Vulnerability Analysis: Protecting Information in the IoT

Cusack, B
Zhuang, F
Item type
Conference Contribution
Degree name
Journal Title
Journal ISSN
Volume Title
Edith Cowan University (ECU)

The research was designed to study IoT security vulnerabilities and how to better protect IoT communications. By researching the system a Fitbit uses for communications, this research analyzes and reveals security defects in the IoT architecture. The research first uses a man-in the middle (MITM) attack to intercept and analyze the Fitbit system traffic to identify security weakness. Then uses a replay attack to further validate these flaws. Finally, countermeasures against these security threats are proposed. The research findings show the Fitbit’s IoT communication architecture has serious information security risks. Firstly, the Fitbit tested does not encrypt the raw data between the mobile app and Fitbit servers. It uses HTTPS to secure communication between the mobile phone and the Fitbit servers. Once HTTPS is broken, all raw data can be read and tampered with. Secondly, Fitbit uses Base64 credentials to associate the Fitbit tracker, and Fitbit app with the Fitbit user account. Base64 can be easily broken on the Internet or using other tools. Attackers can generate fake Base64 credentials to hack a user account. According to the experimental results from the study, the IoT should secure every node in its architecture. It is also necessary to encrypt the raw data and not just rely on HTTPS. It is recommended to replace the Base64 algorithm with AES and hashing.

Cusack, B., & Zhuang, F. (2018). Vulnerability analysis: protecting information in the IoT. In proceedings of the 16th Australian Information Security Management Conference (pp. 74-82). Perth, Australia: Edith Cowan University. This Conference Proceeding is posted at Research Online.
Rights statement
As part of the deposit process, the author or creator agrees to grant Edith Cowan University necessary non-exclusive rights to make the material available permanently online, at no charge and with no access restrictions, and the right to alter the format of deposited work, if deemed necessary for preservation and enduring accessibility.