Individualized Cybersecurity Research Mentoring (iMentor) Workshop 2023

Keynote

Martina Lindorfer

TU Wien 

Title: IoTFlow the Making-Of: Inferring IoT Device Behavior at Scale through Static Mobile Companion App Analysis

Abstract: The number of “smart” devices, that is, devices making up the Internet of Things (IoT), is steadily growing. They suffer from vulnerabilities just as any other software and hardware does. Automated analysis techniques can detect and address weaknesses before attackers can misuse them. Applying existing techniques, or developing new approaches that are sufficiently general, is challenging, though: contrary to other platforms, the IoT ecosystem features a wide variety of software and hardware architectures.

We introduce IoTFlow, a new static analysis approach for IoT devices that leverages their mobile companion apps to address the diversity and scalability challenges. IoTFlow combines Value Set Analysis (VSA) with more general data-flow analysis to automatically reconstruct and derive how companion apps communicate with IoT devices and remote cloud-based backends, what data they receive or send, and with whom they share it. We analyzed 9,889 manually verified companion apps with IoTFlow to understand and characterize the current state of security and privacy in the IoT ecosystem. We discovered various IoT security and privacy issues, such as abandoned domains, hard-coded credentials, expired certificates, and sensitive personal information being shared.

In this talk I will discuss the making-of of the IoTFlow paper, from its inception, through various iterations and revisions, to its final presentation at ACM CCS 2023.

Bio: Martina Lindorfer is an associate professor at TU Wien, which she joined at the end of 2018, and a key researcher at SBA Research, the largest research center in Austria that exclusively addresses information security. She received her PhD from TU Wien in 2016 and spent two years as a postdoc at the University of California, Santa Barbara. Her research and outreach activities have been recognized with the ERCIM Cor Baayen Young Researcher Award, the ACM CyberW Early Career Award for Women in Cybersecurity Research, and the Hedy Lamarr Award from the City of Vienna.

Her research focuses on applied systems security and privacy, with a special interest in automated static and dynamic analysis techniques for the large-scale analysis of applications for malicious behavior, security vulnerabilities, and privacy leaks. Building on her background in malware analysis, she currently focuses on the analysis of mobile apps to enable transparency and accountability in the way they process and share private information. The resulting tools help uncover new and unexpected ways in which apps violate users' privacy expectations.