Projects

The SmartHome Lab has produced many impressive projects and papers. Summaries of these achievements can be found below. Further inquiries can be sent to cci-smarthomelab@uncc.edu.

Exploiting Memory Corruption Vulnerabilities in Connman for IoT Devices

-K. V. English, Islam Obaidat, and Meera Sridhar

Students and faculty who work in the UNCC SmartHome Lab conducted research into the feasibility of taking control of consumer IoT devices using memory exploits. The experiments included crashing the targeted software application and executing arbitrary code on it.


K. V. English, Islam Obaidat, and Meera Sridhar. Practical Experience Report: Exploiting Memory Corruption Vulnerabilities in Connman for IoT Devices. In Proceedings of the 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2019.


Realizing Assembly Code Diversification for IoT Software

-Islam Obaidat and Meera Sridhar

Unlike traditional computing systems (such as desktop computers and servers), IoT devices have various constraints, such as low-power and low-cost requirements, that prevent the software protections used in traditional systems from being used to protect IoT devices. Consequently, IoT devices continue to be susceptible to attacks that compromise their software integrity. In these attacks, attackers can easily exploit software weaknesses and vulnerabilities in IoT devices to execute arbitrary code and take control of these devices remotely. To thwart attacks that use code injection across this immense software attack surface to control these devices, we develop a software diversification tool that randomizes IoT devices' software implementation at the binary code level. Software diversity techniques add probabilistic protection to the IoT binary by randomizing its software implementation (i.e., multiple copies of IoT devices with the same functionality would have different instruction sequences in their software implementation). This probabilistic protection implies that a successful attack on one IoT device is not guaranteed to work on multiple IoT devices, preventing mass attacks from being conducted.

Analyzing security practices in web-based SmartHome IoT mobile apps

-Abhinav Mohanty and Meera Sridhar

With the exponential growth in the number of smarthome IoT devices such as light bulbs, thermostats, power-switches, security cameras, and home security systems, securing the smarthome ecosystem becomes imperative. This work identifies the security issues in the companion apps built using hybrid app development frameworks that can be exploited to launch serious cyberattacks against the IoT device, or the smartphone itself, and compromise user privacy.

Informing End-users' Security and Privacy Perceptions, Concerns, Behaviors, and Needs in the Smart Home

-Madiha Tabassum and Heather Lipford

Smart homes are more connected than ever before, with a variety of commercial Internet of Things devices available. The use of these devices introduces new security and privacy risks in the home, and with them a need to help users understand and mitigate those risks by giving them some level of control over their data. To do so, it is necessary to have a thorough understanding of smart home users' security and privacy perceptions, behaviors, preferences, and needs, which is still lacking in the literature. In this project, we examine the current state of end-user knowledge of smart home devices' data practices, available privacy controls, and end users' security and privacy concerns and behaviors. The goal is to identify gaps in the current privacy control and awareness mechanisms by comparing them against end users' perceptions, concerns, and needs, and to provide guidelines for designing such mechanisms to assist users in making better security and privacy decisions in the smart home.


Madiha Tabassum, Tomasz Kosinski, Heather Richter Lipford. "'I don't own the data': End User Perceptions of Smart Home Device Data Practices and Risks". In Proceedings of the Symposium on Usable Privacy and Security (SOUPS), August, 2019.

Madiha Tabassum, Jess Kropczynski, Pamela Wisniewski, Heather Richter Lipford. "Smart Home Beyond the Home: A Case for Community-Based Access Control". In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI), April, 2020.

Class-sourced Penetration Testing of IoT Devices

-Abhinav Mohanty, Parag Mhatre, and Meera Sridhar

In this project, we conducted a case study exploring an unconventional method, class-sourced penetration testing of IoT devices, and presented its preliminary results, which include the discovery of two zero-day vulnerabilities in OpenWrt router firmware.


Abhinav Mohanty, Parag Mhatre and Meera Sridhar. POSTER: Class-sourced Penetration Testing of IoT Devices. Presented in IEEE SafeThings (Workshop in IEEE S&P), 2019.


Automated Cross-site Scripting exploit generation using Natural Language Processing

-Yates Snyder, Yaw Frempong, Erfan Al-Hossami, Meera Sridhar, and Samira Shaikh

This research looks into utilizing Automated Exploit Generation and Natural Language Processing to build tools that can create Cross-site Scripting attacks from human intent in the form of English sentences found on the internet (social media, forums, CVE reports, etc.). Research is currently being done to improve HIJaX by expanding its domain from web applications to also include IoT mobile applications, in addition to increasing the complexity of the Cross-site Scripting attacks it can generate.


Gamifying cybersecurity courses using Artificial Intelligence

-Abhinav Mohanty, Diep Nguyen, Pooja Murarisetty, Julio Bahamon, Harini Ramaprasad, and Meera Sridhar

This research looks into gamifying cybersecurity hands-on activities, and presents Criminal Investigations, a text-based interactive activity for teaching and assessing skills required to reverse-engineer and analyze firmware on Internet-of-things (IoT) devices. Criminal Investigations incorporates elements of gamification into an assignment that will be used in upper-division undergraduate cybersecurity courses. The activity is designed with the goal of increasing student engagement and learning by incorporating game design concepts, such as storytelling, experience points (XP), just-in-time learning content delivery and checkpoints into the game design.