报告简介:
In this talk, we show how Grinch, the bad guy, could ruin our Christmas in the era of IoT. Particularly, we target a known manufacturer, APPLights. Their products include C9 lights, icicle light-strings, spotlight projectors, candy cane pathway markers and Kaleidoscope spotlights. They can often be seen in a local Home Depot store in the US during the winter holiday season. APPLights’ Android or iOS app can be used to control these lights through Bluetooth Low Energy (BLE). The app protects its source code using encryption by Qihoo 360 jiagubao, Java Native Interface (JNI) techniques, code obfuscation and supports password based user authentication at the application layer. We systematically perform static analysis and dynamic analysis of the app, and conduct traffic analysis of the BLE traffic to understand the security measures of the lighting system. With our replay attack, brute force attack and spoofing attack, we can control any product that uses the APPLights app.Extensive real world experiments are performed to validate the feasibility of these attacks. We present threat mitigation strategies such as more sophisticated code obfuscation and strong BLE pairing methods, and propose a practical solution taking cost and usability into account to fight the discovered attacks. While we focus on APPLights in this paper, results and observations from this study can be extended to other similar BLE applications such as medical devices for which user authentication is needed.
报告人简介:
Dr. Xinwen Fu is an associate professor in the Department of Computer Science, University of Central Florida. He received B.S. (1995) and M.S. (1998) in Electrical Engineering from Xi'an Jiaotong University, China and University of Science and Technology of China respectively. He obtained Ph.D. (2005) in Computer Engineering from Texas A&M University. Dr. Fu's current research interests are in network security and privacy, network forensics, computer forensics, information assurance, system reliability and networking QoS. Dr. Fu has been publishing papers in conferences such as IEEE Symposium on Security and Privacy (S&P), ACM Conference on Computer and Communications Security (CCS), ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), ACM Sensys (ACM Conference on Embedded Networked Sensor Systems), IEEE International Conference on Computer Communications (INFOCOM) and IEEE International Conference on Distributed Computing Systems (ICDCS),journals such as ACM/IEEE Transactions on Networking (ToN), IEEE Transactions on Dependable and Secure Computing (TDSC), IEEE Transactions on Parallel and Distributed Systems (TPDS), IEEE Transactions on Computers (TC), IEEE Transaction on Mobile Computing (TMC) and IEEE Transactions on Vehicular Technology (TVT), book and book chapters. He spoke at various technical security conferences including Black Hat. His research is supported by NSF.