The Internet of Things (IoT) comes with great possibilities as well as major security and privacy issues. Although digital forensics has long been studied in both academia and industry, mobility forensics is relatively new and unexplored. Mobility forensics deals with tools and techniques that work towards forensically sound recovery of data and evidence from mobile devices [1]. In this paper, we explore mobility forensics in the context of IoT. This paper discusses the data collection and classification process for IoT smart home devices in detail. It also contains an attack-scenario-based analysis of the collected data and a proposed mobility forensics model that fits such scenarios.
Cite: K. M. S. Rahman, M. Bishop, and A. Holt, “Internet of Things Mobility Forensics,” INSuRE Conference, 2016.
IoT Mobility Forensics
1. INTERNET OF THINGS MOBILITY FORENSICS
K M Sabidur Rahman, Matt Bishop and Al Holt
Speaker: K M Sabidur Rahman (krahman@ucdavis.edu)
INSuRECon16
9/23/2016
2. Agenda
• Motivation and literature review
• About the device: Sen.se Mother
• Collection of data
• Classification of data
• Attack scenarios
• Forensic model
• Limitations and future work
3. IoT is here
• Smart city
• Smart grid
• Smart home
• Smart car (V2V)
• Mobile-to-mobile (M2M)
4. But, are we ready?
“Mobility Forensics addresses technology’s movement toward mobile devices (smart phones, tablets, small computers) and the specialized tools and techniques needed to successfully recover data and evidence from those devices”
http://mobility-forensics.com/
5. Related papers (1)
Bogdan Copos, Karl Levitt, Matt Bishop and Jeff Rowe, “Is Anybody Home? Inferring Activity From Smart Home Network Traffic”, MoST, 2016
• Collected network data
• Used dumpcap, a network traffic collection tool
• Used the collected data to predict if anyone is home or not
E. Oriwoh, D. Jazani, G. Epiphaniou and P. Sant, “Internet of Things Forensics: Challenges and Approaches”, CollaborateCom, 2013
• Worked on IoT forensics using a scenario-based approach
• Introduced hypothetical attack/crime scenarios and discussed how IoT devices change the investigation
6. Related papers (2)
Orlando Arias, Jacob Wurm, Khoa Hoang, and Yier Jin, “Privacy and Security in Internet of Things and Wearable Devices”, IEEE Transactions on Multi-Scale Computing Systems, 2015
• Worked on the Google Nest Thermostat and the Nike+ Fuelband
• Looked under the hood of the devices in detail
• Details about the device hardware, operating system, booting/remote installation and communication system
• Discussed the security measures built into the devices
8. Properties of the cookies
1. Motion Cookies can save up to ten days of events. As soon as they are reconnected to a Sen.se Mother, they upload all the contents of their memory
2. One CR2016 replaceable button cell with one year of life
3. Radio: 915 MHz (North America), 868 MHz (Europe)
4. Every movement has its signature. Place a Motion Cookie on an object or person. It will capture and analyze its movements. It will recognize the specific actions you want to monitor and transmit them to your chosen Application
5. Motion Cookies also contain a thermometer. They regularly send the ambient temperature to Mother, as well as sudden abnormal changes
6. Signaling presence or absence
https://sen.se/store/cookie/
9. Properties of the Hub
https://sen.se/store/mother/
1. Wired connection to the router
2. Radio connectivity with the cookies
3. Connects to the cloud to store data for the apps
10. Deployed sensors
Deployed the sensors for testing purposes:
1. At the bedroom door: security notification
2. One inside the room for room temperature detection: thermostat
3. One in the backpack: physical exercise sensing
4. The last one in my pocket: to sense whether I am home or not. This can essentially detect if your child/pet is inside the home or not.
12. Data classification
| Information | Source | Location | Daily routine | Severity | Forensics implication |
|---|---|---|---|---|---|
| Door movement-time | Door activity sensor | No | Yes | Medium | What time someone entered/left the room or tried to open the door? |
| Door movement-location | Door activity sensor | Yes | No | Medium | Someone entering/leaving the room or trying to open the door |
| Temperature | Temperature sensor | No | Yes (partially) | Low | If the temperature is not comfortable, there may be something wrong with the room |
| Presence at home | Presence/absence sensor | Yes | Yes | High | If the subject was present at home at the time of attack, can he/she provide vital information on the crime? |
| Steps taken | Walk sensor | No | No | Low | How long will the subject be out of home? |
| Distance walked | Walk sensor | No | No | Low | How long will the subject be out of home and how far will he/she go? |
| Time spent in walk | Walk sensor | No | Yes | Medium | How long will the subject be out of home? |
| Calories burnt | Walk sensor | No | Yes | Medium | Physical condition/activity trail of subject |
13. Forensic scenarios
Event 1: Burglary
Identification: Door sensor data indicates the time when the owner left home. The data indicates that there was activity at 11:40 am, even though the owner was not home at that time. The burglary happened on the same day.
Interpretation: Does the data suggest that the burglar knew the owner’s daily schedule? This would help us investigate the incident. For example, would looking into CCTV camera footage from across the street that was collected at 11:40 am be useful?
Preservation: Data collected by the sensor was stored in the cloud in near real-time.
Analysis and presentation: Data presented on graphs is easy to understand and present to court, so a graph correlating events with burglaries would be helpful.
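The identification step above is a timeline correlation: door-sensor events are checked against the presence/absence sensor, and any door activity that falls inside an absence interval is the anomaly the investigator wants to examine (and to pull CCTV footage around). The following is an added example, not the paper's code or anything from Sen.se; the event records, the source labels "door" and "presence", and the date are constructed for illustration.

```python
"""Correlate door-sensor events with presence-sensor data and flag door
activity that happened while nobody was home. Added example with
constructed sample data; it is not the paper's own tooling."""
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source, event). The source labels
# and event names are assumptions, not the Sen.se application's own fields.
SAMPLE_EVENTS = [
    ("2016-09-20 07:55", "door", "opened"),
    ("2016-09-20 08:02", "presence", "left"),
    ("2016-09-20 11:40", "door", "opened"),     # the suspicious activity
    ("2016-09-20 11:47", "door", "opened"),
    ("2016-09-20 18:10", "presence", "arrived"),
    ("2016-09-20 18:11", "door", "opened"),     # owner coming in; normal
]


def parse(events):
    """Parse timestamps and return events in chronological order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, ev)
                  for ts, src, ev in events)


def absence_intervals(events):
    """Build [left, arrived) intervals from the presence/absence sensor.
    An open interval at the end of the log means the subject is still away."""
    intervals, left_at = [], None
    for ts, src, ev in events:
        if src != "presence":
            continue
        if ev == "left" and left_at is None:
            left_at = ts
        elif ev == "arrived" and left_at is not None:
            intervals.append((left_at, ts))
            left_at = None
    if left_at is not None:
        intervals.append((left_at, datetime.max))
    return intervals


def unattended_door_activity(events):
    """Timestamps of door events that fall inside an absence interval."""
    evs = parse(events)
    away = absence_intervals(evs)
    return [ts for ts, src, _ in evs
            if src == "door" and any(a <= ts < b for a, b in away)]


def evidence_windows(flagged, minutes=10):
    """Time windows around each flagged event for which other evidence
    (e.g. CCTV footage from across the street) would be worth requesting."""
    d = timedelta(minutes=minutes)
    return [(ts - d, ts + d) for ts in flagged]


def timeline(events):
    """Plain-text timeline, the textual counterpart of the graph the
    paper suggests presenting to a court."""
    evs = parse(events)
    away = absence_intervals(evs)
    lines = []
    for ts, src, ev in evs:
        mark = ("  <-- nobody home" if src == "door"
                and any(a <= ts < b for a, b in away) else "")
        lines.append(f"{ts:%H:%M} {src:8} {ev}{mark}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE_EVENTS)))
    for start, end in evidence_windows(unattended_door_activity(SAMPLE_EVENTS)):
        print(f"request footage {start:%H:%M}-{end:%H:%M}")
```

The presence sensor is the only thing that turns "door opened" into "door opened while nobody was home", which is why the classification table rates presence data as high severity: if that record is missing or wrong (a false negative from the sensor, or a manipulated record), the 11:40 event looks like routine activity.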
15. Data manipulation and counter measures
• How much can we trust the data extracted from IoT devices?
• How will an attacker changing the data before or after collection affect the forensic analysis?
• Can we prevent or detect such manipulations?
False positives and negatives
• The users of IoT data and solution providers should be aware of the existence of false positives and false negatives
• Proper steps should be taken to detect and minimize false results
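One counter measure to post-collection manipulation is to make the collected record set tamper-evident at the moment of collection: each record is authenticated with a keyed hash that also covers the previous record's tag, so changing, deleting or reordering any record breaks the chain at verification time. This is an added example, not a mechanism the paper proposes or that the Sen.se platform provides; the key, the record fields and the sample records are constructed.

```python
"""Tamper-evident evidence log: an HMAC chain over collected IoT records.
Added example with constructed data; not part of the paper or of Sen.se."""
import hashlib
import hmac
import json

# Constructed key for illustration only. In practice the collecting party
# holds this key; the device or hub never does, so a compromised hub cannot
# re-seal altered records.
COLLECTION_KEY = b"example-collection-key-not-for-production"
GENESIS = "0" * 64   # tag assumed for "the record before the first one"

# Constructed sample records (field names are assumptions).
SAMPLE_RECORDS = [
    {"ts": "2016-09-20 08:02", "sensor": "presence", "event": "left"},
    {"ts": "2016-09-20 11:40", "sensor": "door", "event": "opened"},
    {"ts": "2016-09-20 18:10", "sensor": "presence", "event": "arrived"},
]


def _tag(key, prev_tag, record):
    """HMAC over the previous tag and a canonical encoding of the record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, prev_tag.encode() + canon.encode(),
                    hashlib.sha256).hexdigest()


def seal(records, key=COLLECTION_KEY):
    """Return copies of the records, each carrying a chained 'tag' field."""
    sealed, prev = [], GENESIS
    for rec in records:
        tag = _tag(key, prev, rec)
        sealed.append({**rec, "tag": tag})
        prev = tag
    return sealed


def verify(sealed, key=COLLECTION_KEY):
    """Index of the first record whose tag does not match, or -1 if the
    whole chain is intact. A modified, removed or reordered record makes
    the mismatch show up at its own position or at the record after it."""
    prev = GENESIS
    for i, rec in enumerate(sealed):
        body = {k: v for k, v in rec.items() if k != "tag"}
        expected = _tag(key, prev, body)
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return i
        prev = rec["tag"]
    return -1


def head_tag(sealed):
    """Tag of the last record; record it out of band so that silently
    dropping records from the end of the log is also detectable."""
    return sealed[-1]["tag"] if sealed else GENESIS


if __name__ == "__main__":
    log = seal(SAMPLE_RECORDS)
    print("intact:", verify(log))            # -1
    altered = [dict(r) for r in log]
    altered[1]["event"] = "closed"
    print("altered record at:", verify(altered))   # 1
```

The chain detects changes and deletions inside the log, but not truncation of its tail, which is why `head_tag` exists: the collector notes the final tag (for example in the chain-of-custody record) so the expected end of the log is known. The chain also says nothing about records falsified before collection, at the sensor or hub; for those the paper's questions about sensor and hub compromise still apply, and the false-positive/negative caveat above stands.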
16. More Questions!
• Can the attacker “get into” the sensors? Kasinathan et al. [19] suggest that attackers can gain access to sensors under the right conditions.
• Can the attacker “get into” the Hub? The Hub is directly connected to the Internet and interacts with the web portal. Work on IoT intrusion detection [23] suggests such attacks on hubs are feasible.
• What is the communication medium? In addition to traditional wireless networks, IoT devices are connected through cellular networks, radio, Bluetooth and other low-power communication media. This diversity makes the communication more vulnerable than otherwise, and makes using generic protections against attacks harder.
• Can we knock down the sensors with a classic flooding attack? Although we did not try this on our devices, Kasinathan et al. [19] suggest that DoS and flooding attacks may disable IoT devices.
• Can data be manipulated deliberately to obstruct or mislead justice in a court of law? We have discussed this issue in the previous section; it needs more attention from the security community.
• Is it possible to sniff the hub and sensors? In our experimental set-up, we were able to derive device identity (specifically, the MAC address of the Hub) by observing network packets. Copos et al. [12] provide an example of how sniffing can lead to a major security breach.
17. Limitations
• Data is collected only from smart home devices
• The forensic model proposed here has not been implemented, deployed, and tested
• We assume implementation of the model will be scalable for the fast-growing number of devices, which may not be true
• Our findings depend on data collected from one type of device. Perhaps different kinds of devices would produce more consistent results.
18. Future work
• A more generic scenario with multiple types of IoT devices and their data
• In-depth analysis and discussion of the data collected
• Working towards a more robust and mature model for IoT Mobility Forensics
• Privacy of the data
• The reverse question, “given a digital forensics scenario and a forensic model, what useful data can IoT devices collect for us?”
• Focus on one specific question discussed in this paper.