INTERNET OF THINGS MOBILITY FORENSICS
K M Sabidur Rahman, Matt Bishop and Al Holt
Speaker: K M Sabidur Rahman (krahman@ucdavis.edu)
INSuRECon16
9/23/2016
Agenda
• Motivation and literature review
• About the device: Sen.se Mother
• Collection of data
• Classification of data
• Attack scenarios
• Forensic model
• Limitations and future work
IoT is here
• Smart city
• Smart grid
• Smart home
• Smart car (V2V)
• Mobile-to-mobile (M2M)
But, are we ready?
“Mobility Forensics addresses technology’s movement toward
mobile devices (smart phones, tablets, small computers) and the
specialized tools and techniques needed to successfully recover data
and evidence from those devices”
http://mobility-forensics.com/
Literature review, device information and data collection
Related papers (1)
Bogdan Copos, Karl Levitt, Matt Bishop and Jeff Rowe, “Is Anybody
Home? Inferring Activity From Smart Home Network Traffic”,
MoST, 2016
• Collected network data
• Used dumpcap, a network traffic collection tool
• Used the collected data to predict if anyone is home or not
E. Oriwoh, D. Jazani, G. Epiphaniou and P. Sant, “Internet of
Things Forensics: Challenges and Approaches”, CollaborateCom,
2013
• Worked on IoT forensics using a scenario-based approach
• Introduced hypothetical attack/crime scenarios and discussed how
IoT devices change the investigation
Related papers (2)
Orlando Arias, Jacob Wurm, Khoa Hoang, and Yier Jin, “Privacy
and Security in Internet of Things and Wearable Devices”, IEEE
Tran. On Multi-scale Computing Systems, 2015
• Worked on Google Nest Thermostat and the Nike+ Fuelband
• Looked under the hood of the devices in detail
• Details about the device hardware, operating system,
booting/remote installation and communication system
• Discussed the security measures built into the devices
Sen.se Mother
Properties of the cookies
1. Motion Cookies can save up to ten days of events. As soon as they
are reconnected to a Sense Mother, they upload all the contents of
their memory
2. 1 CR2016 replaceable button cell with one year of life
3. Radio: 915 MHz (North America), 868 MHz (Europe)
4. Every movement has its signature. Place a Motion Cookie on an
object or person. It will capture and analyze its movements. It will
recognize the specific actions you want to monitor and transmit
them to your chosen Application
5. Motion Cookies also contain a thermometer. They regularly send
the ambient temperature to Mother, as well as sudden abnormal
changes
6. Signaling presence or absence
https://sen.se/store/cookie/
Properties of the Hub
https://sen.se/store/mother/
1. Wired connection to the router
2. Radio connectivity with the cookies
3. Connects to cloud to store data for the apps
Deployed sensors
Sensors deployed for testing purposes:
1. At bedroom door: security notification
2. One inside the room for room temperature detection: thermostat
3. One in the backpack: physical exercise sensing
4. The last one in my pocket: to sense whether I am home or not.
This can essentially detect whether your child/pet is inside the home or not.
Results and findings
Data classification
| Information | Source | Location | Daily routine | Severity | Forensics implication |
|---|---|---|---|---|---|
| Door movement-time | Door activity sensor | No | Yes | Medium | What time someone entered/left the room or tried to open the door? |
| Door movement-location | Door activity sensor | Yes | No | Medium | Someone entering/leaving the room or trying to open the door |
| Temperature | Temperature sensor | No | Yes (partially) | Low | If the temperature is not comfortable, there may be something wrong with the room |
| Presence at home | Presence/absence sensor | Yes | Yes | High | If the subject was present at home at the time of attack, can he/she provide vital information on the crime? |
| Steps taken | Walk sensor | No | No | Low | How long will the subject be out of home? |
| Distance walked | Walk sensor | No | No | Low | How long will the subject be out of home and how far will he/she go? |
| Time spent in walk | Walk sensor | No | Yes | Medium | How long will the subject be out of home? |
| Calories burnt | Walk sensor | No | Yes | Medium | Physical condition/activity trail of subject |
Forensic scenarios
Event 1: Burglary
Identification: Door sensor data indicates the time when the owner left home.
Data indicates that there has been an activity at 11:40 am, even though the
owner was not home at that time. The burglary happened on the same day.
Interpretation: Does the data suggest that the burglar knew the owner’s daily
schedule? This would help us investigate the incident. For example, would
looking into CCTV camera footage from across the street that was collected at
11:40 am be useful?
Preservation: Data collected by the sensor was stored in the cloud at near
real-time.
Analysis and presentation: Data presented on graphs is easy to understand
and present to court, so a graph correlating events with burglaries would be
helpful.
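The correlation described in the burglary scenario above, as an added example that is not part of the original slides: it derives absence intervals from presence-sensor reports and flags door-sensor activity inside them, with a grace window at each edge to limit false positives from detection lag. The record layout, sample timestamps and function names are constructed for illustration and do not reflect the Sen.se export format.

```python
from datetime import datetime, timedelta

# Constructed sample data. The record layout is an assumption for this
# example, not the export format of the Sen.se portal.
PRESENCE_EVENTS = [  # (ISO timestamp, state reported by the pocket sensor)
    ("2016-09-01T08:05:00", "left"),
    ("2016-09-01T17:45:00", "arrived"),
    ("2016-09-02T08:10:00", "left"),
    ("2016-09-02T08:10:30", "left"),   # duplicate report, must be ignored
]
DOOR_EVENTS = [  # ISO timestamps of door-sensor movement
    "2016-09-01T07:58:00",  # owner leaving
    "2016-09-01T11:40:00",  # activity while nobody is home
    "2016-09-01T17:47:00",  # owner back
    "2016-09-02T08:12:00",  # 2 min after "left": presence-detection lag
    "2016-09-02T13:15:00",  # inside an absence that has no end yet
]


def absence_intervals(presence_events):
    """Turn left/arrived reports into (start, end) intervals; end is None
    while the owner has not been seen arriving again."""
    intervals, away_since = [], None
    for stamp, state in sorted(presence_events):
        when = datetime.fromisoformat(stamp)
        if state == "left" and away_since is None:
            away_since = when
        elif state == "arrived" and away_since is not None:
            intervals.append((away_since, when))
            away_since = None
    if away_since is not None:
        intervals.append((away_since, None))
    return intervals


def door_activity_while_absent(door_events, intervals,
                               grace=timedelta(minutes=5)):
    """Return (event, absence_start, absence_end) for door events inside an
    absence interval, skipping a grace window at each edge of the interval."""
    flagged = []
    for stamp in sorted(door_events):
        when = datetime.fromisoformat(stamp)
        for start, end in intervals:
            after_start = when >= start + grace
            before_end = end is None or when <= end - grace
            if after_start and before_end:
                flagged.append((when, start, end))
                break
    return flagged


def review_windows(flagged, margin=timedelta(minutes=15)):
    """Time ranges around each flagged event to request from other sources
    (for example the CCTV footage mentioned in the scenario)."""
    return [(when - margin, when + margin) for when, _, _ in flagged]


if __name__ == "__main__":
    hits = door_activity_while_absent(DOOR_EVENTS,
                                      absence_intervals(PRESENCE_EVENTS))
    for (when, start, end), (lo, hi) in zip(hits, review_windows(hits)):
        print(f"door activity at {when} during absence {start} -> {end}; "
              f"review other sources from {lo} to {hi}")
```

The grace window trades false positives for false negatives: widening it hides the owner's own door movements but also hides an intruder who acts within minutes of a departure.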
IoT mobility forensics model
Data manipulation and counter measures
• How much can we trust the data extracted from IoT devices?
• How will the attacker changing the data before or after
collection affect the forensics analysis?
• Can we prevent or detect such manipulations?
False positives and negatives
• The user of IoT data and solution providers should be aware
of the existence of false positives and false negatives
• Proper steps should be taken to detect and minimize false results
More Questions!
• Can the attacker “get into” the sensors? Kasinathan et al. [19] suggest that attackers
can gain access to sensors under the right conditions.
• Can the attacker “get into” the Hub? The Hub is directly connected to the Internet and
interacts with the web portal. Work on IoT intrusion detection [23] suggests such attacks
on hubs are feasible.
• What is the communication medium? In addition to traditional wireless networks, IoT
devices are connected through cellular networks, radio, Bluetooth and other low power
communication media. This diversity makes the communication more vulnerable than
otherwise, and makes using generic protections against attacks harder.
• Can we knock down the sensors with a classic flooding attack? Although we did not
try this on our devices, Kasinathan et al. [19] suggest that DoS and flooding attacks may
disable IoT devices.
• Can data be manipulated deliberately to obstruct or mislead justice in a court of
law? We have discussed this issue in the previous section; it needs more attention from
the security community.
• Is it possible to sniff the hub and sensors? In our experimental set-up, we were able to
derive device identity (specifically, the MAC address of the Hub) by observing network
packets. Copos et al. [12] provide an example of how sniffing can lead to a major security
breach.
Limitations
• Data is collected only from smart home devices
• The forensic model proposed here has not been implemented,
deployed, and tested
• We assume implementation of the model will be scalable for the
fast growing number of devices, which may not be true
• Our findings depend on data collected from one type of device.
Perhaps different kinds of devices would produce more
consistent results.
Future work
• More generic scenario with multiple types of IoT devices and
their data
• In-depth analysis and discussion of the data collected
• Working towards a more robust and mature model for IoT
Mobility Forensics
• Privacy of the data
• The reverse question, “given a digital forensics scenario and a
forensic model, what useful data can IoT devices collect for us?”
• Focus on one specific question discussed in this paper.
Questions?
krahman@ucdavis.edu
