Detailed Information

Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes

Authors
Nkuba, Carlos Kayembe; Kim, Seulbae; Dietrich, Sven; Lee, Heejo
Issue Date
2022
Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
Keywords
Security; Smart homes; Protocols; Testing; Encryption; Fuzzing; Payloads; Smart home security; Z-Wave; Internet of Things; fuzzing; vulnerabilities discovery
Citation
IEEE ACCESS, v.10, pp.1775 - 1789
Indexed
SCIE
SCOPUS
Journal Title
IEEE ACCESS
Volume
10
Start Page
1775
End Page
1789
URI
https://scholar.korea.ac.kr/handle/2021.sw.korea/137600
DOI
10.1109/ACCESS.2021.3138768
ISSN
2169-3536
Abstract
Z-Wave smart home Internet of Things devices are used to save energy, increase comfort, and remotely monitor home activities. In the past, security researchers found Z-Wave device vulnerabilities through reverse engineering, manual audits, and penetration testing. However, they did not fully use fuzzing, which is an automated cost-effective testing technique. Thus, in this paper, we present VFUZZ, a protocol-aware blackbox fuzzing framework for quickly assessing vulnerabilities in Z-Wave devices. VFUZZ assesses the target device capabilities and encryption support to guide seed selection and tests the target for new vulnerability discovery. It uses our field prioritization algorithm (FIPA), which mutates specific Z-Wave frame fields to ensure the validity of the generated test cases. We assessed VFUZZ on a real Z-Wave network consisting of 19 Z-Wave devices ranging from legacy to recent ones, as well as different device types. Our VFUZZ evaluation found 10 distinct security vulnerabilities and seven crashes among the tested devices and yielded six unique common vulnerabilities and exposures (CVE) identifiers related to the Z-Wave chipset.
Files in This Item
There are no files associated with this item.
Appears in
Collections
Graduate School > Department of Computer Science and Engineering > 1. Journal Articles

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.

Related Researcher

Lee, Hee jo
Department of Computer Science