Show simple item record

dc.contributor.author: Paracha, Muhammad Talha
dc.contributor.author: Dubois, Daniel J.
dc.contributor.author: Vallina-Rodriguez, Narseo
dc.contributor.author: Choffnes, David
dc.date.accessioned: 2021-10-11T11:54:34Z
dc.date.available: 2021-10-11T11:54:34Z
dc.date.issued: 2021-11
dc.identifier.uri: http://hdl.handle.net/20.500.12761/1516
dc.description.abstract: Consumer IoT devices are becoming increasingly popular, with most leveraging TLS to provide connection security. In this work, we study a large number of TLS-enabled consumer IoT devices to shed light on how effectively they use TLS, in terms of establishing secure connections and correctly validating certificates, and how observed behavior changes over time. To this end, we gather more than two years of TLS network traffic from IoT devices, conduct active probing to test for vulnerabilities, and develop a novel black-box technique for exploring the trusted root stores in IoT devices by exploiting a side-channel through TLS Alert Messages. We find a wide range of behaviors across devices, with some adopting best security practices but most being vulnerable in one or more of the following ways: use of old/insecure protocol versions and/or ciphersuites, lack of certificate validation, and poor maintenance of root stores. Specifically, we find that at least 8 IoT devices still include distrusted certificates in their root stores, 11/32 devices are vulnerable to TLS interception attacks, and that many devices fail to adopt modern protocol features over time. Our findings motivate the need for IoT manufacturers to audit, upgrade, and maintain their devices’ TLS implementations in a consistent and uniform way that safeguards all of their network traffic. [es]
dc.description.sponsorship: USA NSF [es]
dc.description.sponsorship: EU H2020 [es]
dc.description.sponsorship: Spanish Ministry of Science [es]
dc.description.sponsorship: Consumer Reports [es]
dc.language.iso: eng [es]
dc.title: IoTLS: Understanding TLS Usage in Consumer IoT Devices [es]
dc.type: conference object [es]
dc.conference.date: 2-4 November 2021 [es]
dc.conference.place: Virtual [es]
dc.conference.title: Internet Measurement Conference [*]
dc.event.type: conference [es]
dc.pres.type: paper [es]
dc.type.hasVersion: AM [es]
dc.rights.accessRights: open access [es]
dc.acronym: IMC [*]
dc.rank: A [*]
dc.relation.projectID: info:eu-repo/grantAgreement/EU/H2020/101021377 [es]
dc.relation.projectName: TRUST aWARE [es]
dc.relation.projectName: ODIO (Open Digital Identity Observatory) [es]
dc.subject.keyword: TLS [es]
dc.subject.keyword: IoT [es]
dc.subject.keyword: Transparency [es]
dc.description.refereed: TRUE [es]
dc.description.status: inpress [es]

