Page 139 - Kaleidoscope Academic Conference Proceedings 2021
Connecting physical and virtual worlds
3.1 Security risks

3.1.1 Security risks for service subsystems

Lack of a security warning mechanism: There is no mechanism for monitoring the security vulnerabilities of domotics devices, so the operating data of IoT-domotics devices (operating status, network traffic, port activity, etc.) cannot be collected and analyzed for possible security threats.

Web application security vulnerabilities: An attacker can use SQL injection to steal the contents of the cloud database and thereby obtain user accounts and passwords, which can then be used to read the user's private data, illegally manipulate the user's smart home equipment, and carry out other illegal activities.

Access control flaw: The permission model of the existing platform is too coarse-grained. An application can obtain authorization that exceeds what the user expects, which may threaten the user's life and property [9].

Lack of effective authentication: No appropriate authentication mechanism is designed for IoT-domotics devices that are shared. Malicious applications installed by the owner of the IoT-domotics devices can access the platform service without valid authentication, and counterfeit IoT-domotics devices cannot be effectively authenticated.

3.1.2 Security risks for the IoT-domotics gateway

Lack of a security management mechanism for IoT-domotics devices: Appropriate security management strategies are not provided for the diversity of IoT-domotics devices. There is no monitoring, abnormal-behaviour warning or port threat shielding for the operating status of the IoT-domotics devices connected to the IoT-domotics gateway, and no network isolation or access control between the connected IoT-domotics devices.

Insecure firmware: The firmware has security vulnerabilities, such as PIN code, WiFi, weak password, buffer overflow, CSRF and remote code execution vulnerabilities. Sensitive firmware data leaks, such as backdoor accounts, hard-coded passwords, encryption keys, encryption algorithms and sensitive URLs. There is no access control for third-party applications that call system APIs. The integrity and source legitimacy of the firmware installation package are not verified during the update.

Lack of an effective authentication mechanism: Unauthorized devices are not prevented from joining the IoT-domotics network.

Unable to protect the IoT-domotics intranet from external threats: The gateway cannot hide the IP addresses of IoT-domotics devices to avoid IP address leakage, does not support protection against and disposal of DDoS attack source traffic, and lacks detection, warning and interception capabilities for malicious URLs/IPs and zombie worm (bot malware) files.

Insecure chips: For example, chips vulnerable to Meltdown and Spectre.

Physical intrusion through hardware interfaces: The hardware interfaces (console interface, serial port, debugging interface, etc.) can be physically accessed.

3.1.3 Security risks for IoT-domotics devices and physical entities

Lack of child protection mechanisms: No safety protections are provided for interoperating devices, so a pet or child accidentally pressing a button can cause a health hazard. Washing machines, microwave ovens and other appliances lack controls that prevent children from operating them.

Lack of a fault tolerance mechanism: IoT-domotics devices fail to correctly recognize user instructions, resulting in unexpected activation or unsafe operation.

Insufficient application security: No obfuscation or hardening of the code. No verification mechanism for update packages. No function that detects weak or default passwords and reminds the user to change them.

Improper authentication mechanism: Failure to authenticate, or use of weak authentication.

The firmware lacks a hardware protection mechanism: IoT-domotics devices are deployed in the domotics environment, and the owner of an IoT-domotics device may be an attacker. If the firmware of the IoT-domotics device is not protected by hardware, the attacker can easily extract it for analysis.

Exposure of chip information: For example, the chip model and chip interfaces are visible on the PCB.

Lack of hardware anti-tampering and anti-reverse-engineering protection: No tamper detection switches, sensors or circuits are designed into the IoT-domotics devices.

3.1.4 Security risks for networks

Network protocol not encrypted: If data is transmitted over a clear-text protocol, the risk of information leakage increases greatly. For example, some smart cameras use the unencrypted RTSP protocol for video transmission. An attacker only needs to copy the stream address into a player that supports RTSP to obtain the camera's current image.

Network protocol cracked: Pairing and discovery protocols may leak information about the devices in the domotics [10]. An attacker can easily analyze the user login process of an IoT-domotics device, crack the business logic relationship between the user account and the IoT-domotics
– 77 –
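The SQL injection risk listed under 3.1.1 (an attacker steals the cloud database contents, including accounts and passwords, through an injectable web query) is illustrated by the following added example; it is not code from the paper or from any product it discusses. It uses an in-memory SQLite table with constructed sample users (stored in plain text only to mirror the paper's scenario) and contrasts a login query built by string formatting with the same query parameterised.

```python
import sqlite3

# Constructed sample data standing in for the "cloud database" (not a real dataset).
SAMPLE_USERS = [
    ("alice", "s3cret-pw", "alice@example.org"),
    ("bob", "hunter2", "bob@example.org"),
]


def make_db():
    """Build the in-memory users table the two login variants query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately injectable: user input is spliced into the SQL text."""
    sql = (
        f"SELECT name, email FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, name, password):
    """Parameterised query: values travel separately from the SQL text,
    so the same payloads are matched literally against the name column."""
    sql = "SELECT name, email FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run the classic payloads against both variants and return the outcomes."""
    conn = make_db()
    # Tautology payload: '--' comments out the password check, every row matches.
    tautology = "' OR 1=1 --"
    leaked = login_vulnerable(conn, tautology, "anything")
    blocked = login_hardened(conn, tautology, "anything")
    # UNION payload: pulls the password column out through the email column,
    # which is how the paper's "obtain the user account and password" step works.
    union = "' UNION SELECT name, password FROM users --"
    dumped = login_vulnerable(conn, union, "x")
    return leaked, blocked, dumped


if __name__ == "__main__":
    for label, rows in zip(("tautology leak", "hardened", "union dump"), demo()):
        print(f"{label}: {rows}")
```

Parameterisation alone does not cover the second half of the paper's scenario: the dumped rows are only useful to the attacker because the passwords are stored in clear. Hashing them with a password KDF would be the usual complement.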
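Both the gateway item in 3.1.2 ("the integrity and source legitimacy of the firmware installation package are not verified during the update") and the device item in 3.1.3 ("no verification mechanism for update packages") come down to the same missing check, so one added example serves both. It is not code from the paper. It assumes a device provisioned with a symmetric update-verification key (`UPDATE_KEY`, a placeholder) so that it runs with the standard library alone; a real device would verify an asymmetric signature against a public key held in immutable storage, but the order of checks is the same: authenticate the manifest, then the image hash, then refuse rollback.

```python
import hashlib
import hmac
import json

# Assumption (not from the paper): a symmetric key provisioned at manufacture.
# Production firmware uses an asymmetric signature with the public key in ROM.
UPDATE_KEY = b"example-update-key-provisioned-at-manufacture"


def _canonical(fields):
    """Stable byte encoding of the signed manifest fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_package(key, version, image):
    """Vendor side: produce a manifest binding version and image hash under the key."""
    fields = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    sig = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def verify_update(key, installed_version, manifest, image):
    """Device side. Returns (accepted, reason).

    Signature first: nothing in the manifest is trusted until its source is
    established. Hash second: the image may be tampered or truncated in transit.
    Version last: a correctly signed but older package is a rollback attack.
    """
    fields = {k: v for k, v in manifest.items() if k != "sig"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("sig", ""))):
        return False, "bad signature: package source not legitimate"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), fields["sha256"]):
        return False, "hash mismatch: image tampered or truncated"
    if fields["version"] <= installed_version:
        return False, "rollback: version not newer than installed"
    return True, "ok"


if __name__ == "__main__":
    image = b"FIRMWARE-IMAGE-v2"  # constructed stand-in for a firmware blob
    manifest = sign_package(UPDATE_KEY, 2, image)
    print(verify_update(UPDATE_KEY, 1, manifest, image))
    print(verify_update(UPDATE_KEY, 1, manifest, image + b"\x00"))
    print(verify_update(UPDATE_KEY, 2, manifest, image))
```

The rollback check is the one most often forgotten: without it an attacker who has obtained any older, genuinely signed image (for example from the extraction path described in 3.1.3) can reinstall its known vulnerabilities through the legitimate update channel.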
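For the clear-text RTSP risk in 3.1.4, the following added example (not from the paper) shows the detection side: a small analyser a gateway or sensor could run over captured TCP payloads to flag RTSP sessions that are unencrypted, that embed credentials in the stream URL, or that send HTTP Basic credentials in the clear. The three payloads are constructed to look like a camera client's DESCRIBE/SETUP/PLAY exchange; they are not a real capture, and the address and credentials in them are invented.

```python
import base64
import re
from urllib.parse import urlsplit

# RTSP request line: METHOD URL RTSP/1.0 (RFC 2326 methods used by camera clients).
RTSP_REQUEST = re.compile(
    r"^(OPTIONS|DESCRIBE|SETUP|PLAY|PAUSE|TEARDOWN|GET_PARAMETER|SET_PARAMETER)"
    r"\s+(\S+)\s+RTSP/1\.0\r?$",
    re.M,
)
BASIC_AUTH = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.M | re.I)

# Constructed sample payloads (destination, bytes-as-text); not a real capture.
SAMPLE_PAYLOADS = [
    ("192.168.1.23:554",
     "DESCRIBE rtsp://192.168.1.23:554/live/ch0 RTSP/1.0\r\n"
     "CSeq: 2\r\nAccept: application/sdp\r\n\r\n"),
    ("192.168.1.23:554",
     "SETUP rtsp://admin:admin123@192.168.1.23:554/live/ch0/track1 RTSP/1.0\r\n"
     "CSeq: 3\r\nTransport: RTP/AVP;unicast;client_port=5000-5001\r\n\r\n"),
    ("192.168.1.23:554",
     "PLAY rtsp://192.168.1.23:554/live/ch0 RTSP/1.0\r\n"
     "CSeq: 4\r\nAuthorization: Basic YWRtaW46YWRtaW4xMjM=\r\n\r\n"),
]


def analyse_payload(dst, payload):
    """Return (finding, destination, detail) tuples for one TCP payload."""
    findings = []
    m = RTSP_REQUEST.search(payload)
    if not m:
        return findings  # not an RTSP request; nothing to say
    method, url = m.group(1), m.group(2)
    parts = urlsplit(url)
    if parts.scheme == "rtsp":  # rtsps:// would be RTSP over TLS
        findings.append(("cleartext-rtsp", dst, method))
    if parts.username:
        findings.append(("credentials-in-url", dst, f"{parts.username}:{parts.password}"))
    auth = BASIC_AUTH.search(payload)
    if auth:
        creds = base64.b64decode(auth.group(1)).decode(errors="replace")
        findings.append(("basic-auth-cleartext", dst, creds))
    return findings


def scan(payloads):
    """Run the analyser over a list of (destination, payload) pairs."""
    out = []
    for dst, payload in payloads:
        out.extend(analyse_payload(dst, payload))
    return out


if __name__ == "__main__":
    for finding in scan(SAMPLE_PAYLOADS):
        print(finding)
```

A stream flagged only as `cleartext-rtsp` is already the case the paper describes: the video itself crosses the network unencrypted and any RTSP-capable player on the path can render it. The two credential findings are worse, because the same capture also yields a login to the camera's other functions.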