Smart Bathtub Vulnerabilities and Remote Control Risks

Slide Note
Embed
Share

Explore the risks associated with a remote-controlled bathtub controlled via a smartphone app, including vulnerabilities in controlling water flow, water level sensing, and potential overflow scenarios. Learn how attackers could manipulate signals wirelessly and the likelihood of causing the bathtub to overflow based on compromised system links.

eng_oam
eng_oam Follow

Uploaded on Oct 02, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Modeling a remote-controlled bathtub and identifying vulnerabilities Roger L. Costello August 29, 2018

  2. Smartphone app controls bathtub Using a Smartphone app you can control the water into and out of the bathtub, so the bath will be all ready for you when you get home.

  3. App controls water valve and drain Electronic devices in the water valve and in the drain enable the app to (wirelessly) control the flow of water into and out of the bathtub.

  4. App receives water level sensor data Water level sensor A water level sensor on the bathtub transmits these water level values: {empty, LL, L, M1, M2, H, HH, OF} OF = OverFlow

  5. Behavior of the bathtub system When the water valve is turned on and the drain is closed, the water level in the tub increases. When the water valve is turned off and the drain is open, the water level in the tub decreases. When the water valve is turned on and the drain is open, the water level in the tub remains the same. When the water valve is turned off and the drain is closed, the water level in the tub remains the same.

  6. Alarm goes off if An alarm goes off on the app if the water in the tub is about to overflow. The bathtub is overflowing when the water level = OF for 3 consecutive time steps.

  7. Attacker capabilities The smartphone app interacts with the bathtub system wirelessly. An attacker is able to intercept and replace signals sent between the smartphone app and the bathtub system.

  8. Can an attacker cause the tub to overflow? An attacker wants to cause the tub to overflow. Note that the fewer things that the attacker has the compromise, the more likely the attack. For example, if the attacker has to compromise the link to the water valve and the link to the drain and the link from the water level sensor, then that greatly reduces the likelihood of an attack than if, say, the attacker just needs to compromise the water level sensor.

  9. Alloy Analyzer searches for vulnerabilities I created an Alloy model of the system and had the Alloy Analyzer explore all possible attack configurations and enumerate ones that lead into an unsafe state, i.e., a configuration which results in the bathtub overflowing. The Analyzer found multiple ways that an attacker can cause the bathtub to overflow. The simplest way (for the attacker) is to compromise the data transmissions from the water level sensor to the app.

  10. App receives water level data from attacker Water level sensor X water level Attacker

  11. The app thinks everything is fine App Bathtub Time Valve Level Drain Time Valve Level Drain Time0 Off empty Open Time0 Off empty Open Time1 On empty Closed Time1 On empty Closed Time2 On LL Closed Time2 On LL Closed Time3 On L Closed Time3 On L Closed Time4 On M1 Closed Time4 On M1 Closed Time5 On M2 Closed Time5 On M1 Closed Time6 On H Closed Time6 On M1 Closed Time7 On HH Closed Time7 On M1 Closed Time8 On OF Closed Time8 On M1 Closes Time9 On OF Closed Time9 On M1 Closed Time10 On OF Closed Time10 On M1 Closed Time11 On OF Closed Time11 On M1 Closed Actual water level, as measured by the water level sensor Water level values sent by attacker Compromised: water level sensor

  12. Alloy Model

  13. One Bathtub, one App onesig Bathtub { valve: WaterValve one -> Time, level: WaterLevel one -> Time, drain: Drain one -> Time } onesig App { valve: WaterValve one -> Time, level: WaterLevel one -> Time, drain: Drain one -> Time }

  14. One value at each time onesig Bathtub { valve: WaterValve one -> Time, level: WaterLevel one -> Time, drain: Drain one -> Time } onesig App { valve: WaterValve one -> Time, level: WaterLevel one -> Time, drain: Drain one -> Time } At each time step the bathtub has exactly one WaterValve value, one WaterLevel value, and one Drain value. Ditto for the App.

  15. Enumerate the allowable values enum Drain {Open, Closed} enum WaterValve {On, Off} enum WaterLevel {empty, LL, L, M1, M2, H, HH, OF}

  16. App tells the water valve to turn on/off The App determines whether the water valve should be on or off. So, Bathtub.valve equals App.valve, if the connection is not compromised (more precisely, if the water valve actuator is not compromised).

  17. Enumerate the devices that might be compromised enum Device {DrainActuator, WaterValveActuator, WaterLevelSensor} sig Compromised in Device {}

  18. Threat model A threat model describes a set of actions that an attacker may perform in an attempt to compromise a security property of a system. Building a threat model is an important step in any secure system design; it allows us to identify (possibly invalid) assumptions that we have about the system and its environment and prioritize different types of risks that need to be mitigated. Acknowledgement: Eunsuk Kang

  19. App tells the drain to open/close The App determines whether the drain should be open or closed. So, Bathtub.drain equals App.drain, if the connection is not compromised (more precisely, if the drain actuator is not compromised).

  20. Behavior of the bathtub system Bathtub.valve equals App.valve, if the WaterValveActuator is not compromised. Bathtub.drain equals App.drain, if the DrainActuator is not compromised. When the water valve is turned on and the drain is closed, the water level in the tub increases. When the water valve is turned off and the drain is open, the water level in the tub decreases. When the water valve is turned on and the drain is open, the water level in the tub remains the same. When the water valve is turned off and the drain is closed, the water level in the tub remains the same.

  21. onesig Bathtub { valve: WaterValve one -> Time, level: WaterLevel one -> Time, drain: Drain one -> Time }{ all t : Time { -- If the data packets controlling the water valve actuator are not compromised, -- then the bathtub's water valve is the value provided by the App. (WaterValveActuator notin Compromised) implies valve.t = App.valve.t -- If the data packets controlling the drain actuator are not compromised, -- then the bathtub's drain is the value provided by the App. (DrainActuator notin Compromised) implies drain.t = App.drain.t } -- However the water valve and drain obtain their values (via the App or via an attacker), -- the bathtub's water level is determined by their settings. all t : Time - last | let t' = t.next { (valve.t = On and drain.t = Open) implies (level.t' = level.t) (valve.t = Off and drain.t = Closed) implies (level.t' = level.t) (valve.t = On and drain.t = Closed) implies (level.t' = increaseLevel[level.t]) (valve.t = Off and drain.t = Open) implies (level.t' = decreaseLevel[level.t]) } }

  22. App receives water level data from sensor Water level sensor The App receives data from the water level sensor. So, App.level equals Bathtub.level, if the connection is not compromised (more precisely, if the water level sensor is not compromised).

  23. App sends on command when Water level sensor Send an on command when the App s water level value indicates a low level or when the valve is already on and the water level is not high.

  24. Behavior of the App At each time step, the App s water level reading equals the bathtub s water level, provided WaterLevelSensor is not compromised. If WaterLevelSensor is compromised, then the App still receives a water level value, but the value comes from the attacker, not the bathtub. Send an valve on command when the level reading is empty, LL, or L. If the valve is already on, then leave it on provided the level is not H, HH, or OF. To send a valve on command simply means set App.valve equal to on . We abstract away the operations of sending/receiving wireless packets. Send a valve off command when the level reading is H, HH, or OF. If the drain is already off, then leave it off provided the level is not empty, LL, or L. Continued

  25. Behavior of the App (cont.) Send an open drain command when the level reading is H, HH, or OF. If the drain is already open, then leave it open provided the level is not empty, LL, or L. Send a close drain command when the level reading is empty, LL, or L. If the drain is already closed, then leave it closed provided the level is not H, HH, or OF.

  26. onesig App { valve: WaterValve one -> Time, level: WaterLevel one -> Time, drain: Drain one -> Time }{ all t : Time { -- If the data packets from the bathtub's water level sensor are not compromised, -- then the app's water level reading is the value provided by the Bathtub. (WaterLevelSensor notin Compromised) implies level.t = Bathtub.level.t } all t : Time - last | let t' = t.next { drain.t' = Open iff ( (drain.t = Open andnot (level.t in (empty + LL + L))) or level.t in (H + HH + OF) ) drain.t' = Closed iff ( (drain.t = Closed andnot (level.t in (H + HH + OF))) or level.t in (empty + LL + L) ) valve.t' = On iff ( (valve.t = On andnot (level.t in (H + HH + OF))) or level.t in (empty + LL + L) ) valve.t' = Off iff ( (valve.t = Off andnot (level.t in (empty + LL + L))) or level.t in (H + HH + OF) ) } }

  27. Overflow alarm raised when water level = OF Water level sensor The App raises an overflow alarm at time t if the App s water level reading value is OF (OverFlow) at time t. Of course, an attacker wants to avoid the alarm being raised, so he will manipulate the signals such that the App never gets into an overflow condition.

  28. Declare Alarm abstractsig Alarm { raised: Time } sig Overflow extends Alarm {}

  29. Condition for generating alarm fact { // if the water level reads OF, raise the overflow alarm all t : Time | App.level.t = OF impliessome Overflow & raised.t elseno Overflow & raised.t }

  30. Initial state of App and bathtub fact init { no Alarm & raised.first App.valve.first = Off App.drain.first = Open Bathtub.level.first = empty }

  31. onesig Bathtub { valve: WaterValve one -> Time, level: WaterLevel one -> Time, drain: Drain one -> Time }{ all t : Time { -- If the data packets controlling the water valve actuator are not compromised, -- then the bathtub's water valve is the value provided by the App. (WaterValveActuator notin Compromised) implies valve.t = App.valve.t How to define these? -- If the data packets controlling the drain actuator are not compromised, -- then the bathtub's drain is the value provided by the App. (DrainActuator notin Compromised) implies drain.t = App.drain.t } -- However the water valve and drain obtain their values (via the App or via an attacker), -- the bathtub's water level is determined by their settings. all t : Time - last | let t' = t.next { (valve.t = On and drain.t = Open) implies (level.t' = level.t) (valve.t = Off and drain.t = Closed) implies (level.t' = level.t) (valve.t = On and drain.t = Closed) implies (level.t' = increaseLevel[level.t]) (valve.t = Off and drain.t = Open) implies (level.t' = decreaseLevel[level.t]) } }

  32. -- step function that takes a water level and returns the next higher one fun increaseLevel : WaterLevel -> WaterLevel { levelOrder + OF -> OF } -- step function that takes a water level and returns the next lower one fun decreaseLevel : WaterLevel -> WaterLevel { ~levelOrder + empty -> empty } -- total ordering on the water levels: empty, LL, L, M1, M2, H, HH, OF fun levelOrder : WaterLevel -> WaterLevel { empty -> LL + LL -> L + L -> M1 + M1 -> M2 + M2 -> H + H -> HH + HH -> OF } Acknowledgement: Eunsuk Kang

  33. 3 consecutive time steps with level = OF // Bathtub overflows if the water level is OF for 3 times // and no alarm is raised pred overflow[t : Time] { let t0 = t.prev.prev, t1 = t.prev, t2 = t { some t0 andsome t1 andsome t2 Bathtub.level.(t0 + t1 + t2) = OF and no Overflow & raised.(t0 + t1 + t2) } }

  34. Run the Alloy Analyzer run generateOverflowAttack { #Compromised <= 1 some t : Time | overflow[t] } for 1 but 12 Time, 12 Alarm

  35. Bathtub overflows! App Bathtub Time Valve Level Drain Time Valve Level Drain Time0 Off empty Open Time0 Off empty Open Time1 On empty Closed Time1 On empty Closed Time2 On LL Closed Time2 On LL Closed Time3 On L Closed Time3 On L Closed Time4 On M1 Closed Time4 On M1 Closed Time5 On M2 Closed Time5 On M1 Closed Time6 On H Closed Time6 On M1 Closed Time7 On HH Closed Time7 On M1 Closed Time8 On OF Closed Time8 On M1 Closes Time9 On OF Closed Time9 On M1 Closed Time10 On OF Closed Time10 On M1 Closed Time11 On OF Closed Time11 On M1 Closed Compromised: water level sensor

  36. Filling up and draining a bathtub is analogous to filling up and draining a water tank at a water treatment plant Raw Water Motorized Valve Raw Water Tank other stuff Pump

  37. Water treatment plant

  38. Check out this paper

Related


Understanding Systems Thinking: Concepts Illustrated with a Bathtub Example

Understanding Systems Thinking: Concepts Illustrated with a Bathtub Example

killgore_l
Security Analysis of Networked Control Systems in Smart Vehicles

Security Analysis of Networked Control Systems in Smart Vehicles

mcdermitt_l
Software Security Principles and Practices: Enhancing Program Code Security

Software Security Principles and Practices: Enhancing Program Code Security

abcde
Understanding Programming Language Vulnerabilities and ISO/IEC/SC22/WG23

Understanding Programming Language Vulnerabilities and ISO/IEC/SC22/WG23

ely_wi
Progress on Selected Smart Cities in South Africa

Progress on Selected Smart Cities in South Africa

keilani
Cybersecurity Risks for Remote CISTAR Facilities Study

Cybersecurity Risks for Remote CISTAR Facilities Study

regulus
Understanding Computer Security and Software Vulnerabilities

Understanding Computer Security and Software Vulnerabilities

chriss
Understanding Network Security Vulnerabilities and Attacks

Understanding Network Security Vulnerabilities and Attacks

leyo_5
Understanding Security Threats and Vulnerabilities in Computer Systems

Understanding Security Threats and Vulnerabilities in Computer Systems

nathanlo
Understanding Control Plans in Process Management

Understanding Control Plans in Process Management

iga
Understanding the Importance of OWASP Dependency-Check Project

Understanding the Importance of OWASP Dependency-Check Project

gwilk
Understanding Web Application Vulnerabilities in Information Warfare

Understanding Web Application Vulnerabilities in Information Warfare

vanvliet_h
Addressing 5G Signaling Protocol Vulnerabilities

Addressing 5G Signaling Protocol Vulnerabilities

lyon
Analysis of file:// Vulnerabilities in Android Browser Apps

Analysis of file:// Vulnerabilities in Android Browser Apps

coto_ch
Understanding Vulnerabilities of Individuals with Autism in Disciplinary Hearings and Employment Tribunals

Understanding Vulnerabilities of Individuals with Autism in Disciplinary Hearings and Employment Tribunals

manu
Understanding Marketing Control and Its Importance in Business

Understanding Marketing Control and Its Importance in Business

rebekah
Password Cracking Techniques and Remote Desktop Access Setup

Password Cracking Techniques and Remote Desktop Access Setup

wmck
Understanding Form-Based File Upload Vulnerabilities

Understanding Form-Based File Upload Vulnerabilities

akush
Revolutionizing Home Energy Consumption with Smart Grid Solutions

Revolutionizing Home Energy Consumption with Smart Grid Solutions

fara_man
Exploring Smart City Solutions and Applications

Exploring Smart City Solutions and Applications

deen
Smart Homes Infrastructure Pvt. Ltd. - Developing Affordable Housing Projects in India

Smart Homes Infrastructure Pvt. Ltd. - Developing Affordable Housing Projects in India

alexeyde
Data Disaggregation Taskforce: Assessment and Recommendations on Vulnerabilities

Data Disaggregation Taskforce: Assessment and Recommendations on Vulnerabilities

kaja_886
Understanding Spectre and Meltdown Security Vulnerabilities

Understanding Spectre and Meltdown Security Vulnerabilities

mcsherry_k
Overview of Global Farmed Salmon and Organic Production

Overview of Global Farmed Salmon and Organic Production

xing_igo

More Related Content

Understanding Cloud Security Threats and Vulnerabilities
Understanding Cloud Security Threats and Vulnerabilities
Enhancing Worker Productivity with Atheer AiR Glasses
Enhancing Worker Productivity with Atheer AiR Glasses
Server-Side Technologies and Security Vulnerabilities in Mobile Services
Server-Side Technologies and Security Vulnerabilities in Mobile Services
Remote Exam Administration and Support Information
Remote Exam Administration and Support Information
Understanding Buffer Overflow Vulnerabilities in Programming
Understanding Buffer Overflow Vulnerabilities in Programming
Automated Detection of SSL Vulnerabilities in Applications
Automated Detection of SSL Vulnerabilities in Applications
Understanding Blockchain Vulnerabilities to Quantum Attacks
Understanding Blockchain Vulnerabilities to Quantum Attacks
Understanding Remote Sensing Sensor Resolutions & Colour Composite
Understanding Remote Sensing Sensor Resolutions & Colour Composite
Remote Diagnostic Assessment Explained by Clinical Neuropsychologist
Remote Diagnostic Assessment Explained by Clinical Neuropsychologist
Remote Informed Consent Process for Research Studies
Remote Informed Consent Process for Research Studies
Windows Security Overview and Best Practices
Windows Security Overview and Best Practices
Proflame System Connectivity and Functionality Overview
Proflame System Connectivity and Functionality Overview
Remote Sensing for Blue Whale Conservation: Enhancing Maritime Policy
Remote Sensing for Blue Whale Conservation: Enhancing Maritime Policy
Understanding Artificial Intelligence Risks in Short and Long Term
Understanding Artificial Intelligence Risks in Short and Long Term
Smart Energy and Autonomous Vehicles Pilot Projects in Helsinki and Tallinn
Smart Energy and Autonomous Vehicles Pilot Projects in Helsinki and Tallinn
Spectral and Radiometric Considerations for Government Remote Sensing Instruments
Spectral and Radiometric Considerations for Government Remote Sensing Instruments
The Importance of Asset Stock Accumulation for Sustainable Competitive Advantage
The Importance of Asset Stock Accumulation for Sustainable Competitive Advantage
Understanding Customary Units of Capacity
Understanding Customary Units of Capacity
Payment Card Industry (PCI) Awareness Training Overview
Payment Card Industry (PCI) Awareness Training Overview
Understanding Wireless Network Threats and Vulnerabilities
Understanding Wireless Network Threats and Vulnerabilities
Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security
Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security
Understanding Complex Needs of Children in Justice System
Understanding Complex Needs of Children in Justice System
Impact of COVID-19 on Older Adults: Vulnerabilities and Management
Impact of COVID-19 on Older Adults: Vulnerabilities and Management
Understanding Software Weaknesses and Exploits
Understanding Software Weaknesses and Exploits