PoisonIvy: (In)secure Practices of Enterprise IoT Systems in Smart Buildings
Conference
Rondon, LP, Babun, L, Aris, A et al. (2020). PoisonIvy: (In)secure Practices of Enterprise IoT Systems in Smart Buildings
. 130-139. 10.1145/3408308.3427606
Rondon, LP, Babun, L, Aris, A et al. (2020). PoisonIvy: (In)secure Practices of Enterprise IoT Systems in Smart Buildings
. 130-139. 10.1145/3408308.3427606
The rise of IoT devices has led to the proliferation of smart buildings, offices, and homes worldwide. Although commodity IoT devices are employed by ordinary end-users, complex environments such as smart buildings, government, or private smart offices, conference rooms, or hospitality require customized and highly reliable solutions. Those systems called Enterprise Internet of Things (EIoT) connect such environments to the Internet and are professionally managed solutions usually offered by dedicated vendors (e.g., Control4, Crestron, Lutron, etc.). As EIoT systems require specialized training, software, and equipment to deploy, many of these systems are closed-source and proprietary in nature. This has led to very little research investigating the security of EIoT systems and their components. In effect, EIoT systems in smart settings such as smart buildings present an unprecedented and unexplored threat vector for an attacker. In this work, we explore EIoT system vulnerabilities and insecure development practices. Specifically, focus on the usage of drivers as an attack mechanism, and introduce PoisonIvy, a number of novel attacks that demonstrate how it is possible for an attacker to easily attack and command EIoT system controllers using malicious drivers. Specifically, we show how drivers used to integrate third-party services and devices to EIoT systems can be trivially misused in a systematic fashion. To demonstrate the capabilities of attackers, we implement and evaluate PoisonIvy using a testbed of real EIoT devices in a smart building setting. We show that an attacker can easily perform DoS attacks, gain remote control, and maliciously abuse system resources (e.g., bitcoin mining) of EIoT systems. Further, we discuss the (in)securities in drivers and possible countermeasures. To the best of our knowledge, this is the first work to analyze the (in)securities of EIoT deployment practices and demonstrate the associated vulnerabilities in this ecosystem. With this work, we raise awareness on the (in)secure development practices used for EIoT systems, the consequences of which can largely impact the security, privacy, safety, reliability, and performance of millions, if not billions, of EIoT systems worldwide
