DOI: 10.1145/3212480.3212496
research-article

Passwords in the Air: Harvesting Wi-Fi Credentials from SmartCfg Provisioning

Published: 18 June 2018

ABSTRACT

Smart devices without an interactive UI (e.g., a smart bulb) typically rely on specific provisioning schemes to connect to wireless networks. Among these provisioning schemes, SmartCfg is a popular technology for configuring the connection between smart devices and wireless routers. Although SmartCfg simplifies Wi-Fi configuration, existing solutions seldom give serious consideration to the protection of credentials and therefore introduce security threats against Wi-Fi credentials.

This paper conducts a security analysis of eight SmartCfg-based Wi-Fi provisioning solutions designed by different wireless module manufacturers. Our analysis demonstrates that six manufacturers provide flawed SmartCfg implementations that directly lead to the exposure of Wi-Fi credentials: attackers could exploit these flaws to obtain important credentials without any substantial effort spent on brute-force password cracking. Furthermore, we keep track of the smart devices that adopt such Wi-Fi provisioning solutions to investigate the influence of the security flaws on real-world products. By reverse engineering the corresponding apps of those smart devices, we conclude that the flawed SmartCfg implementations have a potentially wide impact on the security of smart home ecosystems.

Published in

WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks
June 2018
317 pages
ISBN: 9781450357319
DOI: 10.1145/3212480

Copyright © 2018 ACM

Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

• research-article
• Research
• Refereed limited

Acceptance Rates

Overall Acceptance Rate: 98 of 338 submissions, 29%
