote server, intrusion detection system for abnormal behavior detection, anti-bot mechanisms, and validation of data integrity.

ACSC16
From left to right: Ph.D student Ms. Chao Gao, ACSC Chairman William Guenther, and Dr. Xinwen Fu.
ACSC Poster
Chao Gao by courtesy of Rick Friedman Photography

We also want to thank our collaborators Ms. Yiling Xu, Dr. Zhen Ling from Southeast University, China and Dr. Wei Zhao from University of Macau.