Web-based attacks to discover and control local IoT devices

Gunes Acar, Danny Yuxing Huang, Frank Li, Arvind Narayanan, Nick Feamster

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this paper, we present two web-based attacks against local IoT devices that any malicious web page or third-party script can perform, even when the devices are behind NATs. In our attack scenario, a victim visits the attacker's website, which contains a malicious script that communicates with IoT devices on the local network that have open HTTP servers. We show how the malicious script can circumvent the same-origin policy by exploiting error messages on the HTML5 MediaError interface or by carrying out DNS rebinding attacks. We demonstrate that the attacker can gather sensitive information from the devices (e.g., unique device identifiers and precise geolocation), track and profile the owners to serve ads, or control the devices by playing arbitrary videos and rebooting. We propose potential countermeasures to our attacks that users, browsers, DNS providers, and IoT vendors can implement.

Original language: English (US)
Title of host publication: IoT S and P 2018 - Proceedings of the 2018 Workshop on IoT Security and Privacy, Part of SIGCOMM 2018
Publisher: Association for Computing Machinery, Inc
Pages: 29-35
Number of pages: 7
ISBN (Electronic): 9781450359054
State: Published - Aug 7 2018
Event: 2nd ACM SIGCOMM Workshop on the Internet-of-Things Security and Privacy, IoT S and P 2018 - Budapest, Hungary
Duration: Aug 20 2018 → …

Publication series

Name: IoT S and P 2018 - Proceedings of the 2018 Workshop on IoT Security and Privacy, Part of SIGCOMM 2018

Conference

Conference: 2nd ACM SIGCOMM Workshop on the Internet-of-Things Security and Privacy, IoT S and P 2018
Country/Territory: Hungary
City: Budapest
Period: 8/20/18 → …

Keywords

  • DNS rebinding
  • Internet of Things
  • JavaScript
  • Privacy

ASJC Scopus subject areas

  • Computer Networks and Communications
