Abstract
With the interconnectedness of heterogeneous IoT devices being deployed in smart living spaces, it is imperative to assure that connected devices are resilient against Denial-of-Service (DoS) attacks. DoS attacks may cause economic damage but may also jeopardize the life of individuals, e.g., in a smart home healthcare environment since there might be situations (e.g., heart attacks), when urgent and timely actions are crucial. To achieve a better understanding of the DoS attack scenario in the ever so private home environment, we conduct a vulnerability assessment of five commercial-off-the-shelf IoT devices: a gaming console, media player, lighting system, connected TV, and IP camera, that are typically found in a smart living space. This study was conducted using an automated vulnerability scanner – Open Vulnerability Assessment System (OpenVAS) – and focuses on semantic DoS attacks. The results of the conducted experiment indicate that the majority of the tested devices are prone to DoS attacks, in particular those caused by a failure to manage exceptional conditions, leading to a total compromise of their availability. To understand the root causes for successful attacks, we analyze the payload code, identify the weaknesses exploited, and propose some mitigations that can be adopted by smart living developers and consumers.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
https://www.openvas.org/ [accessed December 21, 2019].
- 2.
https://www.virtualbox.org/ [accessed December 21, 2019].
- 3.
https://www.kali.org/ [accessed December 21, 2019].
- 4.
https://www.securityfocus.com/ [accessed December 21, 2019].
- 5.
https://www.cvedetails.com/ [accessed December 21, 2019].
- 6.
https://vulners.com/ [accessed December 21, 2019].
- 7.
http://www.cve.mitre.org/ [accessed December 21, 2019].
- 8.
https://www.mitre.org/ [accessed December 21, 2019].
- 9.
https://cesanta.com/ [accessed December 21, 2019].
- 10.
https://www.shodan.io/ [accessed December 21, 2019].
References
Alanazi, S., Al-Muhtadi, J., Derhab, A., Saleem, K., AlRomi, A.N., Alholaibah, H.S., Rodrigues, J.J.: On resilience of wireless mesh routing protocol against DoS attacks in IoT-based ambient assisted living applications. In: 17th International Conference on E-health Networking, Application & Services (HealthCom), pp. 205–210. IEEE (2015)
Alhazmi, O.H., Woo, S.-W., Malaiya, Y.K.: Security vulnerability categories in major software systems. Commun. Netw. Inf. Secur. 2006, 138–143 (2006)
Andersson, S., Josefsson, O.: On the assessment of denial of service vulnerabilities affecting smart home systems (2019)
Arboi, M.: Format string on http method name. https://vulners.com/openvas/OPENVAS:11801
Arboi, M.: Http unfinished line denial. https://vulners.com/openvas/OPENVAS:136141256231011171
Arboi, M.: Http windows 98 MS/DOS device names DOS. https://vulners.com/openvas/OPENVAS:136141256231010930
Arboi, M.: Jigsaw webserver MS/DOS device DOS. https://vulners.com/openvas/OPENVAS:11047
Arboi, M.: Linksys WRT54G DOS. https://vulners.com/openvas/OPENVAS:136141256231011941
Arboi, M.: LiteServe URL decoding DOS. https://vulners.com/openvas/OPENVAS:11155
Barnard-Wills, D., Marinos, L., Portesi, S.: Threat landscape and good practice guide for smart home and converged media. In: European Union Agency for Network and Information Security (ENISA) (2014)
Bonguet, A., Bellaiche, M.: A survey of denial-of-service and distributed denial of service attacks and defenses in cloud computing. Future Internet 9(3), 43 (2017)
Bugeja, J., Davidsson, P., Jacobsson, A.: Functional classification and quantitative analysis of smart connected home devices. In: Global Internet of Things Summit (GIoTS), pp. 1–6. IEEE (2018)
Carl, G., Kesidis, G., Brooks, R.R., Rai, R.: Denial-of-service attack-detection techniques. IEEE Internet Comput. 10(1), 82–89 (2006)
Douligeris, C., Mitrokotsa, A.: DDoS attacks and defense mechanisms: classification and state-of-the-art. Comput. Netw. 44(5), 643–666 (2004)
FIRST: Cvss v3.1 specification document. https://www.first.org/cvss/specification-document
Geneiatakis, D., Kounelis, I., Neisse, R., Nai-Fovino, I., Steri, G., Baldini, G.: Security and privacy issues for an IoT based smart home. In: 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO)
GmbH, G.N.: Mereo ‘get’ request remote buffer overflow vulnerability. https://vulners.com/openvas/OPENVAS:100776
Gordin, I., Graur, A., Potorac, A., Balan, D.: Security assessment of OpenStack cloud using outside and inside software tools. In: International Conference on Development and Application Systems (DAS), pp. 170–174. IEEE (2018)
Greenbone.net: 16. performance—greenbone security manager (gsm) 4 documentation. https://docs.greenbone.net/GSM-Manual/gos-4/en/performance.html#about-ports
Herzberg, B., Bekerman, D., Zeifman, I.: Breaking down mirai: An IoT DDoS botnet analysis. Incapsula Blog, Bots and DDoS, Security (2016)
Hussain, A., Heidemann, J., Heidemann, J., Papadopoulos, C.: A framework for classifying denial of service attacks. In: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 99–110. ACM (2003)
Karig, D., Lee, R.: Remote denial of service attacks and countermeasures. Princeton University Department of Electrical Engineering, Technical report CE-L2001-002, 17 (2001)
Kasinathan, P., Pastrone, C., Spirito, M.A., Vinkovits, M.: Denial-of-service detection in 6LoWPAN based internet of things. In: IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 600–607. IEEE (2013)
Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017)
Kupreev, A.G.O., Badovskaya, E.: Ddos attacks in q1 2019—securelist. https://securelist.com/ddos-report-q1-2019/90792/
Liang, L., Zheng, K., Sheng, Q., Huang, X.: A denial of service attack method for an IoT system. In: 8th International Conference on Information Technology in Medicine and Education (ITME), pp. 360–364. IEEE (2016)
Mahjabin, T., Xiao, Y., Sun, G., Jiang, W.: A survey of distributed denial-of-service attack, prevention, and mitigation techniques. Int. J. Distrib. Sens. Netw. 13(12), 1550147717741463 (2017)
Mansfield-Devine, S.: DDoS goes mainstream: how headline-grabbing attacks could make this threat an organisation’s biggest nightmare. Netw. Secur. 2016(11), 7–13 (2016)
Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)
Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring internet denial-of-service activity. ACM Trans. Comput. Syst. (TOCS) 24(2), 115–139 (2006)
Mosenia, A., Jha, N.K.: A comprehensive study of security of internet-of-things. IEEE Trans. Emerg. Top. Comput. 5(4), 586–602 (2016)
Muncaster, P.: DDoS attacks jump 18% YoY in Q2—infosecurity magazine. https://www.infosecurity-magazine.com/news/ddos-attacks-jump-18-yoy-in-q2/
OWASP: OWASP testing guide. https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
Pascu, L.: The IoT threat landscape and top smart home vulnerabilities in 2018. https://www.bitdefender.com/files/News/CaseStudies/study/229/Bitdefender-Whitepaper-The-IoT-Threat-Landscape-and-Top-Smart-Home-Vulnerabilities-in-2018.pdf
Patrick Wardle, C.M.: Optical surgery; implanting a dropcam. https://www.defcon.org/images/defcon-22/dc-22-presentations/Moore-Wardle/DEFCON-22-Colby-Moore-Patrick-Wardle-Synack-DropCam-Updated.pdf
Pătru, I.-I., Carabaş, M., Bărbulescu, M., Gheorghe, L.: Smart home IoT system. In: 15th RoEduNet Conference: Networking in Education and Research, pp. 1–6. IEEE (2016)
SecPod: Mongoose webserver content-length denial of service vulnerability. https://vulners.com/openvas/OPENVAS:1361412562310900268
Security, O.: Openvas 8.0 vulnerability scanning—kali linux. https://www.kali.org/penetration-testing/openvas-vulnerability-scanning
SecurityFocus: Apache mod\_access\_referer null pointer dereference denial of service vulnerability. https://www.securityfocus.com/bid/7375/exploit
SecurityFocus: IBM Tivoli policy director WebSeal denial of service vulnerability. https://www.securityfocus.com/bid/3685/exploit
SecurityFocus: Polycom ViaVideo denial of service vulnerability. https://www.securityfocus.com/bid/5962/exploit
Tundis, A., Mazurczyk, W., Mühlhäuser, M.: A review of network vulnerabilities scanning tools: types, capabilities and functioning. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, p. 65. ACM (2018)
Yoon, S., Park, H., Yoo, H.S.: Security issues on smarthome in IoT environment. In: Park, J., Stojmenovic, I., Jeong, H., Yi, G. (eds.) Computer Science and Its Applications, pp. 691–696. Springer, Heidelberg (2015)
Acknowledgments
This work has been carried out within the research profile “Internet of Things and People,” funded by the Knowledge Foundation and Malmö University in collaboration with 10 industrial partners.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Bugeja, J., Jacobsson, A., Spalazzese, R. (2020). On the Analysis of Semantic Denial-of-Service Attacks Affecting Smart Living Devices. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Intelligent Computing. SAI 2020. Advances in Intelligent Systems and Computing, vol 1229. Springer, Cham. https://doi.org/10.1007/978-3-030-52246-9_32
Download citation
DOI: https://doi.org/10.1007/978-3-030-52246-9_32
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-52245-2
Online ISBN: 978-3-030-52246-9
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)