Luis Puche Rondon, Leonardo Babun, Ahmet Aris, Kemal Akkaya, A. Selcuk Uluagac
LGuard: Securing Enterprise-IoT Systems against Serial-Based Attacks via Proprietary Communication Buses Journal Article
ACM Digital Threats: Research and Practice, 2023.
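@article{PucheIoT,
  title     = {{LGuard}: Securing {Enterprise-IoT} Systems against Serial-Based Attacks via Proprietary Communication Buses},
  author    = {Puche Rondon, Luis and Babun, Leonardo and Aris, Ahmet and Akkaya, Kemal and Uluagac, A. Selcuk},
  journal   = {Digital Threats: Research and Practice},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  year      = {2023},
  date      = {2023-03-01},
  doi       = {10.1145/3555721},
  url       = {https://doi.org/10.1145/3555721},
  urldate   = {2023-03-01},
  abstract  = {Enterprise Internet of Things (E-IoT) systems allow users to control audio, video, scheduled events, lighting fixtures, door access, and relays in complex smart installations. These systems are widely used in government or smart private offices, smart buildings/homes, conference rooms, schools, hotels, and similar professional settings. However, even with their widespread use, the security of many E-IoT systems and components has not been researched in the literature. To address this research gap, we focus on E-IoT communication buses, one of the core components used to connect E-IoT devices, and introduce LightningStrike attacks that demonstrate several weaknesses in the E-IoT proprietary communication protocols used on E-IoT communication buses. Specifically, we show that popular E-IoT proprietary communication protocols are susceptible to Denial-of-Service (DoS), eavesdropping, impersonation, and replay attacks. As such threats cannot be mitigated through traditional defense mechanisms due to the limitations posed by E-IoT, we propose LGuard, a defense system to protect E-IoT systems against attacks over communication buses. LGuard uses closed-circuit television footage and computer vision techniques to detect replay attacks. For impersonation and DoS attacks, LGuard utilizes traffic analysis. Finally, LGuard obfuscates the E-IoT traffic by inserting redundant traffic on the bus to counter eavesdropping attacks. We evaluated the performance of LGuard in a realistic E-IoT deployment, and our detailed evaluations show that LGuard achieves an overall accuracy and precision of 99\% in detecting DoS, impersonation, and replay attacks while effectively increasing the difficulty of extracting valuable information for eavesdroppers. In addition, LGuard does not incur any operational overhead or modification to the existing E-IoT system.},
  keywords  = {Enterprise Security, IoT Security},
  pubstate  = {published},
  tppubtype = {article}
}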
Luis Puche Rondon, Leonardo Babun, Ahmet Aris, Kemal Akkaya, Selcuk Uluagac
Ivycide: Smart Intrusion Detection System Against E-IoT Driver Threats Journal Article
IEEE Internet of Things Journal, 2023.
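@article{LuisiVYCIDE,
  title     = {{Ivycide}: Smart Intrusion Detection System Against {E-IoT} Driver Threats},
  author    = {Puche Rondon, Luis and Babun, Leonardo and Aris, Ahmet and Akkaya, Kemal and Uluagac, A. Selcuk},
  journal   = {{IEEE} Internet of Things Journal},
  publisher = {IEEE},
  year      = {2023},
  date      = {2023-01-01},
  url       = {https://ieeexplore.ieee.org/document/9849838},
  urldate   = {2023-01-01},
  abstract  = {The rise of Internet of Things (IoT) devices has led to the proliferation of smart environments worldwide. Although commodity IoT devices are employed by ordinary end users, complex environments such as smart buildings, government or private offices, or conference rooms require customized and highly reliable IoT solutions. Enterprise IoT (E-IoT) systems connect such environments to the Internet and are professionally managed solutions usually offered by dedicated vendors. As E-IoT systems require specialized training, closed-source software, and proprietary equipment to deploy, they present an unprecedented, under-researched, and unexplored threat vector for an attacker. In this work, we focus on E-IoT drivers, software modules used to integrate devices into E-IoT systems, as an attack mechanism. We first present PoisonIvy, a series of generalized proof-of-concept attacks used to demonstrate that an attacker can use a malicious driver to perform denial-of-service attacks, gain remote control, and abuse E-IoT system resources. To defend against E-IoT driver-based threats, we introduce Ivycide, a novel intrusion detection system used to detect unexpected E-IoT network traffic from an E-IoT system. Ivycide operates as a passive monitoring system within an E-IoT system, using machine learning and signature-based classification to detect PoisonIvy attacks. We evaluated the performance of Ivycide in a realistic E-IoT deployment. Our detailed evaluation results show that Ivycide achieves an average accuracy of 97\% in classifying the type of PoisonIvy attack and operates without modifications or operational overhead to the existing E-IoT systems.},
  keywords  = {Enterprise Security, IoT Security},
  pubstate  = {published},
  tppubtype = {article}
}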
Luis Puche, Ahmet Aris, Leonardo Babun, Kemal Akkaya, A. Selcuk Uluagac
Survey on Enterprise Internet-of-Things Systems (E-IoT): A Security Perspective Journal Article
Ad Hoc Networks (Elsevier), 2021.
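@article{puche2021survey,
  title         = {Survey on {Enterprise Internet-of-Things} Systems ({E-IoT}): A Security Perspective},
  author        = {Puche, Luis and Aris, Ahmet and Babun, Leonardo and Akkaya, Kemal and Uluagac, A. Selcuk},
  journal       = {Ad Hoc Networks},
  publisher     = {Elsevier},
  year          = {2021},
  date          = {2021-01-01},
  url           = {https://www.sciencedirect.com/science/article/pii/S1570870521002171},
  urldate       = {2021-01-01},
  abstract      = {As technology becomes more widely available, millions of users worldwide have installed some form of smart device in their homes or workplaces. These devices are often off-the-shelf commodity systems, such as Google Home or Samsung SmartThings, that are installed by end users looking to automate a small deployment. In contrast to these plug-and-play systems, purpose-built Enterprise Internet-of-Things (E-IoT) systems such as Crestron, Control4, RTI, and Savant offer a smart solution for more sophisticated applications (e.g., complete lighting control, A/V management, security). In contrast to commodity systems, E-IoT systems are usually closed source, costly, require certified installers, and are overall more robust for their use cases. Due to this, E-IoT systems are often found in expensive smart homes, government and academic conference rooms, yachts, and smart private offices. However, while there has},
  internal-note = {Abstract is truncated at the source (ends mid-sentence at "while there has"); complete it from the publisher page. First author is recorded as "Puche" here but as "Puche Rondon" in the sibling entries -- confirm the surname against the publisher record before normalising.},
  keywords      = {Enterprise Security, IoT Security},
  pubstate      = {published},
  tppubtype     = {article}
}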
Luis Puche Rondon, Leonardo Babun, Kemal Akkaya, A. Selcuk Uluagac
HDMI-Walk: Attacking HDMI Distribution Networks via Consumer Electronic Control Protocol Conference Paper
In Proceedings of the 35th Annual Computer Security Applications Conference, 2019.
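@inproceedings{Rondon2019HDMI-walk,
  title     = {{HDMI-Walk}: Attacking {HDMI} Distribution Networks via {Consumer Electronic Control} Protocol},
  author    = {Puche Rondon, Luis and Babun, Leonardo and Akkaya, Kemal and Uluagac, A. Selcuk},
  booktitle = {Proceedings of the 35th Annual Computer Security Applications Conference},
  publisher = {Association for Computing Machinery},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1145/3359789.3359841},
  url       = {https://doi.org/10.1145/3359789.3359841},
  urldate   = {2019-01-01},
  abstract  = {The High Definition Multimedia Interface (HDMI) is the backbone and the de-facto standard for Audio/Video interfacing between video-enabled devices. Today, tens of billions of HDMI devices exist in the world and are widely used to distribute A/V signals in smart homes, offices, concert halls, and sporting events, making HDMI one of the most widely deployed systems in the world. An important component of HDMI is the Consumer Electronics Control (CEC) protocol, which allows for interaction between devices within an HDMI distribution network. Nonetheless, existing network security mechanisms only protect traditional networking components, leaving CEC outside of their scope. In this work, we identify and tap into CEC protocol vulnerabilities, using them to implement realistic proof-of-concept attacks on HDMI distribution networks. We study how current insecure CEC protocol practices and carelessly implemented HDMI distributions may grant an adversary a novel attack surface for HDMI devices otherwise thought to be unreachable through traditional means. To introduce this novel attack surface, in this paper we present HDMI-Walk, which opens a realm of remote and local CEC attacks on HDMI devices. Specifically, with HDMI-Walk, an attacker can perform malicious analysis of devices, eavesdropping, Denial-of-Service attacks, targeted device attacks, and even facilitate other well-known existing attacks through HDMI. With HDMI-Walk, we show that it is feasible for an attacker to gain arbitrary control of HDMI devices. We demonstrate implementations of both local and remote attacks with commodity HDMI devices including Smart TVs and Media Players. Our work aims to uncover vulnerabilities in a very widely deployed system like HDMI distributions, the consequences of which can largely impact HDMI users as well as other systems that depend on these distributions. Finally, we discuss security mechanisms to provide impactful and comprehensive security for these real-world systems while guaranteeing deployability and minimal overhead, and while considering the current limitations of the CEC protocol. To the best of our knowledge, this is the first work solely investigating the security of HDMI device distribution networks.},
  keywords  = {Enterprise Security, Network Security},
  pubstate  = {published},
  tppubtype = {conference}
}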
Abbas Acar, Long Lu, A. Selcuk Uluagac, Engin Kirda
An Analysis of Malware Trends in Enterprise Networks Conference Paper
In Proceedings of the International Conference on Information Security (ISC), 2019.
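@inproceedings{Acar2019MalwareTrendsb,
  title     = {An Analysis of Malware Trends in Enterprise Networks},
  author    = {Acar, Abbas and Lu, Long and Uluagac, A. Selcuk and Kirda, Engin},
  booktitle = {Proceedings of the International Conference on Information Security ({ISC})},
  publisher = {Springer},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1007/978-3-030-30215-3_18},
  url       = {https://link.springer.com/chapter/10.1007/978-3-030-30215-3_18},
  urldate   = {2019-01-01},
  abstract  = {We present an empirical and large-scale analysis of malware samples captured from two different enterprises from 2017 to early 2018. In particular, we perform threat-vector, social-engineering, vulnerability, and time-series analysis on our dataset. Unlike existing malware studies, our analysis is specifically focused on recent enterprise malware samples. First, based on our analysis of the combined datasets of the two enterprises, our results confirm the general consensus that AV-only solutions are not enough for real-time defenses in enterprise settings, because on average 40\% of the malware samples, when they first appeared, were not detected by most AVs on VirusTotal or had not been uploaded to VirusTotal at all (i.e., never yet seen in the wild). Moreover, our analysis also shows that enterprise users transfer documents more than executables and other types of files. Therefore, attackers embed malicious code into documents to download and install the actual malicious payload instead of sending the malicious payload directly or using vulnerability exploits. We also found that financial matters (e.g., purchase orders and invoices) are still the most common subject seen in Business Email Compromise (BEC) scams that aim to trick employees. Finally, based on our analysis of the timestamps of the captured malware samples, we found that 93\% of the malware samples were delivered on weekdays. Our further analysis also showed that while malware samples that require user interaction, such as macro-based malware, were captured during employees' working hours, the large-scale malware attacks are triggered during employees' off-hours so as to spread silently over the networks.},
  keywords  = {Enterprise Security, Malware},
  pubstate  = {published},
  tppubtype = {conference}
}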