Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes
Z-Wave smart home Internet of Things devices are used to save energy, increase comfort, and remotely monitor home activities. In the past, security researchers found Z-Wave device vulnerabilities through reverse engineering, manual audits, and penetration testing. However, they did not fully use fuz...
Main Authors: | Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, Heejo Lee |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2022-01-01 |
Series: | IEEE Access |
Subjects: | Smart home security; Z-Wave; Internet of Things; fuzzing; vulnerabilities discovery |
Online Access: | https://ieeexplore.ieee.org/document/9663293/ |
_version_ | 1798035695472738304 |
---|---|
author | Carlos Kayembe Nkuba; Seulbae Kim; Sven Dietrich; Heejo Lee |
author_facet | Carlos Kayembe Nkuba; Seulbae Kim; Sven Dietrich; Heejo Lee |
author_sort | Carlos Kayembe Nkuba |
collection | DOAJ |
description | Z-Wave smart home Internet of Things devices are used to save energy, increase comfort, and remotely monitor home activities. In the past, security researchers found Z-Wave device vulnerabilities through reverse engineering, manual audits, and penetration testing. However, they did not fully use fuzzing, which is an automated cost-effective testing technique. Thus, in this paper, we present VFUZZ, a protocol-aware blackbox fuzzing framework for quickly assessing vulnerabilities in Z-Wave devices. VFUZZ assesses the target device capabilities and encryption support to guide seed selection and tests the target for new vulnerability discovery. It uses our field prioritization algorithm (FIPA), which mutates specific Z-Wave frame fields to ensure the validity of the generated test cases. We assessed VFUZZ on a real Z-Wave network consisting of 19 Z-Wave devices ranging from legacy to recent ones, as well as different device types. Our VFUZZ evaluation found 10 distinct security vulnerabilities and seven crashes among the tested devices and yielded six unique common vulnerabilities and exposures (CVE) identifiers related to the Z-Wave chipset. |
first_indexed | 2024-04-11T21:01:44Z |
format | Article |
id | doaj.art-495e3f93e1524cb3b987b5e7a1c674c4 |
institution | Directory Open Access Journal |
issn | 2169-3536 |
language | English |
last_indexed | 2024-04-11T21:01:44Z |
publishDate | 2022-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj.art-495e3f93e1524cb3b987b5e7a1c674c4; 2022-12-22T04:03:28Z; eng; IEEE; IEEE Access; 2169-3536; 2022-01-01; 10; 1775; 1789; 10.1109/ACCESS.2021.3138768; 9663293; Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes; Carlos Kayembe Nkuba (0) https://orcid.org/0000-0002-6424-9054; Seulbae Kim (1) https://orcid.org/0000-0001-9990-7953; Sven Dietrich (2); Heejo Lee (3) https://orcid.org/0000-0002-5831-0787; (0) Department of Computer Science and Engineering, Korea University, Seoul, Republic of Korea; (1) Department of Computer Science, Georgia Institute of Technology, Atlanta, GA, USA; (2) Department of Computer Science, Hunter College, City University of New York (CUNY), New York, NY, USA; (3) Department of Computer Science and Engineering, Korea University, Seoul, Republic of Korea; Z-Wave smart home Internet of Things devices are used to save energy, increase comfort, and remotely monitor home activities. In the past, security researchers found Z-Wave device vulnerabilities through reverse engineering, manual audits, and penetration testing. However, they did not fully use fuzzing, which is an automated cost-effective testing technique. Thus, in this paper, we present VFUZZ, a protocol-aware blackbox fuzzing framework for quickly assessing vulnerabilities in Z-Wave devices. VFUZZ assesses the target device capabilities and encryption support to guide seed selection and tests the target for new vulnerability discovery. It uses our field prioritization algorithm (FIPA), which mutates specific Z-Wave frame fields to ensure the validity of the generated test cases. We assessed VFUZZ on a real Z-Wave network consisting of 19 Z-Wave devices ranging from legacy to recent ones, as well as different device types. Our VFUZZ evaluation found 10 distinct security vulnerabilities and seven crashes among the tested devices and yielded six unique common vulnerabilities and exposures (CVE) identifiers related to the Z-Wave chipset.; https://ieeexplore.ieee.org/document/9663293/; Smart home security; Z-Wave; Internet of Things; fuzzing; vulnerabilities discovery |
spellingShingle | Carlos Kayembe Nkuba; Seulbae Kim; Sven Dietrich; Heejo Lee; Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes; IEEE Access; Smart home security; Z-Wave; Internet of Things; fuzzing; vulnerabilities discovery |
title | Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes |
topic | Smart home security; Z-Wave; Internet of Things; fuzzing; vulnerabilities discovery |
url | https://ieeexplore.ieee.org/document/9663293/ |