Abstract

While enjoying widespread popularity, IoT faces numerous threats with both traditional (e.g., Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumerations (CWEs)) and IoT-specific (e.g., device-application interactions) attack vectors. Therefore, gathering threat intelligence for an IoT environment is equally essential if not more (compared to many other IT environments). However, extracting threat intelligence from an IoT deployment poses several unique challenges. First, most IoT implementations are not logging threat-related information and even if they are, their logging mechanisms require significant additional effort to turn those logs to a threat intelligence. Second, there is no clear definition of IOCs (indicators of compromise), which are the key inputs to threat intelligence, in the context of IoT; including how to combine IoT-specific IOCs including that are involved with the dynamic app-device interactions. In this thesis, we propose IoTINT, a solution to obtain IoT-specific threat intelligence while addressing the above-mentioned challenges. Specifically, our key ideas are to first enable logging in IoT devices and apps without requiring any code instrumentation (in contrast to existing approaches), then iteratively finding dynamic interactions between IoT devices and their apps that are defined by automation rules and result in various security threats, and finally, combine both app-device interactions with traditional IOCs (such as, CVEs and CWEs) to build a comprehensive
threat intelligence for IoT. We implement IoTINT for Samsung SmartThings, a major smart home platform, and evaluate its performance (e.g., 100% coverage in extracting threat intelligence within 11 seconds for 10 realistic IoT attack scenarios).