KIPS Transactions on Computer and Communication Systems (정보처리학회논문지:컴퓨터 및 통신 시스템)

Korea Information Processing Society (한국정보처리학회)
권호 표지
DOI QR코드

DOI QR Code

Threat-Based Security Analysis for the Domestic Smart Home Appliance

위협 모델링을 이용한 국내 스마트 홈 보안 분석에 대한 연구

  • 홍바울 (고려대학교 정보보호대학원 정보보호학과) ;
  • 이상민 (고려대학교 정보보호대학원 정보보호학과) ;
  • 박민수 (고려대학교 정보보호대학원 정보보호학과) ;
  • 김승주 (고려대학교 사이버국방학과/정보보호대학원)
  • Received : 2016.11.11
  • Accepted : 2016.12.10
  • Published : 2017.03.31
Download PDF
⟨ Previous Next ⟩

Abstract

Smart Home Appliance which makes people to operate machines in the home by remote control is service or technology to provide convenience. It is close to home, so it has privacy problem and security problem. If Smart Home Applications is attacked, Scale of damage is anticipated. In case of products from overseas country, various vulnerability has been announced every year. Therefore, It is necessary to identify and to analysis threats of Smart Home Appliance using systematically method for using safe Smart home appliance service. In this paper, we present check list for identifying and analyzing threats using Threat Modeling and then we analyzed the Domestic Smart Home Appliance using check list which we present.

스마트 홈은 집에서 사용하는 가전기기를 집 밖에 있는 사람이 원격으로 제어할 수 있는 기술 및 서비스로서 사용자에게 편의성을 제공한다. 사람과 가장 밀접한 장소인 집 내부에 서비스를 제공하기 때문에 공격자에 의한 악의적인 기기제어, 사생활 침해와 같은 보안 사고가 있는 경우 피해 규모가 클 것으로 예상된다. 현재 해외 제품의 경우 가전기기의 취약점들이 매년 지속적으로 발표되고 있으며 이러한 취약점들은 사용자의 안전과 개인 자산에 심각한 문제를 발생할 수 있다. 따라서 국내의 스마트 홈 서비스를 안전하게 이용하기 위해서는 스마트 홈 환경에서 발생할 수 있는 전체적인 위협을 체계적으로 식별하고 분석하는 것이 필요하다. 본 논문에서는 위협 모델링을 사용하여 스마트 홈 환경에서 발생할 수 있는 위협을 체계적으로 식별하고 스마트 홈 환경의 보안을 분석하기 위한 체크리스트를 제안한다. 제안한 체크리스트의 실효성을 위해 실제 서비스에 적용하여 스마트 홈을 분석한다.

Keywords

References

  1. ITU, ITU Internet Reports 2005, Internet of Things(2005).
  2. ITU-T Y.2060, Overview of the Internet of Things(2012).
  3. 미래창조과학부, "사물인터넷기본계획," 2014
  4. STRATEGY ANALYTICS, "About Smart Home," [Internet], https://www.strategyanalytics.com/access-services/devices/ connected-home/smart-home/about-smart-home#.WBmnDfmLRGo.
  5. Behrang Fouladi and Sahand Ghanoun, 'Honey, I'm Home!!: Hacking Z-Wave Home Automation System', Black Hat 2013, USA, 2013.
  6. Tobias Zillner, 'Zigbee Exploited: The Good, the Bad, the Ugly,' Black Hat USA 2015, USA, 2015.
  7. Joseph Hall, 'Breaking Bulbs Briskly by Bogus Broadcasts,' ShmooCon 2016, USA, 2016.
  8. Daniel Crowley, "Home Invasion V2.0 - Attacking Network-Controlled Hardware," BlackHat USA, USA, 2013.
  9. Grant Hernandez, "Smart Nest Themostat A Smart Spy in Your Home," Black Hat USA, USA, 2014.
  10. Mungmung, "Home Network Hacking," SECUINSIDE, Korea, 2015.
  11. Thomas Reuter, "Security analysis of wireless communication standards for home automation," Technische Universitat Munchen, 2013.
  12. Fuller, Jonathan D. and Benjamin W. Ramsey, "Rogue Z-Wave controllers: A persistent attack channel," Local Computer Networks Conference Workshops (LCN Workshops), 2015 IEEE 40th, IEEE, 2015.
  13. E. Fernandes, J. Jung, and A. Prakash, "Security Analysis of Emerging Smart Home Applications," in Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, pp.636-654, 2016.
  14. OWASP, "OWASP Internet of Things(IoT) Project," [Internet], https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project.
  15. OWASP, "OWASP Internet of Things(IoT) Project_Firmware Analysis Project," [Internet], https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Firmware_Analysis.
  16. OWASP, "OWASP Internet of Things(IoT) Project_IoT Attack Surface Areas Project," [Internet], https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas.
  17. Noel Poore, "Internet of Things Security Architecture [BOF3029]," ORACLE OPENWOLRD 2014, San Francisco, 2014.
  18. Yuri Diogenes, "Internet of Things security architecture," 2016 [Internet], https://azure.microsoft.com/en-us/documentation/articles/iot-security-architecture/.
  19. Shellphish, "Using static binary analysis to find vulnerabilities and backdoors in Firmware," BalckHat USA, USA, 2015.
  20. Wen Xu, "Ah! Universal Android Rooting is Back!," BlackHat USA, USA, 2015.
  21. SM Sajjad, "Security analysis of IEEE 802.15.4 MAC in the context of Internet of Things(IoT)," CIACS, 2014.
  22. Mike Ryan, "Bluethooth Smart: The Good, The Bad, The Ugly... and The fix," BlackHat USA, USA, 2013.
  23. Fouladi, Behrang, and Sahand Ghanoun, "Security evaluation of the Z-Wave wireless protocol," Black hat USA 24 (2013).
  24. Zachary Cutlip, "SQL Injection to MIPS overflows: Rooting SOHO Routers," BlackHat USA, USA, 2012.
  25. John Mcnabb, "KillerBee: Practical ZigBee Exploitation Framework," Boston 2010, Boston, 2010.
  26. Travis Goodspeed, "A 16 bit Rookit and Second Generation Zigbee Chips," BlackHat USA, USA, 2009.
  27. LINDNER, "Router Exploitation," BlackHat USA, USA, 2009
  28. John Heasman, "Hacking the Extensible Firmware Interface," BlackHat USA, USA, 2007.
  29. Barnaby Jack, "Exploiting Embedded Systems," BlackHat Amsterdam, Amsterdam, 2006.
  30. Brendan O'Connor, "Vulnerabilities in Not-So Embedded Systems," BlackHat USA, USA, 2006.
  31. Breeuwsma, M. F. "Forensic imaging of embedded systems using JTAG (boundary-scan)," digital investigation 3.1 (2006): 32-42.
  32. The MITRE Corporation, "CAPEC CATEGORY: Software," [Internet], https://capec.mitre.org/data/definitions/513.html.
  33. The MITRE Corporation, "CAPEC CATEGORY: Hardware," [Internet], https://capec.mitre.org/data/definitions/515.html.
  34. OWASP, "OWASP Top Ten Cheat Sheet" [Internet], https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet.
  35. SANS, "CWE/SANS TOP 25 Most Dangerous Software Errors," [Internet], https://www.sans.org/top25-software-errors/.
  36. Common Vulnerabilities and Exposures, "CVE-2015-4080," [Internet], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4080.
  37. Common Vulnerabilities and Exposures, "CVE-2014-8730," [Internet], https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730.