A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices

A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices

Tutkimuksessa tarkastellaan IoT laitteiden tietoturvaa ja niiden haavoittu-vuuksia tapaustutkimusmenetelmää käyttäen. IoT laitteiden määrä on kasvanut räjähdysmäisesti ja jopa normaalit kodinkoneet alkavat olla yhdistettynä internetiin. Tämä johtaa siihen, että hyökkäyspinta-ala kasvaa räjähdysmäise...

Täydet tiedot

Bibliografiset tiedot
Päätekijä: Jokela, Patrik
Muut tekijät: Informaatioteknologian tiedekunta, Faculty of Information Technology, Informaatioteknologia, Information Technology, Jyväskylän yliopisto, University of Jyväskylä
Aineistotyyppi: Pro gradu
Kieli:eng
Julkaistu: 2023
Aiheet:
Penetration testing
Vulnerabilities
Exploit
Denial-of-Service
Amplification attack
Response size amplification
Kyberturvallisuus
601
esineiden internet
kyberturvallisuus
turvallisuus
verkkohyökkäykset
Internet of things
cyber security
safety and security
cyber attacks
Linkit: https://jyx.jyu.fi/handle/123456789/86729
_version_ 1826225751021584384
author Jokela, Patrik
author2 Informaatioteknologian tiedekunta Faculty of Information Technology Informaatioteknologia Information Technology Jyväskylän yliopisto University of Jyväskylä
author_facet Jokela, Patrik Informaatioteknologian tiedekunta Faculty of Information Technology Informaatioteknologia Information Technology Jyväskylän yliopisto University of Jyväskylä Jokela, Patrik Informaatioteknologian tiedekunta Faculty of Information Technology Informaatioteknologia Information Technology Jyväskylän yliopisto University of Jyväskylä
author_sort Jokela, Patrik
datasource_str_mv jyx
description Tutkimuksessa tarkastellaan IoT laitteiden tietoturvaa ja niiden haavoittu-vuuksia tapaustutkimusmenetelmää käyttäen. IoT laitteiden määrä on kasvanut räjähdysmäisesti ja jopa normaalit kodinkoneet alkavat olla yhdistettynä internetiin. Tämä johtaa siihen, että hyökkäyspinta-ala kasvaa räjähdysmäisesti ja välttämättä tietoturva ei pysy perässä. Tämän takia on syytä jatkuvasti tarkastella markkinoilla olevien laitteiden tietoturvaa ja niistä mahdollisesti löytyviä haavoittuvuuksia. Kirjallisuutta tarkastelemalla havaittiin, että yleisimmät tietoturvaa vaarantavat asiat ovat olleet oletuskäyttäjätunnukset, sekä tarpeettomat verkko-palvelut. Tutkimuksessa kuitenkin havaittiin, että nykyään IoT laitteista ei löydy oletuskäyttäjätunnuksia eikä tarpeettomia verkkopalveluita. Tällä het-kellä suurimman vaaran IoT laitteille aiheuttaa automaattisten päivitysten puuttuminen, sekä perustamisvaiheessa nykyisen käyttöjärjestelmän version tarkastaminen uusien päivitysten varalta. Tämä saattaa jättää laitteita, jotka sisältävät tunnettuja haavoittuvuuksia pitkäksikin aikaa kodin verkkoon ennen uuden päivityksen asentamista. Tutkimuksessa havaittiin uusi hyökkäystekniikka (response size amplification), jonka avulla oli mahdollista aiheuttaa palvelunestotilanne tutkimuksessa olleelle reitittimelle. Tälle haavoittuvuudelle annettiin CVE-ÌD: CVE-2023-25644. Tutkimuksessa tehtiin yhteensä kolme tietoturvahavaintoa, jotka nähtiin tarpeelliseksi raportoida laitteista vastaaville tahoille. In this research the security and vulnerabilities of IoT devices is inspected by using empirical case study approach. The amount of IoT devices has grown rapidly over the recent years and even normal household apparatus have started to be connected to the internet. This leads to the rapid growth of attack surface and the security of the IoT devices cannot keep up. This is why it is necessary to continuously inspect the level of security and vulnerabilities of the IoT devices at the market. By reviewing the literature, it was observed that the most common security hindering things were default credentials and unnecessary network services. In the research however it was found out that the IoT devices currently in the market do not use default credentials or unnecessary network services any-more. It was discovered that currently the most common security hindering thing was the missing or disabled automatic updates and not checking for current firmware version for new updates when setting up the device. This may leave devices with known critical vulnerabilities in the home network for long periods of time before newest update is installed. In this research new attack technique was discovered (response size amplification), which made it possible to cause a Denial-of-Service situation to the router in research. This vulnerability received CVE-ID: CVE-2023-25644. In this research total of three security findings were made which were seen as necessary to report further to the team in charge of the vulnerabilities in the corresponding company.
first_indexed 2024-09-11T08:52:42Z
format Pro gradu
free_online_boolean 1
fullrecord [{"key": "dc.contributor.advisor", "value": "Frantti, Tapio", "language": "", "element": "contributor", "qualifier": "advisor", "schema": "dc"}, {"key": "dc.contributor.author", "value": "Jokela, Patrik", "language": "", "element": "contributor", "qualifier": "author", "schema": "dc"}, {"key": "dc.date.accessioned", "value": "2023-05-03T04:57:15Z", "language": null, "element": "date", "qualifier": "accessioned", "schema": "dc"}, {"key": "dc.date.available", "value": "2023-05-03T04:57:15Z", "language": null, "element": "date", "qualifier": "available", "schema": "dc"}, {"key": "dc.date.issued", "value": "2023", "language": "", "element": "date", "qualifier": "issued", "schema": "dc"}, {"key": "dc.identifier.uri", "value": "https://jyx.jyu.fi/handle/123456789/86729", "language": null, "element": "identifier", "qualifier": "uri", "schema": "dc"}, {"key": "dc.description.abstract", "value": "Tutkimuksessa tarkastellaan IoT laitteiden tietoturvaa ja niiden haavoittu-vuuksia tapaustutkimusmenetelm\u00e4\u00e4 k\u00e4ytt\u00e4en. IoT laitteiden m\u00e4\u00e4r\u00e4 on kasvanut r\u00e4j\u00e4hdysm\u00e4isesti ja jopa normaalit kodinkoneet alkavat olla yhdistettyn\u00e4 internetiin. T\u00e4m\u00e4 johtaa siihen, ett\u00e4 hy\u00f6kk\u00e4yspinta-ala kasvaa r\u00e4j\u00e4hdysm\u00e4isesti ja v\u00e4ltt\u00e4m\u00e4tt\u00e4 tietoturva ei pysy per\u00e4ss\u00e4. T\u00e4m\u00e4n takia on syyt\u00e4 jatkuvasti tarkastella markkinoilla olevien laitteiden tietoturvaa ja niist\u00e4 mahdollisesti l\u00f6ytyvi\u00e4 haavoittuvuuksia. \nKirjallisuutta tarkastelemalla havaittiin, ett\u00e4 yleisimm\u00e4t tietoturvaa vaarantavat asiat ovat olleet oletusk\u00e4ytt\u00e4j\u00e4tunnukset, sek\u00e4 tarpeettomat verkko-palvelut. Tutkimuksessa kuitenkin havaittiin, ett\u00e4 nyky\u00e4\u00e4n IoT laitteista ei l\u00f6ydy oletusk\u00e4ytt\u00e4j\u00e4tunnuksia eik\u00e4 tarpeettomia verkkopalveluita. T\u00e4ll\u00e4 het-kell\u00e4 suurimman vaaran IoT laitteille aiheuttaa automaattisten p\u00e4ivitysten puuttuminen, sek\u00e4 perustamisvaiheessa nykyisen k\u00e4ytt\u00f6j\u00e4rjestelm\u00e4n version tarkastaminen uusien p\u00e4ivitysten varalta. T\u00e4m\u00e4 saattaa j\u00e4tt\u00e4\u00e4 laitteita, jotka sis\u00e4lt\u00e4v\u00e4t tunnettuja haavoittuvuuksia pitk\u00e4ksikin aikaa kodin verkkoon ennen uuden p\u00e4ivityksen asentamista.\nTutkimuksessa havaittiin uusi hy\u00f6kk\u00e4ystekniikka (response size amplification), jonka avulla oli mahdollista aiheuttaa palvelunestotilanne tutkimuksessa olleelle reitittimelle. T\u00e4lle haavoittuvuudelle annettiin CVE-\u00ccD: CVE-2023-25644. Tutkimuksessa tehtiin yhteens\u00e4 kolme tietoturvahavaintoa, jotka n\u00e4htiin tarpeelliseksi raportoida laitteista vastaaville tahoille.", "language": "fi", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.abstract", "value": "In this research the security and vulnerabilities of IoT devices is inspected by using empirical case study approach. The amount of IoT devices has grown rapidly over the recent years and even normal household apparatus have started to be connected to the internet. This leads to the rapid growth of attack surface and the security of the IoT devices cannot keep up. This is why it is necessary to continuously inspect the level of security and vulnerabilities of the IoT devices at the market.\nBy reviewing the literature, it was observed that the most common security hindering things were default credentials and unnecessary network services. In the research however it was found out that the IoT devices currently in the market do not use default credentials or unnecessary network services any-more. It was discovered that currently the most common security hindering thing was the missing or disabled automatic updates and not checking for current firmware version for new updates when setting up the device. This may leave devices with known critical vulnerabilities in the home network for long periods of time before newest update is installed. \nIn this research new attack technique was discovered (response size amplification), which made it possible to cause a Denial-of-Service situation to the router in research. This vulnerability received CVE-ID: CVE-2023-25644. In this research total of three security findings were made which were seen as necessary to report further to the team in charge of the vulnerabilities in the corresponding company.", "language": "en", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Submitted by Miia Hakanen (mihakane@jyu.fi) on 2023-05-03T04:57:15Z\nNo. of bitstreams: 0", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Made available in DSpace on 2023-05-03T04:57:15Z (GMT). No. of bitstreams: 0\n Previous issue date: 2023", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.format.extent", "value": "58", "language": "", "element": "format", "qualifier": "extent", "schema": "dc"}, {"key": "dc.language.iso", "value": "eng", "language": null, "element": "language", "qualifier": "iso", "schema": "dc"}, {"key": "dc.rights", "value": "In Copyright", "language": null, "element": "rights", "qualifier": null, "schema": "dc"}, {"key": "dc.subject.other", "value": "Penetration testing", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "Vulnerabilities", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "Exploit", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "Denial-of-Service", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "Amplification attack", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "Response size amplification", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.title", "value": "A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices", "language": "", "element": "title", "qualifier": null, "schema": "dc"}, {"key": "dc.type", "value": "master thesis", "language": null, "element": "type", "qualifier": null, "schema": "dc"}, {"key": "dc.identifier.urn", "value": "URN:NBN:fi:jyu-202305032824", "language": "", "element": "identifier", "qualifier": "urn", "schema": "dc"}, {"key": "dc.type.ontasot", "value": "Master\u2019s thesis", "language": "en", "element": "type", "qualifier": "ontasot", "schema": "dc"}, {"key": "dc.type.ontasot", "value": "Pro gradu -tutkielma", "language": "fi", "element": "type", "qualifier": "ontasot", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Informaatioteknologian tiedekunta", "language": "fi", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Faculty of Information Technology", "language": "en", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Informaatioteknologia", "language": "fi", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Information Technology", "language": "en", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "Jyv\u00e4skyl\u00e4n yliopisto", "language": "fi", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "University of Jyv\u00e4skyl\u00e4", "language": "en", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Kyberturvallisuus", "language": "fi", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Kyberturvallisuus", "language": "en", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "yvv.contractresearch.funding", "value": "0", "language": "", "element": "contractresearch", "qualifier": "funding", "schema": "yvv"}, {"key": "dc.type.coar", "value": "http://purl.org/coar/resource_type/c_bdcc", "language": null, "element": "type", "qualifier": "coar", "schema": "dc"}, {"key": "dc.rights.copyright", "value": "\u00a9 The Author(s)", "language": null, "element": "rights", "qualifier": "copyright", "schema": "dc"}, {"key": "dc.rights.accesslevel", "value": "openAccess", "language": null, "element": "rights", "qualifier": "accesslevel", "schema": "dc"}, {"key": "dc.type.publication", "value": "masterThesis", "language": null, "element": "type", "qualifier": "publication", "schema": "dc"}, {"key": "dc.subject.oppiainekoodi", "value": "601", "language": "", "element": "subject", "qualifier": "oppiainekoodi", "schema": "dc"}, {"key": "dc.subject.yso", "value": "esineiden internet", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "kyberturvallisuus", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "turvallisuus", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "verkkohy\u00f6kk\u00e4ykset", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "Internet of things", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "cyber security", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "safety and security", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "cyber attacks", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.rights.url", "value": "https://rightsstatements.org/page/InC/1.0/", "language": null, "element": "rights", "qualifier": "url", "schema": "dc"}]
id jyx.123456789_86729
language eng
last_indexed 2025-02-18T10:56:51Z
main_date 2023-01-01T00:00:00Z
main_date_str 2023
online_boolean 1
online_urls_str_mv {"url":"https:\/\/jyx.jyu.fi\/bitstreams\/e42d8ea4-2802-4421-ac66-5243deb1bd08\/download","text":"URN:NBN:fi:jyu-202305032824.pdf","source":"jyx","mediaType":"application\/pdf"}
publishDate 2023
record_format qdc
source_str_mv jyx
spellingShingle Jokela, Patrik A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices Penetration testing Vulnerabilities Exploit Denial-of-Service Amplification attack Response size amplification Kyberturvallisuus 601 esineiden internet kyberturvallisuus turvallisuus verkkohyökkäykset Internet of things cyber security safety and security cyber attacks
title A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
title_full A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
title_fullStr A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
title_full_unstemmed A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
title_short A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
title_sort quantitative analysis of vulnerabilities and exploits in home iot devices
title_txtP A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
topic Penetration testing Vulnerabilities Exploit Denial-of-Service Amplification attack Response size amplification Kyberturvallisuus 601 esineiden internet kyberturvallisuus turvallisuus verkkohyökkäykset Internet of things cyber security safety and security cyber attacks
topic_facet 601 Amplification attack Denial-of-Service Exploit Internet of things Kyberturvallisuus Penetration testing Response size amplification Vulnerabilities cyber attacks cyber security esineiden internet kyberturvallisuus safety and security turvallisuus verkkohyökkäykset
url https://jyx.jyu.fi/handle/123456789/86729 http://www.urn.fi/URN:NBN:fi:jyu-202305032824
work_keys_str_mv AT jokelapatrik aquantitativeanalysisofvulnerabilitiesandexploitsinhomeiotdevices AT jokelapatrik quantitativeanalysisofvulnerabilitiesandexploitsinhomeiotdevices

Samankaltaisia teoksia