Abstract

Although extensive research has been conducted on securing the Internet of Things (IoT) communication protocols, various vulnerabilities and exploits are continuously discovered and reported. Since vulnerabilities are introduced either by insecure communication protocols or by defects in applications, it is difficult to identify them during the software development or testing phase. In this paper, we present IoTVerif, a system that automatically verifies the Secure Socket Layer/Transport Layer Security (SSL/TLS) certificate handling of IoT applications that utilize broker-based messaging protocols. IoTVerif constructs the specification of an IoT protocol and verifies its security properties without relying on prior knowledge about the communication protocol. Once the specification is constructed, a general-purpose model checker automatically verifies those properties and generates counter-examples if any property does not hold. We analyze the effectiveness of IoTVerif with real-world IoT-related applications. Our evaluation results show that IoTVerif can successfully identify vulnerabilities in IoT applications that are exploitable by man-in-the-middle (MITM) and TLS renegotiation attacks. IoTVerif holds great promise for reverse-engineering emerging IoT messaging protocols and identifying vulnerabilities in IoT-related applications.

Highlights

  • As a new computing paradigm, the Internet of Things (IoT) aims at connecting physical objects known as intelligent ‘‘things’’ with applications in different domains, such as personal, home, cities, energy management, agriculture, health care, and automotive, to monitor and collaborate at any time and from anywhere [1].

  • From the application’s perspective, we focus on the APIs in the application that are directly engaged in broker-based IoT protocol activities, such as establishing a connection, publishing and subscribing to messages, and disconnecting a connection, and denote them as A = {α1, α2, . . . , αi}.

  • We developed the computation tree logic (CTL) formulas based on the existence of Secure Socket Layer/Transport Layer Security (SSL/TLS) certificate validation in the client applications and the interaction between the application and the IoT broker.


Summary

INTRODUCTION

As a new computing paradigm, the Internet of Things (IoT) aims at connecting physical objects known as intelligent ‘‘things’’ with applications in different domains, such as personal, home, cities, energy management, agriculture, health care, and automotive, to monitor and collaborate at any time and from anywhere [1]. We present IoTVerif, a system that automatically verifies the security properties of an IoT communication session initiated by an application that uses an SSL/TLS certificate. IoTVerif first constructs the finite state machines (FSMs) that depict the interaction between the application and the IoT broker by correlating the live network trace of an application with its execution context. It then generates the specification with the security properties from the FSMs, which are verified in turn by a general-purpose model checker.
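As an added illustration (not code from the paper or from the IoTVerif system), the following Python sketch shows the shape of the check described above: a constructed client/broker FSM whose states are labelled with atomic propositions, and an explicit-state check of the CTL property AG (session -> cert_validated) that returns a counterexample trace when certificate validation is absent. The state names, labels and the property are assumptions made for this example.

```python
"""Explicit-state CTL check of a certificate-validation property over a
constructed app/broker FSM (example only; not the IoTVerif implementation)."""
from collections import deque


def sat_ex(states, trans, target):
    """States with at least one successor in `target` (EX target)."""
    return {s for s in states if any(t in target for t in trans.get(s, ()))}


def sat_ef(states, trans, target):
    """Least fixpoint: states from which some path reaches `target` (EF target)."""
    reach = set(target)
    while True:
        grown = reach | sat_ex(states, trans, reach)
        if grown == reach:
            return reach
        reach = grown


def check_ag(fsm, prop):
    """Verify AG prop. Returns (holds, counterexample_trace)."""
    states, trans, labels, init = fsm["states"], fsm["trans"], fsm["labels"], fsm["init"]
    bad = {s for s in states if not prop(labels[s])}
    if init not in sat_ef(states, trans, bad):      # AG p == not EF (not p)
        return True, []
    parent, queue = {init: None}, deque([init])      # BFS: shortest trace to a bad state
    while queue:
        s = queue.popleft()
        if s in bad:
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return False, trace[::-1]
        for t in trans.get(s, ()):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return False, []


def make_client_fsm(validates_cert):
    """Constructed FSM of a broker-based client: connect, subscribe, publish, disconnect."""
    states = ["idle", "handshake", "connected", "subscribed", "published", "closed"]
    trans = {"idle": ["handshake"], "handshake": ["connected"],
             "connected": ["subscribed", "published", "closed"],
             "subscribed": ["published", "closed"], "published": ["subscribed", "closed"],
             "closed": ["idle"]}
    verified = {"cert_validated"} if validates_cert else set()   # assumed label
    labels = {"idle": set(), "handshake": {"tls"}, "closed": set()}
    for s in ("connected", "subscribed", "published"):
        labels[s] = {"session"} | verified
    return {"states": states, "trans": trans, "labels": labels, "init": "idle"}


def no_unverified_session(props):
    """Atomic check for the CTL formula AG (session -> cert_validated)."""
    return "session" not in props or "cert_validated" in props
```

The trace returned for the non-validating client (idle, handshake, connected) is the counter-example a model checker would report: a broker session reached without any certificate validation.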

