TY - JOUR
T1 - SUPnP
T2 - Secure Access and Service Registration for UPnP-Enabled Internet of Things
AU - Kayas, Golam
AU - Hossain, Mahmud
AU - Payton, Jamie
AU - Islam, S. M. Riazul
N1 - Funding Information:
Manuscript received December 24, 2020; accepted January 27, 2021. Date of publication February 11, 2021; date of current version July 7, 2021. This work was supported in part by the U.S. National Science Foundation under Grant CNS-1828363, and in part by the Sejong University Research Faculty Program under Grant 20212023. (Golam Kayas, Mahmud Hossain, Jamie Payton, and S. M. Riazul Islam contributed equally to this work.) (Corresponding author: Golam Kayas.) Golam Kayas and Jamie Payton are with the Department of Computer and Information Science, Temple University, Philadelphia, PA 19122 USA.
Publisher Copyright:
© 2014 IEEE.
PY - 2021/7/15
Y1 - 2021/7/15
AB - The service-oriented nature of the Universal Plug-and-Play (UPnP) protocol supports the creation of flexible, open, and dynamic systems. As such, it is widely used in Internet-of-Things (IoT) deployments. However, the protocol's service access mechanism does not consider security from the first principles and is therefore vulnerable to various attacks. In this article, we present an in-depth analysis of the service advertisement, discovery, and access methods of the UPnP protocol stack and identify security issues in an IoT network. Our analysis shows that adversaries can perform resource exhaustion, buffer overflow, reflection, and amplification attacks by exploiting the vulnerabilities of the UPnP protocol. To address these issues, we propose a capability-based security model for UPnP to ensure secure discovery, advertisement, and access of the UPnP services that considers the resource limitations of IoT devices. Our analysis shows the effectiveness of the proposed model against potential attacks, and our experimental evaluation highlights the feasibility of implementing our Secure UPnP (SUPnP) protocol in a network of IoT devices, incurring minimal network and performance overhead.
KW - Access
KW - discovery
KW - Internet of Things (IoT)
KW - network attacks
KW - registration
KW - security
KW - Universal Plug and Play (UPnP)
UR - http://www.scopus.com/inward/record.url?scp=85100848453&partnerID=8YFLogxK
U2 - 10.1109/JIOT.2021.3058699
DO - 10.1109/JIOT.2021.3058699
M3 - Article
AN - SCOPUS:85100848453
VL - 8
SP - 11561
EP - 11580
JO - IEEE Internet of Things Journal
JF - IEEE Internet of Things Journal
SN - 2327-4662
IS - 14
M1 - 9352973
ER -