LightningStrike: (In)secure practices of E-IoT systems in the wild (Conference)

Rondon, LP, Babun, L, Aris, A et al. (2021). LightningStrike: (In)secure practices of E-IoT systems in the wild. 106-116. doi:10.1145/3448300.3467830

cited authors

  • Rondon, LP; Babun, L; Aris, A; Akkaya, K; Uluagac, AS

abstract

  • The widespread adoption of specialty smart ecosystems has changed the everyday lives of users. As a part of smart ecosystems, Enterprise Internet of Things (E-IoT) allows users to integrate and control more complex installations in comparison to off-the-shelf IoT systems. With E-IoT, users have complete control of audio, video, scheduled events, lighting fixtures, shades, door access, and relays via available user interfaces. As such, these systems see widespread use in government or smart private offices, schools, smart buildings, professional conference rooms, hotels, smart homes, yachts, and similar professional settings. However, even with their widespread use, the security of many E-IoT systems has not been researched in the literature. Further, many E-IoT systems utilize proprietary communication protocols that rely mostly on security through obscurity, which has perhaps led many users to mistakenly assume that these systems are secure. To address this open research problem and determine if E-IoT systems are vulnerable, we focus on one of the core E-IoT components, E-IoT communication buses. Communication buses are used by E-IoT proprietary protocols to connect multiple E-IoT devices (e.g., keypads and touchscreens) and trigger pre-configured events upon user actions. In this study, we introduce LightningStrike, the implementation of four proof-of-concept attacks that demonstrate several weaknesses in E-IoT proprietary communication protocols through communication buses. With LightningStrike, we show that it is feasible for an attacker to compromise E-IoT systems using E-IoT communication buses. We demonstrate that popular E-IoT proprietary communication protocols are susceptible to Denial-of-Service, eavesdropping, impersonation, and replay attacks. As E-IoT systems control physical access, safety components, and emergency equipment, an attacker with a low level of knowledge and effort can easily exploit E-IoT vulnerabilities to impact the security and safety of users, smart systems, and smart buildings worldwide.

publication date

  • June 21, 2021

Digital Object Identifier (DOI)

  • 10.1145/3448300.3467830

start page

  • 106

end page

  • 116