An Overview of UPnP-based IoT Security: Threats, Vulnerabilities, and Prospective Solutions

Advances in the development and increased availability of smart devices ranging from small sensors to complex cloud infrastructures as well as various networking technologies and communication protocols have supported the rapid expansion of Internet of Things deployments. The Universal Plug and Play (UPnP) protocol has been widely accepted and used in the IoT domain to support interactions among heterogeneous IoT devices, in part due to zero configuration implementation which makes it feasible for use in large-scale networks. The popularity and ubiquity of UPnP to support IoT systems necessitate an exploration of security risks associated with the use of the protocol for IoT deployments. In this work, we analyze security vulnerabilities of UPnP-based IoT systems and identify attack opportunities by the adversaries leveraging the vulnerabilities. Finally, we propose prospective solutions to secure UPnP-based IoT systems from adversarial operations.

[1]  Sylvia L. Osborn,et al.  Current Research and Open Problems in Attribute-Based Access Control , 2017, ACM Comput. Surv..

[2]  Mohammed Nazim Uddin,et al.  User-agent based access control for DLNA devices , 2014, 2014 6th International Conference on Knowledge and Smart Technology (KST).

[3]  Vesa Pehkonen,et al.  Secure Universal Plug and Play network , 2010, 2010 Sixth International Conference on Information Assurance and Security.

[4]  Christian Rossow,et al.  Amplification Hell: Revisiting Network Protocols for DDoS Abuse , 2014, NDSS.

[5]  Binxing Fang,et al.  A Survey on Access Control in the Age of Internet of Things , 2020, IEEE Internet of Things Journal.

[6]  Theodore Y. Ts'o,et al.  Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[7]  Kemal Akkaya,et al.  U-PoT: A Honeypot Framework for UPnP-Based IoT Devices , 2018, 2018 IEEE 37th International Performance Computing and Communications Conference (IPCCC).

[8]  Xiaojiang Du,et al.  HeapTherapy+: Efficient Handling of (Almost) All Heap Vulnerabilities Using Targeted Calling-Context Encoding , 2019, 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[9]  Chatschik Bisdikian,et al.  An overview of the Bluetooth wireless technology , 2001, IEEE Commun. Mag..

[10]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[11]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[12]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[13]  Omar Alrawi,et al.  SoK: Security Evaluation of Home-Based IoT Deployments , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[14]  Hyggo Oliveira de Almeida,et al.  Multilevel security in UPnP networks for pervasive environments , 2013, IEEE Transactions on Consumer Electronics.

[15]  Zeeshan Ali Khan,et al.  Reputation Management Using Honeypots for Intrusion Detection in the Internet of Things , 2020, Electronics.

[16]  Xiao Guo,et al.  Secure UPnP services based on group signature algorithm , 2013, Proceedings of 2013 3rd International Conference on Computer Science and Network Technology.

[17]  Yi Zhou,et al.  Understanding the Mirai Botnet , 2017, USENIX Security Symposium.

[18]  Carsten Bormann,et al.  6LoWPAN: The Wireless Embedded Internet , 2009 .

[20]  Tongbo Luo,et al.  IoTCandyJar : Towards an Intelligent-Interaction Honeypot for IoT Devices , 2017 .

[21]  Andrew S. Tanenbaum,et al.  The Design of a Capability-Based Distributed Operating System , 1986, Comput. J..

[22]  Shahin Farahani,et al.  ZigBee Wireless Networks and Transceivers , 2008 .

[23]  Lawrence Snyder,et al.  Formal Models of Capability-Based Protection Systems , 1981, IEEE Transactions on Computers.