Abstract
The rapid adoption of IoT devices has brought significant convenience to everyday life but also exposed critical security challenges. This thesis focuses on the reverse engineering and security analysis of an IoT smart lock. The goal is to assess the device’s functionality and identify potential vulnerabilities that could compromise its integrity and user safety.
The research follows a systematic approach that includes observation of hardware and software behavior, network traffic analysis, and testing for weaknesses in authentication, encryption, communication protocols, and the cloud API. Tools such as Wireshark and Burp Suite are employed to monitor interactions between the smart lock and its associated mobile application and cloud services, as well as to analyze its network traffic and response patterns. The findings revealed multiple vulnerabilities in the cloud API, which allow unauthorized access and compromise of user data. By chaining the vulnerabilities found in this work, an attacker is able to access any account for which either the email address or the phone number is known and to operate all the linked devices, including remotely unlocking a smart lock. Based on the vulnerabilities identified, a responsible disclosure was carried out in order to improve the device's security. The vendor confirmed the findings and updated the product to fix the vulnerabilities. This study underscores the importance of robust security measures in IoT devices and highlights how reverse engineering techniques can play a vital role in identifying and addressing security flaws in smart systems.