Abstract

The rise of IoT devices has led to the proliferation of smart buildings, offices, and homes worldwide. Although commodity IoT devices are employed by ordinary end-users, complex environments such as smart buildings, government, or private smart offices, conference rooms, or hospitality require customized and highly reliable solutions. Those systems called Enterprise Internet of Things (EIoT) connect such environments to the Internet and are professionally managed solutions usually offered by dedicated vendors (e.g., Control4, Crestron, Lutron, etc.). As EIoT systems require specialized training, software, and equipment to deploy, many of these systems are closed-source and proprietary in nature. This has led to very little research investigating the security of EIoT systems and their components. In effect, EIoT systems in smart settings such as smart buildings present an unprecedented and unexplored threat vector for an attacker. In this work, we explore EIoT system vulnerabilities and insecure development practices. Specifically, focus on the usage of drivers as an attack mechanism, and introduce PoisonIvy, a number of novel attacks that demonstrate how it is possible for an attacker to easily attack and command EIoT system controllers using malicious drivers. Specifically, we show how drivers used to integrate third-party services and devices to EIoT systems can be trivially misused in a systematic fashion. To demonstrate the capabilities of attackers, we implement and evaluate PoisonIvy using a testbed of real EIoT devices in a smart building setting. We show that an attacker can easily perform DoS attacks, gain remote control, and maliciously abuse system resources (e.g., bitcoin mining) of EIoT systems. Further, we discuss the (in)securities in drivers and possible countermeasures. To the best of our knowledge, this is the first work to analyze the (in)securities of EIoT deployment practices and demonstrate the associated vulnerabilities in this ecosystem. With this work, we raise awareness on the (in)secure development practices used for EIoT systems, the consequences of which can largely impact the security, privacy, safety, reliability, and performance of millions, if not billions, of EIoT systems worldwide

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.