Password Protection

14,000,000 Leading Edge Experts on the ideXlab platform

The Experts below are selected from a list of 2982 Experts worldwide ranked by ideXlab platform

Yossi Oren - One of the best experts on this subject based on the ideXlab platform.

  • Reverse Engineering IoT Devices: Effective Techniques and Methods
    IEEE Internet of Things Journal, 2018
    Co-Authors: Omer Shwartz, Yael Mathov, Michael Bohadana, Yuval Elovici, Yossi Oren
    Abstract:

    Recent Internet of Things (IoT) botnet attacks have called attention to the fact that there are many vulnerable IoT devices connected to the Internet today. Some of these Web-connected devices lack even basic security practices such as strong password authentication. As a consequence, many IoT devices are already infected with malware and many more are vulnerable to exploitation. In this paper we analyze the security level of 16 popular IoT devices. We evaluate several low-cost black-box techniques for reverse engineering these devices, including software and fault injection-based techniques used to bypass password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically add these devices to a botnet. We also discuss how to improve the security of IoT devices without significantly increasing their cost or affecting their usability.

  • Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices
    Smart Card Research and Advanced Applications, 2018
    Co-Authors: Omer Shwartz, Yael Mathov, Michael Bohadana, Yuval Elovici, Yossi Oren
    Abstract:

    With the growth of the Internet of Things, many insecure embedded devices are entering into our homes and businesses. Some of these web-connected devices lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation. In this paper we analyze the practical security level of 16 popular IoT devices from high-end and low-end manufacturers. We present several low-cost black-box techniques for reverse engineering these devices, including software and fault injection based techniques for bypassing password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these devices. We also discuss how to improve the security of IoT devices without significantly increasing their cost.

David Pointcheval - One of the best experts on this subject based on the ideXlab platform.

  • A simple threshold authenticated key exchange from short secrets
    Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2005
    Co-Authors: Michel Abdalla, Olivier Chevassut, Pierre-Alain Fouque, David Pointcheval
    Abstract:

    This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check the identity of the client). The goal in this setting is to achieve both transparency and security for the client. And to achieve these goals, the most appropriate choices seem to be to keep the client’s password private even from the back-end server and use threshold-based cryptography. In this paper, we present the Threshold Password-based Authenticated Key Exchange (GTPAKE) system: GTPAKE uses a pair of public/private keys and, unlike traditional threshold-based constructions, shares only the private key among the servers. The system does not require any certification except during the registration and update of clients’ passwords since clients do not use the public-key to authenticate to the gateway. Clients only need to have their password in hand. In addition to client security, this paper also presents highly-desirable security properties such as server password protection against dishonest gateways and key privacy against curious authentication servers.

  • ASIACRYPT - A simple threshold authenticated key exchange from short secrets
    Lecture Notes in Computer Science, 2005
    Co-Authors: Michel Abdalla, Olivier Chevassut, Pierre-Alain Fouque, David Pointcheval
    Abstract:

    This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check the identity of the client). The goal in this setting is to achieve both transparency and security for the client. And to achieve these goals, the most appropriate choices seem to be to keep the client’s password private even from the back-end server and use threshold-based cryptography. In this paper, we present the Threshold Password-based Authenticated Key Exchange (GTPAKE) system: GTPAKE uses a pair of public/private keys and, unlike traditional threshold-based constructions, shares only the private key among the servers. The system does not require any certification except during the registration and update of clients’ passwords since clients do not use the public-key to authenticate to the gateway. Clients only need to have their password in hand. In addition to client security, this paper also presents highly-desirable security properties such as server password protection against dishonest gateways and key privacy against curious authentication servers.

Varatharaj Mounasamy - One of the best experts on this subject based on the ideXlab platform.

  • “WhatsApp”ening in orthopedic care: a concise report from a 300-bedded tertiary care teaching center
    European Journal of Orthopaedic Surgery & Traumatology, 2015
    Co-Authors: Vishesh Khanna, Senthil Nathan Sambandam, Arif Gul, Varatharaj Mounasamy
    Abstract:

    Smartphones have emerged as essential tools providing assistance in patient care, monitoring, rehabilitation, communication, diagnosis, teaching, research and reference. Among innumerable communication apps, WhatsApp has been widely popular and cost effective. The aim of our study was to report the impact of introduction of a smartphone app “WhatsApp” as an intradepartmental communication tool on (1) awareness of patient-related information, (2) efficiency of the handover process and (3) duration of traditional morning handovers among orthopedic residents in a 300-bedded tertiary care teaching center. Written handovers and paging used for communication at our center led to occasional inefficiencies among residents. Widespread use, low cost, availability and double password protection (phone lock and WhatsApp lock) made WhatsApp’s group conversation feature an ideal tool for intradepartmental patient-related communication. Twenty-five consecutive admissions before and after WhatsApp (BW, AW) were included in the study. Eight orthopedic residents attempted fifty randomly arranged questions based on the twenty-five patients in each study period. A null hypothesis that introduction of WhatsApp group would neither increase the awareness of patient-related information nor improve the efficiency of the handovers among residents was assumed. A significant improvement observed in scores obtained by residents in the AW group led to rejection of the null hypothesis. The residents also reported swifter and efficient handovers after the introduction of WhatsApp. Our results indicate that the introduction of a smartphone app “WhatsApp” as an intradepartmental communication tool can bring about an improvement in patient-related awareness, communication and handovers among orthopedic residents.

  • “WhatsApp”ening in orthopedic care: a concise report from a 300-bedded tertiary care teaching center
    European Journal of Orthopaedic Surgery and Traumatology, 2015
    Co-Authors: Vishesh Khanna, Senthil Nathan Sambandam, Varatharaj Mounasamy
    Abstract:

    Smartphones have emerged as essential tools providing assistance in patient care, monitoring, rehabilitation, communication, diagnosis, teaching, research and reference. Among innumerable communication apps, WhatsApp has been widely popular and cost effective. The aim of our study was to report the impact of introduction of a smartphone app “WhatsApp” as an intradepartmental communication tool on (1) awareness of patient-related information, (2) efficiency of the handover process and (3) duration of traditional morning handovers among orthopedic residents in a 300-bedded tertiary care teaching center. Written handovers and paging used for communication at our center led to occasional inefficiencies among residents. Widespread use, low cost, availability and double password protection (phone lock and WhatsApp lock) made WhatsApp’s group conversation feature an ideal tool for intradepartmental patient-related communication. Twenty-five consecutive admissions before and after WhatsApp (BW, AW) were included in the study. Eight orthopedic residents attempted fifty randomly arranged questions based on the twenty-five patients in each study period. A null hypothesis that introduction of WhatsApp group would neither increase the awareness of patient-related information nor improve the efficiency of the handovers among residents was assumed. A significant improvement observed in scores obtained by residents in the AW group led to rejection of the null hypothesis. The residents also reported swifter and efficient handovers after the introduction of WhatsApp. Our results indicate that the introduction of a smartphone app “WhatsApp” as an intradepartmental communication tool can bring about an improvement in patient-related awareness, communication and handovers among orthopedic residents.

Omer Shwartz - One of the best experts on this subject based on the ideXlab platform.

  • Reverse Engineering IoT Devices: Effective Techniques and Methods
    IEEE Internet of Things Journal, 2018
    Co-Authors: Omer Shwartz, Yael Mathov, Michael Bohadana, Yuval Elovici, Yossi Oren
    Abstract:

    Recent Internet of Things (IoT) botnet attacks have called attention to the fact that there are many vulnerable IoT devices connected to the Internet today. Some of these Web-connected devices lack even basic security practices such as strong password authentication. As a consequence, many IoT devices are already infected with malware and many more are vulnerable to exploitation. In this paper we analyze the security level of 16 popular IoT devices. We evaluate several low-cost black-box techniques for reverse engineering these devices, including software and fault injection-based techniques used to bypass password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically add these devices to a botnet. We also discuss how to improve the security of IoT devices without significantly increasing their cost or affecting their usability.

  • Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices
    Smart Card Research and Advanced Applications, 2018
    Co-Authors: Omer Shwartz, Yael Mathov, Michael Bohadana, Yuval Elovici, Yossi Oren
    Abstract:

    With the growth of the Internet of Things, many insecure embedded devices are entering into our homes and businesses. Some of these web-connected devices lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation. In this paper we analyze the practical security level of 16 popular IoT devices from high-end and low-end manufacturers. We present several low-cost black-box techniques for reverse engineering these devices, including software and fault injection based techniques for bypassing password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these devices. We also discuss how to improve the security of IoT devices without significantly increasing their cost.

Michel Abdalla - One of the best experts on this subject based on the ideXlab platform.

  • A simple threshold authenticated key exchange from short secrets
    Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2005
    Co-Authors: Michel Abdalla, Olivier Chevassut, Pierre-Alain Fouque, David Pointcheval
    Abstract:

    This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check the identity of the client). The goal in this setting is to achieve both transparency and security for the client. And to achieve these goals, the most appropriate choices seem to be to keep the client’s password private even from the back-end server and use threshold-based cryptography. In this paper, we present the Threshold Password-based Authenticated Key Exchange (GTPAKE) system: GTPAKE uses a pair of public/private keys and, unlike traditional threshold-based constructions, shares only the private key among the servers. The system does not require any certification except during the registration and update of clients’ passwords since clients do not use the public-key to authenticate to the gateway. Clients only need to have their password in hand. In addition to client security, this paper also presents highly-desirable security properties such as server password protection against dishonest gateways and key privacy against curious authentication servers.

  • ASIACRYPT - A simple threshold authenticated key exchange from short secrets
    Lecture Notes in Computer Science, 2005
    Co-Authors: Michel Abdalla, Olivier Chevassut, Pierre-Alain Fouque, David Pointcheval
    Abstract:

    This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check the identity of the client). The goal in this setting is to achieve both transparency and security for the client. And to achieve these goals, the most appropriate choices seem to be to keep the client’s password private even from the back-end server and use threshold-based cryptography. In this paper, we present the Threshold Password-based Authenticated Key Exchange (GTPAKE) system: GTPAKE uses a pair of public/private keys and, unlike traditional threshold-based constructions, shares only the private key among the servers. The system does not require any certification except during the registration and update of clients’ passwords since clients do not use the public-key to authenticate to the gateway. Clients only need to have their password in hand. In addition to client security, this paper also presents highly-desirable security properties such as server password protection against dishonest gateways and key privacy against curious authentication servers.