Behind the Scenes: Uncovering TLS and Server Certificate Practice of IoT Device Vendors in the Wild

Hongying Dong, Hao Shu, Vijay Prakash, Yizhe Zhang, Muhammad Talha Paracha, David Choffnes, Santiago Torres-Arias, Danny Yuxing Huang, Yixin Sun

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

IoT devices are increasingly used in consumer homes. Despite recent works in characterizing IoT TLS usage for a limited number of in-lab devices, there exists a gap in quantitatively understanding TLS behaviors from devices in the wild and server-side certificate management. To bridge this knowledge gap, we conduct a new measurement study by focusing on the practice of device vendors, through a crowdsourced dataset of network traffic from 2,014 real-world IoT devices across 721 global users. By quantifying the sharing of TLS fingerprints across vendors and across devices, we uncover the prevalent use of customized TLS libraries (i.e., not matched to any known TLS libraries) and potential security concerns resulting from co-located TLS stacks of different services. Furthermore, we present the first known study on server-side certificate management for servers contacted by IoT devices. Our study highlights potential concerns in the TLS/PKI practice by IoT device vendors. We aim to raise visibility for these issues and motivate vendors to improve security practice.

Original language: English (US)
Title of host publication: IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference
Publisher: Association for Computing Machinery
Pages: 457-477
Number of pages: 21
ISBN (Electronic): 9798400703829
State: Published - Oct 24 2023
Event: 23rd Edition of the ACM Internet Measurement Conference, IMC 2023 - Montreal, Canada
Duration: Oct 24 2023 to Oct 26 2023

Publication series

Name: Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Conference

Conference: 23rd Edition of the ACM Internet Measurement Conference, IMC 2023
Country/Territory: Canada
City: Montreal
Period: 10/24/23 to 10/26/23

Keywords

  • internet of things
  • iot
  • measurements
  • network security
  • pki
  • public key infrastructure
  • tls
  • transport layer security

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
