George Mason University Team Develops IoT Security Fuzzer

By Claire Swedberg

The first version of the technology challenges IoT based sensors and actuators with simulated malicious attacks and has identified vulnerabilities in some existing products

Researchers at George Mason University (GMU) have developed a technology that tests new IoT devices for security weaknesses before they are released into the market or deployed by an end user.

The IoT fuzzing solution is aimed at identifying whether an IoT product is prone to attacks, leveraging a low-cost dongle—for transmission—and software accessed by a laptop or desktop computer to generate attacks and analyze the results.

The project was led by GMU’s Department of Computer Science associate professor Qiang Zeng. Zeng, who has been researching IoT security and privacy concerns for the past five years, determined that fuzzing was a good approach to analyzing vulnerable IoT devices.

RFID Journal Live

Attacks Aimed at IoT Device Vulnerabilities

The resulting technology puts a product through a series of increasingly severe attacks. Tested with ZigBee and Z-Wave based IoT sensors and actuators, several dozen vulnerabilities were identified in commercially released products thus far, the research team reported.

Fuzzing is an existing software testing technique in which invalid or unexpected data is introduced to a program. The program is then monitored for crashes, memory leaks or vulnerability to foreign code. In the case of IoT technology, a fuzzing device can generate a variety of inputs aimed at testing the security of the software residing on an IoT device.

The fuzzer can be used with manipulated inputs to launch more severe attacks such as injecting a malicious code aimed at remotely controlling the device.

“Number one step you find something that can crash the device,” said Zeng. “Number, two, you further manipulate the input to make it to something more serious.”

For the project, Zeng and his researchers, including Xiaoyue Ma whom he cited as "main developer," emulated an IoT device and then set about using its fuzzer to attempt to crash it. They then tested off-the-shelf IoT products that are used for functions such as smart meters, lighting controls or locks that communicate with a wireless network.

Challenges Facing the IoT Industry

There are two ongoing challenges for technology makers and users as IoT solutions proliferate, Zeng said. One is that devices are becoming increasingly inexpensive (some sensors can cost $ 10 or 20).

Due to the low cost and low profit-margin, he pointed out, “[Device companies] have lots of constraints in terms of resources. They do not have that luxury to install an antivirus system or intrusion detection system,” into each device he said, the way companies can do in high value connected devices “like our desktop or our laptop.”

The second challenge many in the industry face is producing the IoT devices for a small- or medium-sized business that does not have the techniques or resources to afford extensive security testing. GMU’s fuzzer solution could be targeted specifically to such companies Zeng pointed out.

“We can do their work,” by providing a device that challenges the new device before it is released to customers, said Zeng.

How it Works

The solution consists of a dongle plugged into a laptop or other computer. The early version can transmit via IEEE 802.15.4-based Zigbee or Z-Wave (a building automation protocol that transmits in the 900 MHz range). It transmits without any “per device” effort, Zeng added. Such a dongle could be low cost ($20).

The software enables the dongle to begin transmitting attacks to a specific device. Because most devices in which the software would be running have the ability to transmit via Bluetooth, BLE or Wi-Fi, fuzzing attacks could be sent via those communication protocols.

The user could either be a company installing a set of new IoT devices—such as sensors or actuators–or an IoT device maker that wants to test products before releasing them to the market. In either case, they would select a sample device and then launch the software to begin its attacks. The system can then test that device to attempt to crash or invade its software.

The software would then report the results to the user. If the device was found invulnerable, the users could then trust its security and install all of the devices the sample represented.

Additionally, the system can be used before making software updates, by first updating the software on a sample device and then putting it through the same fuzzing process.

Communicating Across Common IoT Protocols

While the system currently can transmit with ZigBee and Z-Wave, the researchers are now testing other common wireless protocols. “That's probably the hardest part of the development,” Zeng said, since it’s very difficult to make a solution that can communicate across the many protocols that wireless devices use.

Protocols such as Matter and Thread may be the future of many IoT solutions, especially related to smart buildings. The research team is targeting both for the next version of their fuzzer.

The goal is to offer a technology that can test any product, without requiring an interaction with the company that makes the product.

“IoT devices are so diverse, we have different communication protocols we have even the application design standards, so we want to extend our research,” he said.

Testing Has Found Existing Weaknesses

Early testing has already discovered weaknesses—23 vulnerabilities so far— in some existing IoT products and researchers have contacted the companies whose devices fell to the fuzzing attacks.

The group has registered six Common Vulnerabilities and Exposures (CVE) identifier certifications thus far, a reference system used by the U.S. government and maintained by the Mitre Corporation to identify software security weaknesses.

In the meantime, Zeng argued that by identifying the vulnerabilities, the technology has proven the need, and value of low cost, easily accessed security testing.

“These are the kind of results that demonstrate this kind of research is important,” he said.

Future Opportunities for Technology

The future goal for the researchers is to gain funding for further research and commercialization of the technology. Long term, Zeng expects the device could be used with the majority of IoT products.

Versions of the hardware that transmits data could consist of a unit built directly into a testing product rather than a dongle as well. The system could be provided as a software service that users could access with the purchase of the dongle or similar hardware device.

The solution serves as a tool for those whose products may be secure but require reinforcement as well. The expectation of the GMU researchers is that the fuzzer technology will provide one more tool to test IoT devices, trust them as a result, and then install.

Key Takeaways:
  • George Mason University research has led to a dongle device and software that challenges IoT devices with fuzzing attacks intended to attack or crash the wireless sensor or actuator.
  • The team has proven it can interact with devices via Zigbee and has already identified 23 vulnerabilities in existing commercial products.