Analysis of IoT Traffic using HTTP Proxy

In this current era of Internet of Things, data privacy and security of internet enabled devices has become a major concern of many users and manufacturers. Massive amount of data is being generated by these IoT devices and there might be possibilities of user's information being exposed without any privacy protection. The rate of data transfer, size, kind of information transmitted and secure channels used by these IoT devices are of utmost importance and demand more exploratory research. It is not all IoT devices that utilize encryption in their data transmission and those devices that incorporate such security measure can be compromised by the interception of generated traffic via proxy server and its decryption. In this paper, we explore and investigate the data being transmitted by six representative IoT devices and analyze the data, using a proxy server to capture both HTTP and HTTPS traffic. Our results show that one of the IoT devices transmit data in plain text while others utilize encryption. User's information, MAC address and IP address were identified in our data analysis. We propose that IoT devices should not allow proxy connections and implement machine learning algorithms to detect proxies using network connection information.

[1]  Jean-Philippe Vasseur,et al.  Interconnecting Smart Objects with IP: The Next Internet , 2010 .

[2]  Dawn Song,et al.  Smart Locks: Lessons for Securing Commodity Internet of Things Devices , 2016, AsiaCCS.

[3]  Carlo Maria Medaglia,et al.  An Overview of Privacy and Security Issues in the Internet of Things , 2010 .

[4]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[5]  Srdjan Capkun,et al.  On the requirements for successful GPS spoofing attacks , 2011, CCS '11.

[6]  Ali Saman Tosun,et al.  Investigating Security and Privacy of a Cloud-Based Wireless IP Camera: NetCam , 2015, 2015 24th International Conference on Computer Communication and Networks (ICCCN).

[7]  Apostolis Zarras,et al.  Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces , 2015, AsiaCCS.

[8]  Adi Shamir,et al.  Extended Functionality Attacks on IoT Devices: The Case of Smart Lights , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[9]  Mahmudur Rahman,et al.  Secure Management of Low Power Fitness Trackers , 2013, IEEE Transactions on Mobile Computing.

[10]  Atul Prakash,et al.  FlowFence: Practical Data Protection for Emerging IoT Application Frameworks , 2016, USENIX Security Symposium.

[11]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[12]  Serge Vaudenay,et al.  Challenges in Distance Bounding , 2015, IEEE Security & Privacy.

[13]  Nick Feamster,et al.  Detecting Compressed Cleartext Traffic from Consumer Internet of Things Devices , 2018, ArXiv.

[14]  Swarat Chaudhuri,et al.  A Study of Android Application Security , 2011, USENIX Security Symposium.

[15]  Nick Feamster,et al.  Cleartext Data Transmissions in Consumer IoT Medical Devices , 2017, IoT S&P@CCS.

[16]  Qi Alfred Chen,et al.  ContexloT: Towards Providing Contextual Integrity to Appified IoT Platforms , 2017, NDSS.

[17]  Roksana Boreli,et al.  Smart-Phones Attacking Smart-Homes , 2016, WISEC.

[18]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[19]  Ali Saman Tosun,et al.  Blackbox security evaluation of chromecast network communications , 2014, 2014 IEEE 33rd International Performance Computing and Communications Conference (IPCCC).