Individualized cybersecurity research mentoring

Martina Lindorfer, an associate professor at TU Wien and a key researcher at SBA Research, joined as a speaker for the iMentor Workshop.

2023-11-26

The iMentor Workshop is dedicated to attracting, mentoring, and providing career guidance to early-stage graduate students from underrepresented communities who aspire to pursue a career in computer security. Attendees also have the opportunity to participate in the main ACM CCS conference, which serves as a premier platform for the rapid and extensive dissemination of groundbreaking research outcomes in the fields of computer and communications security.

Martina gave a talk titled “IoTFlow the Making-Of: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis.” Using the preparation of her article presented at ACM CCS 2023 as an example, she shared with the iMentor cohort the behind-the-scenes journey of the IoTFlow paper — from its initial conception to the different iterations and revisions it underwent.

Abstract: The number of “smart” devices, that is, devices making up the Internet of Things (IoT), is steadily growing. They suffer from vulnerabilities just as other software and hardware. Automated analysis techniques can detect and address weaknesses before attackers can misuse them. Applying existing techniques or developing new approaches that are sufficiently general is challenging though. Contrary to other platforms, the IoT ecosystem features various software and hardware architectures.

We introduce IoTFlow, a new static analysis approach for IoT devices that leverages their mobile companion apps to address the diversity and scalability challenges. IoTFlow combines Value Set Analysis (VSA) with more general data-flow analysis to automatically reconstruct and derive how companion apps communicate with IoT devices and remote cloud-based backends, what data they receive or send, and with whom they share it. We analyzed 9,889 manually verified companion apps with IoTFlow to understand and characterize the current state of security and privacy in the IoT ecosystem. We discovered various IoT security and privacy issues, such as abandoned domains, hard-coded credentials, expired certificates, and sensitive personal information being shared.
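To make the abstract's combination of value-set analysis and data-flow tracking concrete, here is a small added example (written for this page, not IoTFlow's code). It runs a toy VSA over a constructed SSA-style mini-IR that stands in for decompiled companion-app code: every variable is mapped to a finite set of candidate strings (or "unknown" when it depends on runtime input) together with the set of sensitive sources that flowed into it. The opcodes, the `send`/`auth` sink names, the hostnames and the sample program are all invented for illustration; the point is how resolving string constants through merges and concatenations recovers the endpoints a network call can reach, which data reaches which host, and whether a password is a compile-time constant.

```python
"""Toy value-set analysis plus data-flow tracking over a constructed mini-IR.

Added illustration of the analysis questions described in the IoTFlow abstract;
it is not IoTFlow's own implementation. The IR format, opcodes, sink names and
the sample program below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class AbsVal:
    """Abstract value of one variable: a finite set of candidate strings
    (None means TOP, i.e. any string) and the sensitive sources that reach it."""
    values: Optional[Set[str]]
    taints: Set[str] = field(default_factory=set)

    def is_constant(self) -> bool:
        return self.values is not None


def join(a: AbsVal, b: AbsVal) -> AbsVal:
    """Merge point of two branches: union of candidates, TOP if either is TOP."""
    vals = None if a.values is None or b.values is None else a.values | b.values
    return AbsVal(vals, a.taints | b.taints)


def concat(a: AbsVal, b: AbsVal) -> AbsVal:
    """String concatenation on value sets (cross product), TOP propagates."""
    if a.values is None or b.values is None:
        vals = None
    else:
        vals = {x + y for x in a.values for y in b.values}
    return AbsVal(vals, a.taints | b.taints)


@dataclass(frozen=True)
class Finding:
    kind: str    # endpoint | cleartext | data-flow | hardcoded-credential
    detail: str


def analyze(program: List[Tuple]) -> Tuple[Dict[str, AbsVal], List[Finding]]:
    """Single forward pass over SSA-style statements (phi nodes mark merges)."""
    env: Dict[str, AbsVal] = {}
    findings: List[Finding] = []
    for stmt in program:
        op = stmt[0]
        if op == "const":        # ("const", dst, literal)
            env[stmt[1]] = AbsVal({stmt[2]})
        elif op == "input":      # ("input", dst, source-label): runtime data
            env[stmt[1]] = AbsVal(None, {stmt[2]})
        elif op == "concat":     # ("concat", dst, a, b)
            env[stmt[1]] = concat(env[stmt[2]], env[stmt[3]])
        elif op == "phi":        # ("phi", dst, a, b): value from either branch
            env[stmt[1]] = join(env[stmt[2]], env[stmt[3]])
        elif op == "send":       # ("send", url_var, payload_var): network sink
            url, payload = env[stmt[1]], env[stmt[2]]
            if url.values is None:
                findings.append(Finding("endpoint", "unresolved (depends on runtime input)"))
            for u in sorted(url.values or []):
                parts = urlsplit(u)
                host = parts.hostname or "?"
                findings.append(Finding("endpoint", u))
                if parts.scheme == "http":
                    findings.append(Finding("cleartext", u))
                for t in sorted(payload.taints):
                    findings.append(Finding("data-flow", f"{t} -> {host}"))
        elif op == "auth":       # ("auth", user_var, pass_var): credential sink
            pw = env[stmt[2]]
            if pw.is_constant():
                findings.append(Finding("hardcoded-credential", ", ".join(sorted(pw.values))))
        else:
            raise ValueError(f"unknown op {op!r}")
    return env, findings


# Constructed sample "app": region-dependent API base, telemetry upload,
# a third-party analytics call, a fixed password, and a cloud-configured broker.
SAMPLE_APP = [
    ("const", "base_eu", "https://api.eu.example-iot.test/v1/"),
    ("const", "base_us", "https://api.us.example-iot.test/v1/"),
    ("phi", "base", "base_eu", "base_us"),
    ("const", "path", "telemetry"),
    ("concat", "url", "base", "path"),
    ("input", "loc", "gps-location"),
    ("const", "sep", "&"),
    ("input", "devid", "device-serial"),
    ("concat", "body0", "loc", "sep"),
    ("concat", "body", "body0", "devid"),
    ("send", "url", "body"),
    ("const", "ana", "http://stats.third-party.test/collect"),
    ("send", "ana", "loc"),
    ("const", "user", "admin"),
    ("const", "pw", "s3cret"),
    ("auth", "user", "pw"),
    ("input", "mqtt_host", "cloud-config"),
    ("send", "mqtt_host", "devid"),
]

if __name__ == "__main__":
    _, found = analyze(SAMPLE_APP)
    for f in found:
        print(f"{f.kind:22} {f.detail}")
```

The phi node is what makes this value-set rather than constant propagation: `url` resolves to both regional endpoints instead of "unknown", so every host the app can talk to is reported, while the broker address pulled from cloud configuration correctly stays unresolved. The taint labels ride along through concatenation, which is how the location data is seen reaching the cleartext third-party analytics host.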