Towards Lifetime Supply Chain Security for Internet of Things: Testing an Update Before Trusting It

Researchers plan to ensure lifetime supply chain security for the Internet of Things (IoT) by testing devices and updates through on-device fuzzing that will take advantage of the hub-to-device local control channel.

Funded by the CCI Hub

Project Investigator

Principal Investigator (PI): Qiang Zeng, George Mason University’s Computer Science Department

Rationale and Background

The IoT’s global market value is projected to hit almost $2.5 billion by 2029. Because hardware and software supply chains around the world are so complex, devices and updates can contain vulnerabilities and bugs from many sources.

When an IoT device joins a hub, it generates a sequence of setting-up messages. Researchers propose to use these messages to discover the functionalities of a device, then perform systematic functionality-oriented fuzzing.

Creating a local control channel will allow a fuzzer built in a hub to directly command IoT devices without hacking companion apps.

Methodology

Researchers will:

• Study techniques that enable a fuzzer to connect and command IoT devices, leading to a customizable hub that can pair IoT devices and communicate with them. The fuzzer will be built in the hub. 
• Build knowledge bases about various IoT protocols, then exploit setting-up messages to discover functionalities of a device under test.
• Develop rich fuzzing policies to conduct systematic fuzzing.

Projected Outcomes

Researchers seek to ensure lifetime supply chain security of IoT devices by  inventing a new approach to on-device IoT fuzzing that takes advantage of the hub-to-device local control channel. 

The project could make breakthroughs in IoT lifetime supply chain security, while having broader impacts on society, research, education, and industry.

Developed tools can be used by third-party security researchers, IoT vendors, and organizations to enhance lifetime supply chain security of IoT.