ABSTRACT
Developing secure Internet of Things (IoT) applications that are free of vulnerabilities and resilient against exploit is desirable for software developers and testers. In this paper, we present IoTVerif, an automated tool that can verify SSL/TLS (Secure Socket Layer/Transport Layer Security) X.509 certificate validation of IoT messaging protocols utilized by real-world IoT client applications. IoTVerif does not require any prior knowledge about the messaging protocol, but simply correlates the observed network trace of an application with its execution context. IoTVerif helps IoT client application developers identify the SSL/TLS vulnerabilities based on certificate validation. We specifically target MQTT, a broker-based protocol that has attracted increasing popularity in the IoT application market.
We used IoTVerif to analyze the server X.509 certificate validation in 15 well-known MQTT client applications. Our result revealed that 5 (33.3%) of the applications examined are vulnerable to man-in-the-middle (MITM) and/or TLS renegotiation attacks. Our result also shows that IoTVerif can generate a Finite State Machine (FSM) that depicts the interaction between the application and the IoT broker and automatically identifies various attacks. It has the potential to reverse-engineer the emerging IoT messaging protocols and identify the vulnerabilities in the IoT applications.
- Akdeniz. 2017. GitHub - Akdeniz/Google Play Crawler). https://github.com/Akdeniz/google-play-crawler. (2017).Google Scholar
- Ala Al-Fuqaha, Mohsen Guizani, Mehdi Mohammadi, Mohammed Aledhari, and Moussa Ayyash. 2015. Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications. IEEE Communications Surveys Tutorials Vol. 17, 4 (Fourthquarter. 2015), 2347--2376.Google ScholarDigital Library
Index Terms
- IoTVerif: An Automated Tool to Verify SSL/TLS Certificate Validation in Android MQTT Client Applications
Recommendations
CertLedger: A new PKI model with Certificate Transparency based on blockchain
AbstractIn conventional PKI, CAs are assumed to be fully trusted. However, in practice, CAs’ absolute responsibility for providing trustworthiness caused major security and privacy issues. To prevent such issues, Google introduced the concept ...
Secure coding practices in Java: challenges and vulnerabilities
ICSE '18: Proceedings of the 40th International Conference on Software EngineeringThe Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on ...
Differential Testing of Certificate Validation in SSL/TLS Implementations: An RFC-guided Approach
Certificate validation in Secure Sockets Layer or Transport Layer Security protocol (SSL/TLS) is critical to Internet security. Thus, it is significant to check whether certificate validation in SSL/TLS implementations is correctly implemented. With ...
Comments