DOI: 10.1145/3618257.3624815
Research article, open access

Behind the Scenes: Uncovering TLS and Server Certificate Practice of IoT Device Vendors in the Wild

Published: 24 October 2023

Abstract

IoT devices are increasingly used in consumer homes. Despite recent work characterizing IoT TLS usage for a limited number of in-lab devices, there remains a gap in quantitatively understanding the TLS behavior of devices in the wild and the certificate management of the servers they contact.

To bridge this knowledge gap, we conduct a new measurement study focused on the practice of device vendors, using a crowdsourced dataset of network traffic from 2,014 real-world IoT devices across 721 global users. By quantifying the sharing of TLS fingerprints across vendors and across devices, we uncover the prevalent use of customized TLS libraries (i.e., libraries not matched to any known TLS library) and potential security concerns resulting from co-located TLS stacks of different services. Furthermore, we present the first known study of server-side certificate management for servers contacted by IoT devices. Our study highlights potential concerns in the TLS/PKI practice of IoT device vendors. We aim to raise visibility for these issues and motivate vendors to improve their security practice.

Supplemental Material

MP4 File
This presentation video introduces the paper "Behind the Scenes: Uncovering TLS and Server Certificate Practice of IoT Device Vendors in the Wild". The study offers a quantitative analysis of the diverse TLS configurations used by IoT devices and highlights contributors to flaws in certificate management practices employed by IoT servers.



Published In

IMC '23: Proceedings of the 2023 ACM on Internet Measurement Conference, October 2023, 746 pages. ISBN: 9798400703829. DOI: 10.1145/3618257.
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

internet of things, iot, measurements, network security, pki, public key infrastructure, tls, transport layer security

Data Availability

Presentation video: https://dl.acm.org/doi/10.1145/3618257.3624815#110-video.mp4

Conference

IMC '23: ACM Internet Measurement Conference, October 24 - 26, 2023, Montreal, QC, Canada
