
IoT Mobility Forensics


Page 1: IoT Mobility Forensics

INTERNET OF THINGS MOBILITY FORENSICS

K M Sabidur Rahman, Matt Bishop and Al Holt

Speaker: K M Sabidur Rahman ([email protected])

INSuRECon16

9/23/2016 1

Page 2: IoT Mobility Forensics

Agenda

• Motivation and literature review

• About the device: Sen.se Mother

• Collection of data

• Classification of data

• Attack scenarios

• Forensic model

• Limitations and future work


Page 3: IoT Mobility Forensics

IoT is here

• Smart city

• Smart grid

• Smart home

• Smart car (vehicle-to-vehicle, V2V)

• Machine-to-machine (M2M)


But, are we ready?

"Mobility Forensics addresses technology's movement toward mobile devices (smart phones, tablets, small computers) and the specialized tools and techniques needed to successfully recover data and evidence from those devices"

http://mobility-forensics.com/

Page 4: IoT Mobility Forensics

Literature review, device information and data collection


Page 5: IoT Mobility Forensics

Related papers (1)

Bogdan Copos, Karl Levitt, Matt Bishop and Jeff Rowe, "Is Anybody Home? Inferring Activity From Smart Home Network Traffic", MoST, 2016

• Collected network data from a smart home

• Used dumpcap, a network traffic collection tool

• Used the collected traffic to predict whether anyone is home

E. Oriwoh, D. Jazani, G. Epiphaniou and P. Sant, "Internet of Things Forensics: Challenges and Approaches", CollaborateCom, 2013

• Took a scenario-based approach to IoT forensics

• Introduced hypothetical attack/crime scenarios and discussed how IoT devices change the investigation

Page 6: IoT Mobility Forensics

Related papers (2)

Orlando Arias, Jacob Wurm, Khoa Hoang, and Yier Jin, "Privacy and Security in Internet of Things and Wearable Devices", IEEE Transactions on Multi-Scale Computing Systems, 2015

• Worked on the Google Nest Thermostat and the Nike+ Fuelband

• Looked under the hood of each device in detail

• Details about the device hardware, operating system, booting/remote installation and communication system

• Discussed the security measures built into the devices

Page 7: IoT Mobility Forensics

Sen.se Mother

Page 8: IoT Mobility Forensics

Properties of the cookies

1. Motion Cookies can save up to ten days of events. As soon as they are reconnected to a Sense Mother, they upload all the contents of their memory

2. 1 CR2016 replaceable button cell with one year of life

3. Radio: 915 MHz (North America), 868 MHz (Europe)

4. Every movement has its signature. Place a Motion Cookie on an object or person. It will capture and analyze its movements. It will recognize the specific actions you want to monitor and transmit them to your chosen Application

5. Motion Cookies also contain a thermometer. They regularly send the ambient temperature to Mother, as well as sudden abnormal changes

6. Signaling presence or absence

Source: https://sen.se/store/cookie/

Page 9: IoT Mobility Forensics

Properties of the Hub

1. Wired connection to the router

2. Radio connectivity with the cookies

3. Connects to the cloud to store data for the apps

Source: https://sen.se/store/mother/

Page 10: IoT Mobility Forensics

Deployed sensors

Deployed the sensors for testing purposes:

1. At the bedroom door: security notification

2. One inside the room for room temperature detection: thermostat

3. One in the backpack: physical exercise sensing

4. The last one also in my pocket: to sense whether I am home or not. This can essentially detect whether your child/pet is inside the home or not.

Page 11: IoT Mobility Forensics

Results and findings


Page 12: IoT Mobility Forensics

Data classification


Columns "Location" and "Daily routine" record whether the information reveals the subject's location or daily routine.

Information | Source | Location | Daily routine | Severity | Forensics implication
--- | --- | --- | --- | --- | ---
Door movement - time | Door activity sensor | No | Yes | Medium | What time did someone enter/leave the room or try to open the door?
Door movement - location | Door activity sensor | Yes | No | Medium | Someone entering/leaving the room or trying to open the door
Temperature | Temperature sensor | No | Yes (partially) | Low | If the temperature is not comfortable, there may be something wrong with the room
Presence at home | Presence/absence sensor | Yes | Yes | High | If the subject was present at home at the time of the attack, can he/she provide vital information on the crime?
Steps taken | Walk sensor | No | No | Low | How long will the subject be out of the home?
Distance walked | Walk sensor | No | No | Low | How long will the subject be out of the home and how far will he/she go?
Time spent walking | Walk sensor | No | Yes | Medium | How long will the subject be out of the home?
Calories burnt | Walk sensor | No | Yes | Medium | Physical condition/activity trail of the subject

Page 13: IoT Mobility Forensics

Forensic scenarios

Event 1: Burglary

Identification: Door sensor data indicates the time when the owner left home. The data also shows door activity at 11:40 am, even though the owner was not home at that time. The burglary happened on the same day.

Interpretation: Does the data suggest that the burglar knew the owner's daily schedule? This would help us investigate the incident. For example, would CCTV footage from across the street, recorded around 11:40 am, be useful?

Preservation: Data collected by the sensor was stored in the cloud in near real time.

Analysis and presentation: Data presented on graphs is easy to understand and to present in court, so a graph correlating sensor events with the burglary would be helpful.
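The burglary scenario above amounts to a timeline query: find door activity that falls inside a window when the presence cookie says nobody was home, then pick the interval to request from outside sources such as the CCTV footage. The script below is an added example, not code from the slides or from Sen.se; it runs over constructed sample events, and the cookie names, event kinds and the two-minute grace period are assumptions rather than the Mother's real export format. One caveat follows from the cookie properties listed earlier: a cookie out of range buffers up to ten days of events and uploads them on reconnection, so the analysis must use the event time carried in each record, not the time the cloud received it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real Sen.se Mother output): one row per cookie
# event as (local event time, cookie name, event kind).
SAMPLE_EVENTS = [
    ("2016-09-20 07:55", "pocket", "presence"),
    ("2016-09-20 08:05", "bedroom-door", "movement"),   # owner leaving
    ("2016-09-20 08:06", "pocket", "absence"),
    ("2016-09-20 11:40", "bedroom-door", "movement"),   # nobody should be home
    ("2016-09-20 18:10", "pocket", "presence"),
    ("2016-09-20 18:12", "bedroom-door", "movement"),   # owner back
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    cookie: str
    kind: str


def parse_events(rows):
    """Parse (timestamp, cookie, kind) rows into Events sorted by event time."""
    events = [Event(datetime.strptime(ts, "%Y-%m-%d %H:%M"), cookie, kind)
              for ts, cookie, kind in rows]
    return sorted(events, key=lambda e: e.ts)


def absence_windows(events, presence_cookie="pocket"):
    """Return [(left, returned)] windows derived from the presence cookie.
    'returned' is None if the log ends while the subject is still away."""
    windows, away_since = [], None
    for e in events:
        if e.cookie != presence_cookie:
            continue
        if e.kind == "absence" and away_since is None:
            away_since = e.ts
        elif e.kind == "presence" and away_since is not None:
            windows.append((away_since, e.ts))
            away_since = None
    if away_since is not None:
        windows.append((away_since, None))
    return windows


def door_events_while_away(events, door_cookie="bedroom-door",
                           grace=timedelta(minutes=2)):
    """Door movements inside an absence window, ignoring a grace period
    around leaving and returning (the owner's own use of the door)."""
    hits = []
    windows = absence_windows(events)
    for e in events:
        if e.cookie != door_cookie or e.kind != "movement":
            continue
        for left, returned in windows:
            after_leaving = e.ts >= left + grace
            before_return = returned is None or e.ts <= returned - grace
            if after_leaving and before_return:
                hits.append((e.ts, left, returned))
    return hits


def corroboration_window(ts, margin=timedelta(minutes=15)):
    """Time range to request from external sources (e.g. CCTV) around a hit."""
    return ts - margin, ts + margin


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for ts, left, returned in door_events_while_away(events):
        lo, hi = corroboration_window(ts)
        print(f"door moved at {ts:%H:%M} while owner away since {left:%H:%M}; "
              f"request CCTV for {lo:%H:%M}-{hi:%H:%M}")
```

The grace period keeps the owner's own door use on leaving and returning out of the hit list; widen it if the presence cookie reports with a delay, and treat an open-ended window (log ends while away) as still suspicious rather than dropping it.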

Page 14: IoT Mobility Forensics

IoT mobility forensics model


Page 15: IoT Mobility Forensics

Data manipulation and counter measures


• How much can we trust the data extracted from IoT devices?

• How does an attacker changing the data, before or after collection, affect the forensic analysis?

• Can we prevent or detect such manipulations?

False positives and negatives

• Users of IoT data and solution providers should be aware that false positives and false negatives exist

• Proper steps should be taken to detect and minimize false results
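The questions above about trusting IoT data and detecting manipulation are partly answerable at the preservation step: once the examiner has exported the cookie events, sealing them in a keyed hash chain makes any later edit, deletion or insertion detectable. The code below is an added example, not from the slides or from Sen.se; the records, the examiner key and the export format are constructed for illustration. It does nothing about manipulation before collection (on the cookie, the hub or in the vendor's cloud), which is exactly the part the slide says needs more attention from the security community.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical examiner key: in practice loaded from a key file or HSM that the
# device vendor and cloud operator never see. A constant here so the example runs.
EXAMINER_KEY = b"example-only-examiner-key"

# Constructed sample records in the shape of exported cookie events.
SAMPLE_RECORDS = [
    {"ts": "2016-09-20T08:05:00", "cookie": "bedroom-door", "kind": "movement"},
    {"ts": "2016-09-20T11:40:00", "cookie": "bedroom-door", "kind": "movement"},
    {"ts": "2016-09-20T18:12:00", "cookie": "bedroom-door", "kind": "movement"},
]

GENESIS = b"\x00" * 32  # tag "before" the first entry


def canonical(obj):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key=EXAMINER_KEY):
    """Wrap each record with an HMAC over (previous tag || record), forming a chain."""
    chain, prev = [], GENESIS
    for r in records:
        tag = hmac.new(key, prev + canonical(r), hashlib.sha256).digest()
        chain.append({"record": copy.deepcopy(r), "tag": tag.hex()})
        prev = tag
    return chain


def verify(chain, key=EXAMINER_KEY):
    """Index of the first entry that fails, or -1 if the chain is intact.
    Edits, deletions and insertions after sealing break the chain from the
    affected entry onward, because every tag commits to its predecessor."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev + canonical(entry["record"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return i
        prev = expected
    return -1


def acquisition_hash(chain):
    """Single SHA-256 over the sealed export, to record in the chain of custody."""
    return hashlib.sha256(canonical(chain)).hexdigest()


if __name__ == "__main__":
    sealed = seal(SAMPLE_RECORDS)
    print("intact:", verify(sealed) == -1, "hash:", acquisition_hash(sealed))
    sealed[1]["record"]["ts"] = "2016-09-20T12:40:00"   # post-collection edit
    print("first bad entry after edit:", verify(sealed))
```

Record the acquisition hash in the custody log at collection time; anyone can later recompute it over the export, while only a holder of the examiner key can verify or re-seal individual entries.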

Page 16: IoT Mobility Forensics

More Questions!


• Can the attacker "get into" the sensors? Kasinathan et al. [19] suggest that attackers can gain access to sensors under the right conditions.

• Can the attacker "get into" the Hub? The Hub is directly connected to the Internet and interacts with the web portal. Work on IoT intrusion detection [23] suggests such attacks on hubs are feasible.

• What is the communication medium? In addition to traditional wireless networks, IoT devices are connected through cellular networks, radio, Bluetooth and other low-power communication media. This diversity makes the communication more vulnerable than it would otherwise be, and makes generic protections against attacks harder to apply.

• Can we knock out the sensors with a classic flooding attack? Although we did not try this on our devices, Kasinathan et al. [19] suggest that DoS and flooding attacks may disable IoT devices.

• Can data be manipulated deliberately to obstruct or mislead justice in a court of law? We discussed this issue in the previous section; it needs more attention from the security community.

• Is it possible to sniff the hub and sensors? In our experimental set-up, we were able to derive device identity (specifically, the MAC address of the Hub) by observing network packets. Copos et al. [12] provide an example of how sniffing can lead to a major security breach.
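The last question, and the dumpcap-based collection in Copos et al. cited earlier, come down to reading link-layer headers: the hub's MAC address is in every frame it sends, and its OUI prefix often names the vendor, while the IPv4 destinations show which cloud endpoints it talks to. The parser below is an added example, not code from the slides or from any cited paper; it extracts source MACs and IPv4 peers from raw Ethernet frames. The frames and the OUI table are constructed (locally administered addresses, documentation IP ranges); a real investigation would feed it frames read from a pcap and consult the IEEE OUI registry instead of the hypothetical table.

```python
import struct
from collections import defaultdict

# Hypothetical OUI-to-vendor table; real lookups use the IEEE OUI registry.
HYPOTHETICAL_OUI = {
    "02:00:5e": "example-hub-vendor",
    "02:00:7f": "example-router-vendor",
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return (src_mac, dst_mac, ethertype, ip_src, ip_dst) from a raw Ethernet II
    frame. Handles one 802.1Q VLAN tag; IPs are None for non-IPv4 payloads."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if ethertype == 0x8100:           # VLAN-tagged: real ethertype follows the 4-byte tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    ip_src = ip_dst = None
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        ip_src = ".".join(map(str, frame[offset + 12:offset + 16]))
        ip_dst = ".".join(map(str, frame[offset + 16:offset + 20]))
    return mac_str(src), mac_str(dst), ethertype, ip_src, ip_dst


def inventory(frames):
    """Per source MAC: vendor guess from the OUI, frame count and IPv4 peers addressed."""
    seen = defaultdict(lambda: {"vendor": "unknown", "frames": 0, "peers": set()})
    for frame in frames:
        src, _dst, _ethertype, _ip_src, ip_dst = parse_frame(frame)
        entry = seen[src]
        entry["vendor"] = HYPOTHETICAL_OUI.get(src[:8], "unknown")
        entry["frames"] += 1
        if ip_dst:
            entry["peers"].add(ip_dst)
    return dict(seen)


# --- constructed test traffic (not a real capture) -----------------------------
def build_frame(src, dst, ip_src, ip_dst, vlan=None):
    """Build a minimal Ethernet II + IPv4 header frame with the given addresses."""
    def mac(s):
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    header = mac(dst) + mac(src)
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan)
    header += struct.pack("!H", 0x0800)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto(TCP), checksum, src, dst
    ipv4 = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
    return header + ipv4 + ip(ip_src) + ip(ip_dst)


HUB, ROUTER = "02:00:5e:aa:bb:cc", "02:00:7f:11:22:33"
SAMPLE_FRAMES = [
    build_frame(HUB, ROUTER, "192.168.1.50", "203.0.113.10"),           # hub -> cloud
    build_frame(ROUTER, HUB, "203.0.113.10", "192.168.1.50"),           # cloud -> hub
    build_frame(HUB, ROUTER, "192.168.1.50", "203.0.113.10", vlan=10),  # tagged variant
]

if __name__ == "__main__":
    for mac, info in inventory(SAMPLE_FRAMES).items():
        print(mac, info["vendor"], info["frames"], sorted(info["peers"]))
```

On a switched home network a passive observer sees only traffic to and from its own port, so in practice this parser runs on a capture taken at the router or via a mirror port; the hub's cloud endpoint in the peer list is what lets an analyst tell it apart from other wired devices.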

Page 17: IoT Mobility Forensics

Limitations


• Data is collected only from smart home devices

• The forensic model proposed here has not been implemented, deployed, and tested

• We assume an implementation of the model will scale to the fast-growing number of devices, which may not be true

• Our findings depend on data collected from one type of device. Perhaps different kinds of devices would produce more consistent results.

Page 18: IoT Mobility Forensics

Future work


• A more generic scenario with multiple types of IoT devices and their data

• In-depth analysis and discussion of the data collected

• Working towards a more robust and mature model for IoT Mobility Forensics

• Privacy of the data

• The reverse question, "given a digital forensics scenario and a forensic model, what useful data can IoT devices collect for us?"

• Focus on one specific question discussed in this paper.

Page 19: IoT Mobility Forensics


Questions?

[email protected]