14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2021

Lab 6: Analyzing IoT Apps in the Wild

Due: Oct 29

Description: This lab will give you an opportunity to study IoT apps in the wild, including any software or firmware on IoT devices, any corresponding cloud services, any companion mobile apps, or any other software involved in an IoT platform. Your study may include the use of common firmware analysis tools, generic static analysis tools, or manual inspection. Various tools and techniques have been discussed in class, and all of these (and anything else you can find) are available to you.

Tasks:
  1. Choose your IoT device or app to study - Identify an IoT device, service, or app that you will study and analyze, with the constraints that (1) it should have some interesting functionality that people would actually use, (2) it is not obfuscated to the point that analysis is impossible or uninteresting, and (3) devices, firmware, and software are up-to-date versions (not old models, versions with known issues, or reference samples provided to demonstrate vulnerabilities).
  2. Analyze the software/firmware components - Use whatever tools you want (if any) to analyze the software and firmware components that you collected in order to understand the software and identify potential vulnerabilities or violations of best practices. If the corresponding IoT devices can be controlled via Android applications or web/cloud services, study how the various software components interact with each other to fully understand the system functionality. However, you should not focus solely on issues of the Android or cloud components; instead, you should focus on potential information leakage from the devices, potential backdoors in firmware, integrity of the firmware update processes, device interactions, etc. The OWASP IoT Project may provide helpful guidance.
  3. Recommend security or privacy improvements - For each device/system that you analyze, provide at least one recommendation that you would make to the development team in order to help them improve the security or privacy posture of their IoT device. Make sure that your recommendations are clear and complete, while also keeping in mind the typical business considerations and trade-offs that may compete against security or privacy.

Deliverables and Submission: Prepare a written summary of your efforts and responses for the above tasks. The summary report should include:
  • A brief description of the app/service/platform/devices involved in your study, where/how you obtained software/firmware images to study, how you determined what software components were involved, and what tools (if any) you used to analyze your chosen IoT system.
  • A detailed description of your results and recommendations to the developer, including what you were able to learn about the software components of your target system and any identified security or privacy vulnerabilities, violations of best practices, etc.
  • Suitable images or other artifacts to demonstrate that you accomplished the goals of each task. Provide relevant screenshots of successful or unsuccessful tool use, and any relevant data or observations resulting from your study.
This summary should be formatted in an easy-to-read way, using font size 10 or greater, and submitted as a .pdf document.

Grading: This lab is worth 20 points, with 5 points allocated to the description of the software components of your chosen IoT system of study, 5 points for the description of your analysis methods and tools used, 5 points for detailing any vulnerabilities or best-practice violations (including severity, impact, etc.), and 5 points for providing detailed recommendations to the developer. We reserve the right to take off points for unreadable reports, poor writing, missing details, inappropriate content, etc.