Web-based Attacks on Local IoT Devices

Abstract: In this paper, we present two web-based attacks against local IoT devices that any malicious web page or third-party script can perform, even when the devices are behind NATs. In our attack scenario, a victim visits the attacker's website, which contains a malicious script that communicates with IoT devices on the local network that have open HTTP servers. We show how the malicious script can circumvent the same-origin policy by exploiting error messages on an HTML5 interface or by carrying out DNS rebinding attacks. We demonstrate that the attacker can gather sensitive information from the devices (e.g., unique device identifiers and precise geolocation), track and profile the owners to serve ads, or control the devices by playing arbitrary videos and rebooting. We propose potential countermeasures to our attacks that users, browsers, DNS providers, and IoT vendors can implement.

Explanation of Demonstration: It is difficult for average consumers to know if their IoT devices are insecure and/or violating privacy policies; it would require them to sniff the traffic, on-path, using technical tools such as Wireshark that are not friendly toward average consumers. To this end, we build a tool called IoT Inspector that lets consumers sniff IoT traffic, on-path, and visualize any security and privacy issues.