IoTica : Network Level IoT Protection Lab

Computer networks have undergone and continue to experience a major transformation, whereby billions of low-cost devices are being connected to the network to provide additional functionality and better user experience.
Unlike traditional network devices, these devices, collectively known as the "Internet of Things" (IoT), typically have very limited computational, memory, and power resources .
These IoT devices became a major security concern, both due to human factors and to technical challenges in deploying security mechanisms on devices with low resources.
The number and diversity of IoT devices creates a huge attack surface that is often exploited by attackers to launch large-scale attacks, sometimes exploiting well-known vulnerabilities.
Our group talk focus is on the security aspects of IoT devices from a networking perspective.


Prof. Yehuda Afek, Tel-Aviv University
Prof. Anat Bremler-Barr, Interdisciplinary Center Herzliya
Prof. David Hay, Hebrew University

Students (past and present):

Lior Shafir
Haim Levy
Avraham Shalev
Gafnit Abraham
Ido Goldbaum


NFV-based IoT Security for Home Networks using MUD
Yehuda Afek, Anat Bremler-Barr, David Hay, Ran Goldschmidt, Lior Shafir, Gafnit Abraham, Avraham Shalev
Accepted to NOMS 2019

A new scalable ISP level system architecture to secure and protect all IoT devices in a large number of homes is presented. The system is based on whitelisting, as in the Manufacturer Usage Description (MUD) framework, implemented as a VNF. Unlike common MUD suggestions that place the whitelist application at the home/enterprise network, our approach is to place the enforcement upstream at the provider network, combining an NFV (Network Function Virtualization) with router/switching filtering capabilities, e.g., ACLs. The VNF monitors many home networks simultaneously, and therefore, is a highly-scalable managed service solution that provides both the end customers and the ISP with excellent visibility and security of the IoT devices at the customer premises.
The system includes a mechanism to distinguish between flows of different devices at the ISP level despite the fact that most home networks (and their IoT devices) are behind a NAT and all the flows from the same home come out with the same source IP address. Moreover, the NFV system needs to receive only the first packet of each connection at the VNF, and rules space is proportional to the number of unique types of IoT devices rather than the number of IoT devices. The monitoring part of the solution is off the critical path and can also uniquely protect from incoming DDoS attacks.
To cope with internal traffic, that is not visible outside the customer premise and often consists of P2P communication, we suggest a hybrid approach, where we deploy a lightweight component at the CPE, whose sole purpose is to monitor P2P communication. As current MUD solution does not provide a secure solution to P2P communication, we also extend the MUD protocol to deal also with peer-to-peer communicating devices. A PoC with a large national level ISP proves that our technology works as expected.

IoT or NoT: Identifying IoT Devices in a ShortTime Scale
Anat Bremler-Barr, Haim Levy, Zohar Yakhini
Accepted to NOMS 2019

In recent years the number of IoT devices in home networks has increased dramatically. Whenever a new device connects to the network, it must be quickly managed and secured using the relevant security mechanism or QoS policy. Thus a key challenge is to distinguish between IoT and NoT devices in a matter of minutes. Unfortunately, there is no clear indication of whether a device in a network is an IoT. In this paper, we propose different classifiers that identify a device as IoT or non-IoT, in a short time scale, and with high accuracy.
Our classifiers were constructed using machine learning techniques on a seen (training) dataset and were tested on an unseen (test) dataset. They successfully classified devices that were not in the seen dataset with accuracy above 95%. The first classifier is a logistic regression classifier based on traffic features. The second classifier is based on features we retrieve from DHCP packets. Finally, we present a unified classifier that leverages the advantages of the other two classifiers.

Eradicating Attacks on the Internal Network with Internal Network Policy
Yehuda Afek, Anat Bremler-Barr, Alon Noy
Under submission

In this paper we present three attacks on private internal networks behind a NAT and a corresponding new protection mechanism, Internal Network Policy, to mitigate a wide range of attacks that penetrate internal networks behind a NAT. In the attack scenario, a victim is tricked to visit the attacker's website, which contains a malicious script that lets the attacker access the victim's internal network in different ways, including opening a port in the NAT or sending a sophisticated request to local devices. The first attack utilizes DNS Rebinding in a particular way, while the other two demonstrate different methods of attacking the network, based on application security vulnerabilities. Following the attacks, we provide a new browser security policy, Internal Network Policy (INP), which protects against these types of vulnerabilities and attacks. This policy is implemented in the browser just like Same Origin Policy (SOP) and prevents malicious access to internal resources by external entities.