IS YOUR KETTLE SMARTER THAN A HACKER?
A Scalable Tool for Assessing Replay Attack Vulnerabilities on Consumer IoT Devices
Sara Lazzaro (Mediterranea University of Reggio Calabria), Vincenzo De Angelis (University of Calabria), Anna Maria Mandalari (University College London) (University College London), Francesco Buccafurri (Mediterranea University of Reggio Calabria)
Last updated: 13/03/2024
News
- 23/03/2023. This research has been accepted for publication at the 22nd International Conference on Pervasive Computing and Communications (PerCom 2024) (PerCom2024) with the paper titled “Is Your Kettle Smarter Than a Hacker? A Scalable Tool for Assessing Replay Attack Vulnerabilities on Consumer IoT Devices.“
Abstract
Consumer Internet of Things (IoT) devices often leverage the local network to communicate with the corresponding companion app or other devices. This has benefits in terms of efficiency since it offloads the cloud. ENISA and NIST security guidelines underscore the importance of enabling default local communication for safety and reliability. Indeed, an IoT device should continue to function in case the cloud connection is not available. While the security of cloud-device connections is typically strengthened through the usage of standard protocols, local connectivity security is frequently overlooked. Neglecting the security of local communication opens doors to various threats, including replay attacks. In this paper, we investigate this class of attacks by designing a systematic methodology for automatically testing IoT devices vulnerability to replay attacks. Specifically, we propose a tool, named REPLIOT, able to test whether a replay attack is successful or not, without prior knowledge of the target devices. We perform thousands of automated experiments using popular commercial devices spanning various vendors and categories. Notably, our study reveals that among these devices, 51% of them do not support local connectivity, thus they are not compliant with the reliability and safety requirements of the ENISA/NIST guidelines. We find that 75% of the remaining devices are vulnerable to replay attacks with REPLIOT having a detection accuracy of 0.98-1. Finally, we investigate the possible causes of this vulnerability, discussing possible mitigation strategies.
About this publication
Our research will be published in the proceedings of the International Conference on Pervasive Computing and Communications (PerCom 2024) (PerCom2023)
Paper title: Is Your Kettle Smarter Than a Hacker? A Scalable Tool for Assessing Replay Attack Vulnerabilities on Consumer IoT Devices.
Authors: Sara Lazzaro (Mediterranea University of Reggio Calabria), Vincenzo De Angelis (University of Calabria), Anna Maria Mandalari (University College London), Francesco Buccafurri (Mediterranea University of Reggio Calabria))
Full Text (PDF): pre-print
available; print
available
Software: available on Github
Presentation: available on OneDrive
Citation:
@INPROCEEDINGS{10494466,
author={Lazzaro, Sara and De Angelis, Vincenzo and Mandalari, Anna Maria and Buccafurri, Francesco},
booktitle={2024 IEEE International Conference on Pervasive Computing and Communications (PerCom)},
title={Is Your Kettle Smarter Than a Hacker? A Scalable Tool for Assessing Replay Attack Vulnerabilities on Consumer IoT Devices},
year={2024},
volume={},
number={},
pages={114-124},
keywords={Performance evaluation;Cloud computing;Systematics;Natural language processing;Internet of Things;Security;Reliability;Internet of Things;replay attack;security;privacy;IoT device},
doi={10.1109/PerCom59722.2024.10494466}}
Acknowledgments
- This research was partially supported by:
- EPSRC PETRAS National Centre of Excellence for IoT Systems Cybersecurity (EP/S035362/1)
- SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU