Security Analysis of Devolo HomePlug Devices

Vulnerabilities in smart devices often are particular severe from a privacy point of view. If these devices form central components of the underlying infrastructure, such as Wifi repeaters, even an entire network may be compromised. The devastating effects of such a compromise recently became evident in light of the Mirai botnet. In this paper, we conduct a thorough security analysis of so-called HomePlug devices, which are used to establish network communication over power lines. We identify multiple security issues and find that hundreds of vulnerable devices are openly connected to the Internet across Europe. 87 % run an outdated firmware, showing the deficiency of manual updates in comparison to automatic ones. However, even the default configurations of updated devices lack basic security mechanisms.

[1]  Thomas Wollinger,et al.  IT Security and the Internet of Things , 2014 .

[2]  Adi Shamir,et al.  IoT Goes Nuclear: Creating a ZigBee Chain Reaction , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[3]  Marek Jawurek,et al.  Smart metering de-pseudonymization , 2011, ACSAC '11.

[4]  Yi Zhou,et al.  Understanding the Mirai Botnet , 2017, USENIX Security Symposium.

[5]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[6]  Earlence Fernandes,et al.  Security Analysis of Emerging Smart Home Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[7]  Patrick D. McDaniel,et al.  Sensitive Information Tracking in Commodity IoT , 2018, USENIX Security Symposium.

[8]  David A. Wagner,et al.  Detecting Credential Spearphishing in Enterprise Settings , 2017, USENIX Security Symposium.

[9]  Michael Backes,et al.  Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs , 2017, CCS.

[10]  Jörg Schwenk,et al.  Same-Origin Policy: Evaluation in Modern Browsers , 2017, USENIX Security Symposium.

[11]  Tadayoshi Kohno,et al.  Computer security and the modern home , 2013, CACM.

[12]  Aurélien Francillon,et al.  What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices , 2018, NDSS.

[13]  Jon Postel,et al.  Telnet Option Specifications , 1983, RFC.

[14]  Dan Boneh,et al.  Protecting browsers from dns rebinding attacks , 2007, CCS '07.

[15]  Zhiqiang Lin,et al.  IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing , 2018, NDSS.

[16]  Omar Alrawi,et al.  SoK: Security Evaluation of Home-Based IoT Deployments , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[17]  Wenyuan Xu,et al.  Neighborhood watch: security and privacy analysis of automatic meter reading systems , 2012, CCS.

[18]  Zhou Li,et al.  Catching predators at watering holes: finding and understanding strategically compromised websites , 2016, ACSAC.

[19]  Sanjay Jha,et al.  Automated Analysis of Secure Internet of Things Protocols , 2017, ACSAC.