Resetting Your Password Is Vulnerable: A Security Study of Common SMS-Based Authentication in IoT Device

2018 ◽  
Vol 2018 ◽  
pp. 1-15 ◽  
Author(s):  
Dong Wang ◽  
Xiaosong Zhang ◽  
Jiang Ming ◽  
Ting Chen ◽  
Chao Wang ◽  
...  

Firmware vulnerability is an important target for IoT attacks, but it is challenging, because firmware may be publicly unavailable or encrypted with an unknown key. We present in this paper an attack on the Short Message Service (SMS for short) authentication code which aims at gaining control of IoT devices without firmware analysis. The key idea is based on the observation that an IoT device usually has an official application (app for short) used to control it. A customer needs to register an account before using this app, phone numbers are usually suggested as the account name, and most of these apps have a common feature, called Reset Your Password, that uses an SMS authentication code sent to the customer's phone to authenticate the customer when he has forgotten his password. We found that an attacker can perform a brute-force attack on this SMS authentication code automatically by overcoming several challenges, and can then steal the account to gain control of the IoT devices. In our research, we have implemented a prototype tool, called SACIntruder, to enable performing such brute-force attack tests on IoT devices automatically. We evaluated it and successfully found 12 zero-day vulnerabilities, including smart lock, sharing car, smart watch, smart router, etc. We also discussed how to prevent this attack.

2019 ◽  
Vol 2019 ◽  
pp. 1-13 ◽  
Author(s):  
Deris Stiawan ◽  
Mohd. Yazid Idris ◽  
Reza Firsandaya Malik ◽  
Siti Nurmaini ◽  
Nizar Alsharif ◽  
...  

Internet of Things (IoT) devices may transfer data to the gateway/application server through File Transfer Protocol (FTP) transaction. Unfortunately, in terms of security, the FTP server at a gateway or data sink very often is improperly set up. At the same time, password matching/theft holding is among the popular attacks as the intruders attack the IoT network. Thus, this paper attempts to provide an insight of this type of attack with the main aim of coming up with attack patterns that may help the IoT system administrator to analyze any similar attacks. This paper investigates brute force attack (BFA) on the FTP server of the IoT network by using a time-sensitive statistical relationship approach and visualizing the attack patterns that identify its configurations. The investigation focuses on attacks launched from the internal network, due to the assumption that the IoT network has already installed a firewall. An insider/internal attack launched from an internal network endangers more the entire IoT security system. The experiments use the IoT network testbed that mimic the internal attack scenario with three major goals: (i) to provide a topological description on how an insider attack occurs; (ii) to achieve attack pattern extraction from raw sniffed data; and (iii) to establish attack pattern identification as a parameter to visualize real-time attacks. Experimental results validate the investigation.


2019 ◽  
Vol 11 (1) ◽  
pp. 279
Author(s):  
Gwonsang Ryu ◽  
Seung-Hyun Kim ◽  
Daeseon Choi

Short message service (SMS) is the most widely adopted multi-factor authentication method for consumer-facing accounts. However, SMS authentication is susceptible to vulnerabilities such as man-in-the-middle attack, smishing, and device theft. This study proposes implicit authentication based on behavioral pattern of users when they check an SMS verification code and environmental information of user proximity to detect device theft. User behavioral pattern is collected by using the accelerometer and gyroscope of a smart device such as a smartphone and smart watch. User environmental information is collected using device fingerprint, wireless access point, Bluetooth, and global positioning system information. To evaluate the performance of the proposed scheme, we perform experiments using a total of 1320 behavioral and environmental data collected from 22 participants. The scheme achieves an average equal error rate of 6.27% when using both behavioral and environmental data collected from only a smartphone. Moreover, it achieves an average equal error rate of 0% when using both behavioral and environmental data collected from a smartphone and smart watch. Therefore, the proposed scheme can be employed for more secure SMS authentication.


MIND Journal ◽  
2018 ◽  
Vol 1 (1) ◽  
pp. 9
Author(s):  
M Ichwan ◽  
Milda Gustian ◽  
Novan Rizky Nurjaman

Keyed-Hash Message Authentication Code (HMAC) is an algorithm for computing a MAC (Message Authentication Code) value that uses a hash function combined with a secret key. The hash function used in this study is Secure Hash Algorithm 256 (SHA256). The MAC value is used as authentication to guarantee data integrity and message authenticity. This algorithm is implemented in a home security system, in which the message exchange between the user and the security system is authenticated using HMAC. The security of this HMAC algorithm is demonstrated by the results of Avalanche effect testing, which reached 87.5% on the hash function used, and it would take up to 84 years for a brute-force attack to succeed on a key with a length of 8 characters. Keywords: keyed-Hash Message Authentication Code, Hash function, Avalanche effect, Brute force attack


2012 ◽  
pp. 1736-1753
Author(s):  
Joan Richardson ◽  
John Lenarcic

This case study chapter will outline the results of a 2006 pilot test into the use of Short Message Service (SMS) to augment the provision of student administrative services currently available through a university website. The pilot conducted utilised an SMS Prototype Tool Trigger that enabled dynamic information transfer between staff and students. Trigger facilitated live update reminders that assisted students to schedule their time and better organise themselves. Specifically, SMS technology was used to deliver physical class locations, availability and web addresses of iPod resources, important events, alerts for multimedia, examination schedules, and, assessment feedback by ‘pushing’ information to students. Trigger also provided students with pull access to study schedules and requirements. The aim of the test was to evaluate student response to the use of Trigger to improve the learning environment. The case study will identify student responses to the 2006 pilot and describe a current project that has extended the number of students participating in the study.


2020 ◽  
pp. 735-740
Author(s):  
Mohammed M. Alani ◽  
Muath Alrammal ◽  
Munir Naveed

As the number of IoT devices grows rapidly, and is soon to exceed 40 billion, security challenges grow rapidly as well. One challenge proven to wreak havoc in the past few years is the use of IoT devices as attacking tools. This paper presents the results of implementing a brute-force attack on Data Encryption Standard using clusters of IoT devices. The implementation presented was successful. Results have shown that a cluster size of 200 IoT devices was able on average to find the key within 350 seconds. Another experiment of a cluster of 2000 IoT devices succeeded in finding the key within 0.015 seconds.


2016 ◽  
Vol 2016 ◽  
pp. 1-9 ◽  
Author(s):  
Zheng Jiang ◽  
Bin Han ◽  
Peng Chen ◽  
Fengyi Yang ◽  
Qi Bi

The Internet of Things (IoT) is expected to foster the development of 5G wireless networks and requires the efficient support for a large number of simultaneous short message communications. To address these challenges, some existing works utilize new waveform and multiuser superposition transmission schemes to improve the capacity of IoT communication. In this paper, we will investigate the spatial degree of freedom of IoT devices based on their distribution, then extend the multiuser shared access (MUSA) which is one of the typical MUST schemes to spatial domain, and propose two novel schemes, that is, the preconfigured access scheme and the joint spatial and code domain scheduling scheme, to enhance IoT communication. The results indicate that the proposed schemes can reduce the collision rate dramatically during the IoT random access procedure and improve the performance of IoT communication obviously. Based on the simulation results, it is also shown that the proposed scheduling scheme can achieve the similar performance to the corresponding brute-force scheduling but with lower complexity.


2017 ◽  
Vol 10 (3) ◽  
pp. 1 ◽  
Author(s):  
Mohannad Najjar

Password storage is one of the most important cryptographic topics through the time. Different systems use distinct ways of password storage. In this paper, we developed a new algorithm of password storage using dynamic Key-Hashed Message Authentication Code function (d-HMAC). The developed improved algorithm is resistant to the dictionary attack and brute-force attack, as well as to the rainbow table attack. This objective is achieved by using dynamic values of dynamic inner padding d-ipad, dynamic outer padding d-opad and user’s public key as a seed.


2020 ◽  
Vol 5 (3) ◽  
pp. 153
Author(s):  
Intan Fitriani ◽  
Aryo Baskoro Utomo

Along with the development of technology, Short Message Service (SMS) has begun to be used to communicate between someone and the system in an agency. But in some cases, the security of messages sent through the SMS application has not been well protected. To improve data security and confidentiality, cryptographic algorithms with Advanced Encryption Standard (AES) can be used. The method used is the Waterfall method. AES encryption testing is done by comparing the manual calculations and the results of the encryption on the system. Blackbox test, CrackStation test, and Avalanche Effect (AE) test were also carried out. Brute force test results using CrackStation software show that the ciphertext cannot be solved. In the avalanche effect (AE) test, the AE value of each 128-bit AES key is 44.53%, 192-bit is 48.44%, and 256-bit is 56.25%. Therefore, 192-bit and 256-bit AES keys are recommended for use because AE values are in the range of 45% - 60%.

