Notes

In their research, Obermaier et al. performed a study on the security of Internet-based surveillance systems and demonstrated that these device types could have a significant effect on the security and privacy of the networks where they are installed. Their paper was mainly focussed on the communication vulnerabilities between the devices they were studying and the cloud-based servers the devices used to store user data and video footage. (Obermaier & Hutle, 2016)
Obermaier et al. decided not to reveal the manufacturers of the devices in which they uncovered flaws due to the severity of and nature of the uncovered vulnerabilities. However, they did share the information with the manufacturers of these devices, which would have been the ethically sound choice. As it seemed well thought out, the same approach was chosen for this paper. (Obermaier & Hutle, 2016)
Obermaier et al. chose a selection of devices to test across a broad range of market values, which could provide an indication of the level of research and development budgeted for in differing market segments. Alhough the idea was sound, it may have been better do their investigation against a larger sample size but with less time spent on each device as they only performed their research on four devices. On the other hand, this smaller sample size provided them extra time to perform more in-depth research on each device, extending to the extraction of device firmware from the memory chips themselves for analysis. (Obermaier & Hutle, 2016)
Obermaier et al. tackled the security of the cameras from the perspective of two different types of attack, a local attacker, and a remote attacker. The local attacker residing on the local network/LAN and the remote attacker being a remote party trying to access the cloud servers or cameras while external to the local network. Their paper went onto to describe several significant and well-known flaws found in the surveillance systems as described later on. (Obermaier & Hutle, 2016)
While the approach of a local and remote attack was effective, the focus of Obermaier et al.’s research was studying the communications security of the devices use of cloud storage rather than on the full set of possible vulnerabilities the devices may have. Further research could have been performed on the vulnerabilities not related to
14
communications protocols inherent in these devices, which expose these devices and the networks they are on to further risks. (Obermaier & Hutle, 2016)
Siboni et al. went in another research direction and focused on methods to discover multiple vulnerabilities and attack types for the devices themselves as well as the infrastructure the devices used. Siboni et al. wrote two papers on the subject, one focused on developing a test-bed for wearable IoT devices (Siboni S. , Shabtai, Tippenhaur, & Lee, 2016). The second paper was focused on further developing and automating their testbed to generate a risk profile for IoT devices of all types (Siboni S. , Shabtai, Sachidananda, & Elovici, 2016).
Siboni et al. created a test environment for multiple devices in an isolated space and while they included some form of passmark and risk level per scanning category, they had no formal risk categorization. They went a step further and produced automated tools for recording, reporting and analysis of their results using automated tools to feed the results and analysis thereof into a database. (Siboni S. , Shabtai, Sachidananda, & Elovici, 2016)
Siboni et al.’s papers devised practical methods for analysis of devices in an automated way; however, the use of automated vulnerability scanning is not always effective or recommended in testing the overall security of a device according to Chothia and Ruiter. (Chothia & Ruiter, 2016)
In Chothia et al.’s paper, they provided two sets of devices to groups of students who had been trained in meticulous penetration testing and reporting over several weeks. The first round of devices given to the students for testing had known and published vulnerabilities, and the students were able to find all the vulnerabilities except one. The second round of devices were provided to students without any known vulnerabilities and on the provision that scoring would be based on systematic testing and reporting methods rather than finding a device vulnerability. Despite the lack of incentive to find any device weaknesses, the students managed to find several vulnerabilities. Returning to the idea of automated vulnerability scanning, Chothia et al. tested the first set of devices again using several automated scanning tools and found no vulnerabilities despite the devices having well known published vulnerabilities. (Chothia & Ruiter, 2016)