
Hello, good afternoon. My name is Christina Scurrotti and together with my colleague, Chema Fernandez, we're going to show you this presentation, which is called "Convincing my smart lock that it's really me". So we are actually going to present to you the validation of security measures in IoT mobile applications. Let me tell you a little bit about the structure.

Okay, I will start with the basics. First, a little bit about who we are and what we do, and then how this project all started. Then some basic information about authentication mechanisms in IoT mobile applications, then the methodology that we followed to do the experimental validation of these mobile applications, then the results and the tool that came out of this effort, and a demo (not a live demo; we have a video for you) of this tool that we have written, and then the conclusions of this research.

To continue with this, I will start with who we are and what we do. We are ENISA, the European Union Cybersecurity Agency, for those that don't know it. We have activities that focus on raising awareness and reinforcing the cybersecurity culture, and we divide our activities into three main categories. First, we do capacity building. What do we do with that? We do hands-on trainings. We deliver the pan-European cyber exercise, Cyber Europe. Most of you must know it; you have participated as well, I see some people here. And we also collaborate closely with the CSIRT community. What else do we do? We support the Member States and the European Commission to facilitate policy implementation. So we support and facilitate the implementation of the NIS Directive in the Member States, and also other directives and regulations that come out of the European Commission. Last but not least, we also develop expertise, and what we do exactly is that we draft studies with good practices and security recommendations on many key areas: critical infrastructures, privacy enhancing technologies, many key areas that are pertinent to cybersecurity.

Diving a little bit deeper, you will see that we are focusing on IoT security and we have some activities there. This year, we are doing a study to draft some good practices on Industry 4.0. This is an ongoing project, which is actually a continuation of a very successful product and study that we had last year, the baseline IoT security recommendations. This is a study that we did last year, and we had as input more than 150 sources from many companies and many stakeholders that are dealing with the IoT security topic in this specific area. So we came up with some security recommendations, some security measures that I'm going to show you in the next slide. And I have to say that this was actually a continuation of the efforts that we started in 2014 to 2015 on smart infrastructures, where we have a variety of studies covering smart cars, smart hospitals, smart airports, smart hotels, smart bridges, etc.

To continue with the security measures that we have from last year, you can see that we have around 80, I think it was around 80, security measures for IoT security, covered in a horizontal manner, in three main categories: policies; organizational, people and processes; and technical. At this point we saw that there were many technical recommendations, and challenges, and recommendations that we had to cover these challenges, that were focusing on many different topics. One of them was authentication, and this was actually a topic that triggered our interest, especially because we see many news items around this topic, about smart locks getting hacked either due to insufficient authentication or due to insecure communication protocols, unencrypted communication, et cetera. So around one year ago a trainee came to ENISA, Chema, who's going to take over in a bit, who wanted to do something technical and to deep dive into IoT security. So we said that's the perfect combination: start with a topic which is really of interest, which we find faces security challenges, and why don't we give Chema this study on IoT mobile authentication mechanisms to do. So this is how it all started.
And Chema will take over here to start with the research questions that she had to initiate on this project.

Okay. Thank you, Christina. I'm Chema and I'm an ex-trainee of ENISA; my traineeship ended very recently. So as she has explained already, I wanted to tackle the authentication topic in IoT. A lot of reference bodies, among them ENISA, issue a lot of recommendations, high-level guidelines on how to secure the IoT, and specifically, of my interest, mobile applications. But are these good practices actually applicable to the real world, let's say? Can we go from high-level guidelines to low-level implementation, actual security? So the research questions were: are good practices for IoT security used in practice? Are they actually useful? Can we translate from high level to secure code development? And can we automate this?

So, as a brief introduction, as Christina already said, authentication has been identified widely as a main gap in securing the IoT environment. And this is because authentication interactions happen all over the environment, as we can see. By the way, this model has been based on the IoT high-level reference model in the study that Christina mentioned before, the baseline security recommendations. So, authentication interactions happen all over the environment, but because of time and resource constraints (I was a trainee for one year only) I had to focus, so I decided to focus on the smartphones, because they are an intermediary for the users towards the rest of the environment. By means of mobile applications they can interact; those are the interfaces by which they can actually interact with the environment.

So that's what we did, and for that we developed a methodology, which is actually an instrument to evaluate implementations of, in this case, authentication measures in IoT mobile applications, but it can be generalized and you can look for security measures of any kind in any kind of mobile application. It has two different parts and we're going to go a little bit through them in the next slides.

Okay, the first one is the mapping. As I said before, I was wondering whether high-level recommendations could be instantiated into code elements to search for in the mobile applications. So for example, in 2016 ENISA developed the Smartphone Secure Development Guidelines. From there, we can select the guidelines we want to check, in our case authentication guidance. We select the target protocol we want to investigate; in our case it's going to be authentication protocols, we'll see them later. And we look for specific features that cover the security measure we want to evaluate in the mobile applications. The next step is to go from protocol features to how they're actually implemented in a specific language; in our case it's going to be Java for Android, because we had to instantiate it. So this is the mapping: we go from high-level guidance to actual code implementation.

The next part of the methodology is the application analysis. Once we have the code elements that we want to find in the mobile applications, we build a strategy on how to find them in the code (we will see that in the example). Then we analyze a set of mobile applications and we get the results. Actually we get an HTML report, some statistics, so we can show it to management, for example; that's what they care about. So this is it; we're going to see this in practice now.

We validated this methodology. For that, first we did background research on what was out there, which authentication protocols were being used, and how they could fit in the IoT world. The main issues the protocols had to deal with were the amount and heterogeneity of IoT devices, their constraints in terms of resources and capability, and their changes in location and time. So after the research, these are more or less some of the most used protocols, in general and specifically some of them in the IoT. We have both the application and the communication layer. The communication layer ones are not authentication specific, but they have features that cover the authentication part. And again, because of time and resource constraints, we focused on two of them, one of each layer, and we evaluated their implementation in IoT mobile applications. And I'm going to walk you through this.

So the first one. Okay, first of all, I didn't say that I'm Spanish, so I have some, let's say, pronunciation issues. This is how you pronounce this protocol, whatever; if you hear me say "whatever", you know what I mean now. According to Google Translate, that's the British pronunciation. Anyway, the combination of these two protocols, OAuth 2.0 and OpenID Connect, is the most used standard for secure delegated access. And this is because it provides two different services. First the authentication one, by OpenID Connect, which first identifies and verifies the identity of the users by means of an identity token. And then OAuth 2.0 verifies which access rights this user has; that's the authorization part. So together, they work like this.

The first three steps of the methodology are here, and the output of these first three steps, the mapping, is this table. This is just a part of it; it's way more extensive, but just as an example to show you how it would look. For example, if we take this measure, which is "secure the tokens in transit", we want to find a feature in the protocol; for example, there's one thing called Proof Key for Code Exchange, PKCE, "pixie" as they commonly refer to it. It's the feature that partially covers securing tokens in transit. And if we want to implement it specifically in Android, it would be by two parameters, code challenge and code verifier. So that's what we will be looking for in the code.

Once we have this mapping, we go to the analysis part. For this combination of protocols, we had an initial sample of 325 IoT Android mobile applications. We considered it a sufficient sample to get some relevant results. And the thing is that we got very, let's say, poor results, in the sense that, for example, in the example I was giving before, the code verifier and the code challenge only appeared once together in the same application, which means it's not done properly. And we got more results. So to sum it up, we interpreted them as: when mobile applications want to perform authentication, they delegate these processes, the authentication and authorization, to well-established and big authentication services, so they don't have to deal with it themselves. Either that, or if they do it themselves, there's a diversity of implementations of these measures, mainly because there's no reference API for developers. So this is more or less what we found.

And yes, the next protocol we investigated was BLE, Bluetooth Low Energy, which is one of the most used protocols for communication between IoT devices. And it has a very interesting feature, which is the pairing. I'm sure all of you have heard about this. It has different versions and types of pairing depending on the version of the protocol and also the characteristics of the device. I'm not going to go through them; I'm just going to say that we evaluated just this legacy pairing, in BLE 4.0 and 4.1. And these are the limits of our world, let's say.

Okay, the same as before, we get the output, the table and the mapping of the guidelines, the features of the protocol and the code search that we want to do. I'm not going to go further on this, but what I decided is more interesting here is that, before, as I said, we could map one code search to one security measure directly, but sometimes you need to do some pre-checks, let's call them that, to actually get to a conclusion. For example, if you have implemented a method; if you haven't, okay, maybe it's out of scope or this measure is not implemented. But if they actually have another parameter, maybe it's better implemented, or worse. So we built this, let's say, decision tree with the searches to get more information out of the analysis.

To show you more clearly, these are the results of the analysis we had, which means we analyzed a total of more or less a thousand applications for this. Half of them were using the GATT profile, which means that they're using BLE. And the most relevant results were that only three of them were implementing the passkey method properly, which means that you actually need the interaction of the user to validate a PIN or whatever, to verify that they're connected. And more interestingly, 275, a lot of them, were communicating without even requesting the pairing; not talking about which PIN, no, not even requesting it. So we interpreted this as: a limited number of applications were actually implementing the pairing process in a complete, secure and verifiable way, and there actually exist devices that communicate without previous secure pairing. So this is it for the analysis.

Now we wanted to present one tool that we developed, because to do this analysis, to get some relevant results, we have to analyze a lot of applications, so we wanted to do this in an automated way. So we developed this analysis tool. At the beginning, it was just a Linux bash script. It was fit for purpose, and it did only what I needed, but to make it more interoperable and more complete, we coded it in Python. What it does, basically, is it gets the third column of the mapping that we had before, the security measures, and the set of applications we want to analyze. It parses them and you get as output which applications are vulnerable, which are not implementing the security measures. And actually an HTML report, very nice, that gives you some statistics along with it. I have to say that, as well as the methodology, we instantiated it for authentication measures in IoT mobile applications, but it actually can be used to look for any security measures in any kind of mobile application. And
that's it. Now we have a demo; we actually have a video, right? Ah, it's in the next slide. To show you how this tool works. Christina, if you want to come.

So, yes, this is a demo of the application that we have created in Python. What you will see here is that we run it actually on Windows. And this is because we use the very popular apktool to decompile the APKs of the IoT mobile applications. So what we do here, we can do on every platform. This is Windows, and we start the application, giving the analysis as a parameter. We can either decode only the APKs or analyze them with the methodology that Chema just described. So here we show the absolute path of the sample of APKs that we have, just for the purpose of the demo. Here we have a sample of five APKs, and we now feed in the folder where they are located, and the application is slowly, slowly decompiling them. This is a relatively slow process, let's say; if you have used apktool, you might know that. What we actually do is that we don't get the Java source code of the APKs, but we get the smali code, as Chema said before. So here you see that we have just initiated the decoding, the decompiling, sorry, process, and it takes a while. So we do that for these five APKs, and as soon as we finish with the decompilation, then we can use the application to either search for the BLE API calls that we have spotted as being used as security measures for pairing etc., or for any other API calls that we want. Here we just have input "space", because with the space we feed the BLE API calls to the application to search for; we could also look for any API call that we want, that we would like to see in a mobile application, and that we consider a security measure for, I don't know, secure authentication, secure communication, anything else. After that, we see that we have the analysis, and here we get some statistics in an HTML report. We see a pie chart. We see that four out of the five applications are using BLE, and some of them are using specific API calls that we have defined for the BLE protocol. As a result, we will also see a pie chart which is more interesting, down here. Here we see the logic from the methodology that Chema just described, applied in this file check. So we see that three, sorry, two applications don't pair, one implements "just works", which means that it pairs with the default PIN, and one of them requires a passkey to actually do the pairing in Bluetooth. So that's it with the demo.

Let's move forward to the conclusions. So just to wrap up briefly, we presented here a methodology that can be used as a how-to guideline for security implementation or evaluation in mobile applications, because it helps you to go from high-level recommendations or guidelines to specific source code implementations, and to evaluate a set of mobile applications. With this methodology, when we applied it, we found that the implementation of authentication in IoT mobile applications is fragmented and occasionally even overlooked. And what we think could help would be the creation of reference APIs with actual examples on how to securely code or implement security in IoT mobile applications, because it would be very useful for developers and for whoever has to evaluate the security of the applications. And just as future work, we have a repository on GitHub with the tool we created, so people can enhance it and collaborate and make it better, as GitHub allows us. And that's it, anything else? So thank you very much.
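Added after the end of the transcript, as an illustration of the analysis step the speakers describe (searching decompiled smali for the code elements of a mapping table, applying the BLE pairing decision tree, and producing statistics for a report). This is example code written here, not the speakers' tool or the code in their GitHub repository. The Android method signatures are real smali notation, but which code elements stand for which security measure (the PKCE string literals, `createBond`, `setPin`/`setPairingConfirmation`) and the four sample apps are this example's own assumptions, constructed inline so it runs offline.

```python
"""Offline smali search: measures -> code elements, BLE pairing decision tree, report."""
import re
from collections import Counter

# Assumed mapping (the talk's "third column"): a measure is implemented only if
# every listed code element is found in the app's smali text.
MAPPING = {
    "PKCE parameters present (secure tokens in transit)": [
        r'const-string [vp]\d+, "code_challenge"',
        r'const-string [vp]\d+, "code_verifier"',
    ],
    "BLE pairing requested": [
        r"Landroid/bluetooth/BluetoothDevice;->createBond\(\)Z",
    ],
}
# Assumed pre-check elements for the pairing decision tree.
USES_GATT = r"Landroid/bluetooth/BluetoothGatt;->"
REQUESTS_PAIRING = MAPPING["BLE pairing requested"][0]
HANDLES_PASSKEY = (r"Landroid/bluetooth/BluetoothDevice;->"
                   r"(setPin\(\[B\)Z|setPairingConfirmation\(Z\)Z)")


def measure_implemented(smali: str, elements: list[str]) -> bool:
    # All elements must co-occur: a code_challenge without a code_verifier
    # is the partial PKCE implementation the talk reports as "not done properly".
    return all(re.search(e, smali) for e in elements)


def missing_measures(smali: str) -> list[str]:
    return [m for m, els in MAPPING.items() if not measure_implemented(smali, els)]


def classify_pairing(smali: str) -> str:
    # Decision tree with pre-checks: no GATT use -> out of scope;
    # GATT without createBond -> talks to the device without pairing;
    # createBond alone -> Just Works; createBond plus passkey handling -> passkey.
    if not re.search(USES_GATT, smali):
        return "no BLE"
    if not re.search(REQUESTS_PAIRING, smali):
        return "no pairing"
    if re.search(HANDLES_PASSKEY, smali):
        return "passkey"
    return "just works"


def analyse(apps: dict[str, str]) -> dict[str, dict]:
    """apps maps an app name to the concatenated text of its decompiled smali."""
    return {name: {"pairing": classify_pairing(code), "missing": missing_measures(code)}
            for name, code in apps.items()}


def pairing_stats(results: dict[str, dict]) -> Counter:
    return Counter(r["pairing"] for r in results.values())


def html_report(results: dict[str, dict]) -> str:
    """Minimal HTML summary: per-category counts plus one row per app."""
    summary = "".join(f"<li>{k}: {v}</li>" for k, v in sorted(pairing_stats(results).items()))
    rows = "".join(
        f"<tr><td>{n}</td><td>{r['pairing']}</td><td>{', '.join(r['missing']) or '-'}</td></tr>"
        for n, r in results.items())
    return f"<html><body><ul>{summary}</ul><table>{rows}</table></body></html>"


# Constructed sample smali fragments standing in for apktool output.
SAMPLE_APPS = {
    "lock_a": """
    invoke-virtual {p1}, Landroid/bluetooth/BluetoothGatt;->discoverServices()Z
    invoke-virtual {v1}, Landroid/bluetooth/BluetoothDevice;->createBond()Z
    invoke-virtual {v1, v2}, Landroid/bluetooth/BluetoothDevice;->setPin([B)Z
    """,
    "lock_b": """
    invoke-virtual {p1}, Landroid/bluetooth/BluetoothGatt;->discoverServices()Z
    invoke-virtual {v1}, Landroid/bluetooth/BluetoothDevice;->createBond()Z
    """,
    "lock_c": """
    invoke-virtual {p1}, Landroid/bluetooth/BluetoothGatt;->discoverServices()Z
    invoke-virtual {p1, v0}, Landroid/bluetooth/BluetoothGatt;->writeCharacteristic(Landroid/bluetooth/BluetoothGattCharacteristic;)Z
    """,
    "cloud_login": """
    const-string v3, "code_challenge"
    const-string v4, "S256"
    """,
}

if __name__ == "__main__":
    res = analyse(SAMPLE_APPS)
    print(pairing_stats(res))
    print(html_report(res))
```

On real input, each value in the `apps` dictionary would be the joined contents of every `.smali` file apktool wrote for one APK; the regexes then run over that text exactly as above. The co-occurrence rule in `measure_implemented` is what turns a grep into the talk's finding: a challenge without a verifier is counted as missing, not as half a point.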