The Internet of Things has changed the way we interact with the environment around us in our daily life, and it is increasingly common to find more than one IoT device in our home. However, the current design approaches adopted by the vendors are more oriented towards customer usability than to security. This often results in more and more devices exposing serious security problems. This work focuses on the security implications, i.e. the threats and the risks, of the current IoT pairing mechanisms and represents a step forward in the definition of our automated penetration testing methodology. In addition to the general threat model for a general IoT pairing process, we present the analysis of a QR code-based pairing mechanism implemented by a class of devices taken from the real market, which led to the identification of two vulnerabilities, one of which was publicly disclosed as CVE-2021-27941.
Security in IoT pairing & authentication protocols, a threat model and a case study analysis / Granata, D.; Rak, M.; Salzillo, G.; Barbato, U. - 2940:(2021), pp. 207-218. (Paper presented at the 5th Italian Conference on Cybersecurity, ITASEC 2021, held in 2021).
Security in IoT pairing & authentication protocols, a threat model and a case study analysis
Granata D.;Rak M.;
2021
File | Size | Format |
---|---|---|
paper18.pdf (not available; License: Not specified) | 714.11 kB | Adobe PDF |