14-829 / 18-638: Mobile and IoT Security - Fall 2020
Lab 6: Analyzing IoT Apps in the Wild
- Due: Nov 6
- Description: This lab will give you an opportunity to study IoT apps in the wild, including any software or firmware on IoT devices,
any corresponding cloud services, any companion mobile apps, or any other software involved in an IoT platform. Your study may include the
use of common firmware analysis tools, generic static analysis tools, or manual inspection. Various tools and techniques have been discussed
in class, and all of these (and anything else you can find) are available to you.
- Tasks:
  - Choose your IoT device or app to study - Identify an IoT device, service, or app that you will study and analyze, with the constraints that (1) it should have some interesting functionality that people would actually use, (2) it is not obfuscated to the point that analysis is impossible or uninteresting, and (3) devices, firmware, and software are up-to-date versions (not old models, versions with known issues, or reference samples provided to demonstrate vulnerabilities).
  - Analyze the software/firmware components - Use whatever tools you want (if any) to analyze the software and firmware components that you collected in order to understand the software and identify potential vulnerabilities or violations of best practices. If the corresponding IoT devices can be controlled via Android applications or web/cloud services, study how the various software components interact with each other to fully understand the system functionality. However, you should not focus solely on issues of the Android or cloud components; instead, you should focus on potential information leakage from the devices, potential backdoors in firmware, integrity of the firmware update processes, device interactions, etc. The OWASP IoT Project may provide helpful guidance.
  - Recommend security or privacy improvements - For each device/system that you analyze, provide at least one recommendation that you would make to the development team in order to help them improve the security or privacy posture of their IoT device. Make sure that your recommendations are clear and complete, while also keeping in mind the typical business considerations and trade-offs that may compete against security or privacy.
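As an added example (not part of the course handout), the following Python script is the kind of small audit helper the analysis task invites: it walks an extracted firmware root filesystem and reports best-practice violations in the task's focus areas, namely shipped credentials and key material (information leakage), world-writable executables, and an updater that fetches over plain HTTP with no visible signature check (update integrity). The sample root filesystem, its file names, and the update URL are constructed inline for illustration; the keyword heuristic used to spot a signature check is an assumption for this example, not a standard, and the permission check assumes a POSIX host.

```python
"""Audit an extracted firmware root filesystem for common IoT best-practice
violations.  Added example (not from the course page); the checks and the
sample filesystem are constructed for illustration."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# PEM headers for private key material that should never ship inside an image.
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# Plain-HTTP URLs: a firmware fetched without TLS needs a signature check, which
# this (assumed, heuristic) keyword scan looks for in the same script.
HTTP_URL_RE = re.compile(rb"\bhttp://[^\s'\"]+")
SIGNATURE_HINT_RE = re.compile(rb"(?i)(signature|verify|openssl dgst|gpg)")


@dataclass(frozen=True)
class Finding:
    category: str   # short label for the report, e.g. "empty-password"
    path: str       # path relative to the image root
    detail: str     # human-readable explanation


def check_shadow(root: Path) -> list[Finding]:
    """Accounts with an empty hash field in /etc/shadow log in with no password."""
    shadow = root / "etc" / "shadow"
    findings = []
    if not shadow.is_file():
        return findings
    for line in shadow.read_text().splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            findings.append(Finding("empty-password", "etc/shadow",
                                    f"account '{fields[0]}' has no password hash"))
    return findings


def check_files(root: Path) -> list[Finding]:
    """Walk every regular file once: embedded private keys, world-writable
    files, and plain-HTTP update fetches with no visible signature check."""
    findings = []
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        rel = str(p.relative_to(root))
        mode = p.stat().st_mode
        if mode & stat.S_IWOTH:  # POSIX permission bits assumed
            findings.append(Finding("world-writable", rel,
                                    f"mode {stat.filemode(mode)} lets any local user replace this file"))
        data = p.read_bytes()
        if PEM_KEY_RE.search(data):
            findings.append(Finding("embedded-private-key", rel,
                                    "PEM private key shipped in the image (shared by every device)"))
        urls = HTTP_URL_RE.findall(data)
        if urls and not SIGNATURE_HINT_RE.search(data):
            findings.append(Finding("unsigned-http-update", rel,
                                    f"fetches {urls[0].decode(errors='replace')} over plain HTTP "
                                    "with no visible signature check"))
    return findings


def audit_rootfs(root: Path) -> list[Finding]:
    """Run all checks and return findings in a stable order for the report."""
    return sorted(check_shadow(root) + check_files(root),
                  key=lambda f: (f.category, f.path))


def _write(path: Path, text: str, mode: int = 0o644) -> None:
    path.write_text(text)
    os.chmod(path, mode)  # pin the mode so the host umask does not affect results


def build_sample_rootfs() -> Path:
    """Constructed sample image layout (not a real device), seeded with one
    instance of each problem the checks look for plus one clean file."""
    root = Path(tempfile.mkdtemp(prefix="fwroot-"))
    (root / "etc" / "ssl").mkdir(parents=True)
    (root / "usr" / "bin").mkdir(parents=True)
    _write(root / "etc" / "shadow",
           "root:$6$placeholderhash:18000:0:99999:7:::\n"
           "admin::18000:0:99999:7:::\n")          # 'admin' has an empty hash
    _write(root / "etc" / "ssl" / "device.key",
           "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAPlaceholder==\n"
           "-----END RSA PRIVATE KEY-----\n")
    _write(root / "usr" / "bin" / "updater",
           "#!/bin/sh\nwget http://updates.example.invalid/fw.bin -O /tmp/fw.bin\n"
           "flash_image /tmp/fw.bin\n", mode=0o777)  # world-writable, plain HTTP
    _write(root / "usr" / "bin" / "ok_tool", "#!/bin/sh\necho fine\n")
    return root


if __name__ == "__main__":
    for f in audit_rootfs(build_sample_rootfs()):
        print(f"[{f.category}] {f.path}: {f.detail}")
```

Each finding carries a category, a path and a one-line explanation so it can be pasted straight into the report's vulnerability section alongside a severity judgement; on a real image, point `audit_rootfs` at the directory produced by your extraction tool instead of `build_sample_rootfs()`.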
- Deliverables and Submission: Prepare a written summary of your efforts and responses for the above tasks. The summary report should include:
  - A brief description of the app/service/platform/devices involved in your study, where/how you obtained software/firmware images to study, how you determined what software components were involved, and what tools (if any) you used to analyze your chosen IoT system.
  - A detailed description of your results and recommendations to the developer, including what you were able to learn about the software components of your target system and any identified security or privacy vulnerabilities, violations of best practices, etc.
  - Suitable images or other artifacts to demonstrate that you accomplished the goals of each task. Provide relevant screenshots of successful or unsuccessful tool use, and any relevant data or observations resulting from your study.
  This summary should be formatted in an easy-to-read way, using font size 10 or greater, and submitted as a .pdf document.
- Grading: This lab is worth 20 points, with 5 points allocated to the description of the software components of your chosen IoT system of study, 5 points for the description of your analysis methods and tools used, 5 points for detailing any vulnerabilities or best-practice violations (including severity, impact, etc.), and 5 points for providing detailed recommendations to the developer. We reserve the right to take off points for unreadable reports, poor writing, missing details, inappropriate content, etc.