Proceedings of the 5th Workshop on CPS&IoT Security and Privacy
Last Update : [26 November, 2023]
SESSION: Session 1: Assessment and Mitigation Strategies
Firmulti Fuzzer: Discovering Multi-process Vulnerabilities in IoT Devices with Full System Emulation and VMI
- Yung-Tai Cheng
- Shin-Ming Cheng
With the growth of Internet of Things devices, the number and complexity of these devices are increasing rapidly. Nevertheless, many IoT products are developed without sufficient consideration for security, leaving them vulnerable to exploitation by malware. To proactively address these vulnerabilities before they are discovered by malicious attackers, information security researchers use both static and dynamic analysis techniques to identify vulnerabilities and propose firmware updates.
Due to the variety of IoT firmware architectures, conducting fuzzing tests directly on firmware using a general personal computer is challenging. As a solution, emulation techniques are commonly applied to create virtual environments for vulnerability detection. However, existing emulation-based fuzzing test tools often prioritize efficiency and avoid utilizing full-system emulation. These tools are limited to detecting vulnerabilities in individual programs and are unable to identify deep-seated vulnerabilities that arise from interactions across multiple processes.
To solve this challenge, we have proposed Firmulti Fuzzer, a fuzzing framework leverages full system emulation. In our approach, we do emulation for two times. The first emulation utilizes the existing emulation system to acquire the full system emulation configuration of the firmware. Next, the second emulation uses an emulator with virtual machine introspection (VMI) function to monitor the entire system environment. With Firmulti Fuzzer, we can track the execution status of all programs within the environment and generate notifications upon detecting exceptions, thereby identifying vulnerabilities stemming from interactions among multiple processes.
Experiments have shown the effectiveness of Firmulti Fuzzer in detecting both general vulnerabilities and multi-process vulnerabilities. Most importantly, Firmulti Fuzzer outperforms other fuzzers in identifying multi-process vulnerabilities. Firmulti Fuzzer holds promising potential as a tool for enhancing the security of IoT devices and mitigating the exploitation of vulnerabilities by malicious attackers.
- Alyah Alfageh
- Sridhar Adepu
- Charalambos Konstantinou
Desalination plants, heavily reliant on Industrial Control Systems (ICS), have emerged as increasingly vital resources in the wake of escalating global water scarcity. This raises an urgent need to prioritize their security, calling for the implementation of robust risk assessment measures. Recognizing these pressing issues, this paper proposes a risk assessment approach for ICS within water desalination facilities. The strategy integrates the capabilities of Bayesian Networks (BNs) and Dynamic Programming (DP). It evolves BNs into Multilevel Bayesian Networks (MBNs), an innovative form that adeptly navigates the intricacies of system complexity, facilitates efficient inference, and dynamically adapts risk profiles. The proposed methodology considers the perspective of potential attackers, which is critical for a comprehensive risk assessment and a robust defense strategy. The DP aspect enhances this approach by dissecting complex problems and identifying optimal attack paths. The work demonstrates the comprehensive risk assessment by executing multiple attacks on a water desalination plant with various strategies. It takes into account the probabilistic interdependence relationships within the system. Additionally, the paper formulates a mathematical risk assessment using system models and graphical representation, yielding realistic results.
Remote Attestation of IoT Devices using Physically Unclonable Functions: Recent Advancements and Open Research Challenges
- Niccolò Marastoni
- Mariano Ceccato
In the past few years, the diffusion of IoT devices used in everyday life has skyrocketed. From wearable devices to smart home appliances, these gadgets are increasingly exposed to the Internet or to open networks. This means that it is necessary to find security solutions that can guarantee the safety of these devices, while at the same time saving on energy consumption and implementation space. In this paper we explore recent works that use remote attestation as a possible solution to the security of IoT devices while also focusing on the use of Physically Unclonable Functions (PUFs). We provide a thorough analysis of the selected papers, providing insights on possible future research directions.
- Islam Obaidat
- Zachary Palko
- Meera Sridhar
DDoSimQ, a simulation testbed for replicating intricate botnet DDoS attacks, is introduced. Building on the foundation of DDoSim (a testbed that uses Docker containers and the NS-3 simulator for IoT botnet DDoS attack simulations), DDoSimQ extends its capabilities through the integration of the QEMU emulator. This integration facilitates full system emulation, enhancing its potential to support diverse security research concerning DDoS attacks.
SESSION: Session 2: Adversarial Exploitation and Compiler Insights in Real-World Systems
- Yazhou Tu
- Sara Rampazzi
- Xiali Hei
Real-world process control requires continuous sensor measurements and automatic control of the environment. Typical process control systems consist of three main components: controllers functioning as the system's "brain'', sensors acting as measurement devices, and final control elements that modify the environment. Prior works showed that adversaries could inject signals into analog sensors to affect the control process; however, an adversarial controller that is necessary to achieve process control is inherently missing in conventional physical-level sensor signal injection attacks, which revealed mechanisms to perturb sensor systems but did not describe the computations necessary to adjust and regulate the process over time. This paper introduces an adversarial control loop approach that computes attack signals during the attack to guide the adversarial process control. Our approach allows constructing the external "brain'' of the adversarial process control with programs. Further, we characterize the Physical Feedback Side Channel (PFSC) in out-of-band signal injection attacks, and study how the adversarial prototype system can be constructed non-invasively to gain control over two types of inertial sensor-actuator systems, including a MegaWheels self-balancing scooter. We demonstrate proof-of-concept process control without accessing or tampering with internal modules of the victim system.
Brain-Hack: Remotely Injecting False Brain-Waves with RF to Take Control of a Brain-Computer Interface
- Alexandre Armengol-Urpi
- Reid Kovacs
- Sanjay E. Sarma
The promise of Brain-Computer Interfaces (BCIs) is counterbalanced by concerns about vulnerabilities. Recent studies have revealed that EEG-based BCIs are susceptible to security breaches. However, current attack approaches are challenging to execute in real-world settings because they need access to, at a minimum, the EEG data stream. In this work, we introduce an unexplored vulnerability of current EEG-based BCIs that consists of remotely injecting false brain-waves into the recording device. We do this by transmitting amplitude-modulated radio-frequency (RF) signals that are received by the physical structure of the EEG equipment. We demonstrate the versatility of our system by successfully attacking three different categories of EEG devices: research-grade (Neuroelectrics), open-source (OpenBCI), and consumer-grade (Muse). We test our attack system by taking control of three different BCIs: a virtual keyboard speller, a drone-control interface, and a neuro-feedback meditation interface. Our system was successful in each case, forcing the input of any desired character with the virtual keyboard, crashing the drone, and reporting false meditative states, respectively. To the best of our knowledge, this is the first time that an EEG device is remotely hacked at the physical layer. This work shows the risks that can arise from this type of attacks, which can not only be dangerous by seizing control of a BCI, but could also lead to severe misdiagnoses in clinical EEG tests.
The Internet of Insecure Cows - A Security Analysis of Wireless Smart Devices Used for Dairy Farming
- Samuel Barnes-Thornton
- Joseph Gardiner
- Awais Rashid
IoT devices are becoming increasingly common in the world of agriculture with farmers now relying on technology to keep their businesses running. From crop management and greenhouse automation to entirely autonomous milking parlours, technology is being used in more ways than ever to improve efficiency. The benefits are huge, with the ability for farms to expand due to lower requirements for manual labour and other resources like water usage, so much so that in places it would now be infeasible for farmers to go back to traditional ways of working. Unfortunately, this technological advancement also brings with it an increase in the risk of cyber attacks. If one of these succeeds it could cause catastrophic effects for both individual farms and the security of the wider food supply chain.
This project provides a comprehensive analysis of the security of collars used for health monitoring of cows in a smart dairy farm. This is the first practical cyber security analysis of such devices that are currently in use on farms. We have successfully reverse-engineered the wireless protocol and demonstrated the ability to inject false data into the system, posing as one of the sensors. Testing has shown that both the system to receive signals from the sensors and the data endpoint software are vulnerable to data injection. This paper highlights the specific threats from the vulnerabilities and identifies potential countermeasures that could be integrated into the sensors in the future.
- Zetong Zhao
- Shreyas Srinivasa
- Emmanouil Vasilomanolakis
The utilization of the Internet of Things (IoT) as an attack surface is nowadays a fact. Taking IP cameras as a use-case, they have been targeted to a great extent mainly due to the absence of authentication, the utilization of weak, in terms of security, protocols, and their high availability. To cope with the current situation and study the current state of attacks against IP cameras we propose the use of cyber-deception and in particular honeypots. Honeypots can provide useful insights into current attack campaigns, and they can divert attackers' attention away from the actual targets.
In this paper, we propose an open-source medium interaction IP camera honeypot that requires minimal settings while supporting a modular architecture for adding new camera models. The honeypot, namely SweetCam, supports the emulation of SSH, RTSP and HTTP. Furthermore, it creates a web-service (HTTP) that depicts an IP camera interface with a login page and the emulation of a camera interface using user-specified 360-degree video streams and images. We deploy instances of the honeypot in different geographical locations, for a period of 3 weeks, and receive a total of 5,780, 1,402 and 218,344 attacks on HTTP, RTSP and SSH services respectively; from 5,924 unique IPs. Lastly, we further analyze the attacks, and identify common Internet scanners (e.g., Shodan) among the services that have contacted the honeypots.
Towards PLC-Specific Binary Analysis Tools: An Investigation of Codesys-Compiled PLC Software Applications
- Hadjer Benkraouda
- Anand Agrawal
- Dimitrios Tychalas
- Marios Sazos
- Michail Maniatakos
Critical infrastructures are controlled by industrial control systems. Such systems are primarily operated by Programmable Logic Controllers (PLC). In recent years, PLC vendors have been moving towards commercial-off-the-shelf components and operating systems, a trend that has decreased development and maintenance costs. It also had the side-effect of exposing these devices to a wider range of attacks. Previous research has focused on securing the network and monitoring its traffic. PLC software applications though, the programs that run on PLCs, have not been subject to diligent security analysis. This can be attributed to the proprietary nature of PLC compilers and the unique format of the PLC software binaries. Therefore, in this work we aim to closely study a PLC compiler (Codesys) that is used by more that 250 devices, including Siemens, Mitsubishi, and Schneider Electric devices. To this end, we created a varied dataset of 600 in-house programs comprised of basic operations developed in different PLC languages and spanning different architectures, Codesys compiler versions, and PLC hardware vendors. Our dataset also contains binaries for real-world systems. To the best of our knowledge, this is the first comprehensive dataset of PLC programs aimed at exploring the compiler behavior.
SESSION: Session 3: Device Identification and Anonymization
- Ashley Andrews
- George Oikonomou
- Simon Armour
- Paul Thomas
- Thomas Cattermole
Internet of things (IoT) devices are becoming more prevalent in home environments and are shown to be generally insecure. There have been many previous studies looking to identify unknown IoT devices on networks. To truly secure a network however, there is a need to identify unknown devices down to the granularity of firmware version; a problem previous studies have failed to solve. As devices change versions, it is expected that there would be subtle differences in the on-wire signatures that would be hard for a human analyst to notice, but easy for an NLP technique to identify. In this paper we extract keywords from both encrypted and unencrypted network traffic and first use UMAP with K-Means clustering to visualise the data and show that natural clusters form across our test dataset of 18 devices covering 61 versions. This analysis suggests that there are underlying patterns in the extracted keywords that could be detected by machine learning techniques. We then show that these patterns can be detected by proposing a novel technique using TF-IDF and cosine similarity that follows the clustering results to identify IoT devices down to the level of firmware version. We show that our chosen features are strong enough to work accurately across a range of device types, manufacturers, models and versions, and note the main observations found when trying to identify devices down to a firmware version. This approach to get granularity down to device version level achieves an accuracy of 67% without being to the detriment of identifying device models, where we achieve an accuracy of 90%.
- Xin Yang
- Omid Ardakanian
Generative models have shown great promise in synthesizing high-quality time-series data that resemble the sensor data generated by mobile and IoT devices, but do not reveal the user's private attributes. These synthesized data can be treated as the obfuscated version of the sensor data and sent to downstream applications. However, existing obfuscation techniques that rely on generative models require the user to enumerate all inferences they deem intrusive. This black-listing approach would inevitably result in privacy loss if the definition of intrusive inferences changes after releasing the obfuscated data. In this work, we propose a white-listed approach to sensor data obfuscation based on a guided denoising diffusion model and a surrogate model for the desired inference. We evaluate this obfuscation model on a human activity recognition dataset and show that the proposed obfuscation model provides an acceptable privacy-utility trade-off, without assuming knowledge of the private attributes.