Page 139 - Kaleidoscope Academic Conference Proceedings 2021
P. 139

Connecting physical and virtual worlds




           3.1   Security risks                               interception capabilities for malicious URL/IP and zombie
                                                              worm files.
           3.1.1   Security risks for service subsystems
                                                              Insecure chips, such as chips using Meltdown and Spectre
           Lack of security warning mechanism: Lack of a security   vulnerabilities
           monitoring  mechanism for domotics  devices, unable  to
           collect operating  data (such as operating status, network   The hardware interface(such as  console interface,  serial
           traffic, port operation,  etc.)  of IoT-domotics devices to   port, debugging interface, etc.) physically invaded.
           analyze possible security threats.
                                                              3.1.3   Security risks for  IoT-domotics  devices and
           Web application has security vulnerabilities: An attacker   physical entities
           can use  SQL  injection to steal the content of the cloud
           database, and then obtain the user account and password, so   Lack  of child protection mechanisms.  Lack of  security
           as to check user privacy and illegally manipulate the user's   protection mechanisms in the case of interoperability, such
           smart home equipment and other illegal activities.   as pets, children accidentally touching the buttons, causing
                                                              health threats. Washing  machines, microwave ovens and
           Access control flaw: The access control mechanism of the   other devices lack control mechanisms to prevent children
           existing platform has the problem of too coarse granularity   from operating.
           of the permission  model. The  application  can  obtain
           excessive authorization that exceeds the user's expectations,   Lack of fault tolerance mechanism. IoT-domotics devices
           which may threaten the user's life and property [9].    fail to effectively recognize  user instructions, resulting in
                                                              unexpected abnormal activation or unsafe operation.
           Lack of  effective authentication:  No appropriate
           authentication mechanism is designed for IoT-domotics   Application security is insufficient.  No obfuscation  and
           devices to be shared. Malicious applications installed by the   hardening of  the  code. No  support update package
           owner  of the IoT-domotics  devices access  the platform   verification  mechanism. No  weak password  or default
           service without valid authentication. Unable to effectively   password detection reminder function.
           authenticate counterfeit IoT-domotics devices.
                                                              Improper   authentication  mechanism:  Failure  to
           3.1.2   Security risks for IoT-domotics gateway    authenticate or use weak authentication.

           Lack of  a security management mechanism  for IoT-  The firmware lacks a hardware protection mechanism,
           domotics devices.  Failure to provide appropriate security   for example, IoT-domotics devices are deployed in the IoT-
           management strategies based on the diversity and differences   domotics. The owner of the IoT-domotics devices may be an
           of IoT-domotics devices. Lack  of  monitoring, abnormal   attacker. If the firmware of the IoT-domotics devices are not
           warning, and port threat  shielding capabilities for the   protected by hardware, the attacker can easily export the
           operating status of IoT-domotics devices connected to the   firmware for analysis.
           IoT-domotics gateway. Lack of network isolation and access
           control mechanism for connected IoT-domotics devices   Exposure of chip information, for example, chip model and
                                                              chip interface on PCB.
           Insecure  firmware:  The   firmware  has  security
           vulnerabilities, such as PIN code vulnerabilities,  WiFi   Lack  of  hardware  anti-tampering  and  anti-reverse
           vulnerabilities, weak password  vulnerabilities, buffer   protection mechanisms. No tamper  detection switches,
           overflow vulnerabilities, CSRF vulnerabilities, remote code   sensors or circuits are designed to  be added to the  IoT-
           execution vulnerabilities, etc. Leakage of sensitive firmware   domotics devices.
           data,  such  as  backdoor  account  numbers,  hard-coded
           passwords, encryption keys, encryption algorithms, sensitive   3.1.4   Security risks for networks
           URLs, etc. Lack of access control mechanism for third-party
           applications to access system APIs. The integrity and source   Network protocol  not encrypted. If  data transmission
           legality of the firmware installation  package were  not   adopts clear text  protocol transmission, it will greatly
           verified during the update.                        increase the risk of information leakage. For example, some
                                                              smart cameras use the unencrypted RTSP protocol for video
           Lack of an effective authentication mechanism to prevent   transmission. The attacker only needs to copy the address to
           unauthorized  devices from accessing the IoT-domotics   a player that can support the RTSP protocol to obtain the
           network.                                           current camera's shooting image.

           Unable to  protect  the  IoT-domotics intranet  from   The network protocol is cracked.  Pairing  and discovery
           external threats.  Lack  of the  function  of hiding the IP   protocols  may  leak  information  about devices  in  the
           address of IoT-domotics devices to avoid IP address leakage.   domotics [10]. An attacker can easily analyze the user login
           Does not support protection and  disposal  capabilities for   process of an IoT-domotics device, crack the business logic
           DDoS attack source traffic. Lack of detection, warning and   relationship between the user account and the IoT-domotics





                                                           – 77 –
   134   135   136   137   138   139   140   141   142   143   144