-
Client-side Vulnerabilities in Commercial VPNs
Authors:
Thanh Bui,
Siddharth Prakash Rao,
Markku Antikainen,
Tuomas Aura
Abstract:
Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client's traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client's real IP address from online services, and they also shield the user's connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal the VPN user's username and password. We suggest ways to mitigate each of the discovered vulnerabilities.
Submitted 10 December, 2019;
originally announced December 2019.
-
XSS Vulnerabilities in Cloud-Application Add-Ons
Authors:
Thanh Bui,
Siddharth Rao,
Markku Antikainen,
Tuomas Aura
Abstract:
Cloud-application add-ons are microservices that extend the functionality of the core applications. Many application vendors have opened their APIs for third-party developers and created marketplaces for add-ons (also add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. We found that many such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons in each marketplace. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.
Submitted 27 November, 2019;
originally announced November 2019.
-
IoT-KEEPER: Securing IoT Communications in Edge Networks
Authors:
Ibbad Hafeez,
Markku Antikainen,
Aaron Yi Ding,
Sasu Tarkoma
Abstract:
The increased popularity of IoT devices has made them lucrative targets for attackers. Due to insecure product development practices, these devices are often vulnerable even to very trivial attacks and can be easily compromised. Due to the sheer number and heterogeneity of IoT devices, it is not possible to secure the IoT ecosystem using traditional endpoint and network security solutions. To address the challenges and requirements of securing IoT devices in edge networks, we present IoT-Keeper, which is a novel system capable of securing the network against any malicious activity, in real time. The proposed system uses a lightweight anomaly detection technique to secure both device-to-device and device-to-infrastructure communications, while using limited resources available on the gateway. It uses unlabeled network data to distinguish between benign and malicious traffic patterns observed in the network. A detailed evaluation, done with a real-world testbed, shows that IoT-Keeper detects any device generating malicious traffic with high accuracy (0.982) and low false positive rate (0.01). The results demonstrate that IoT-Keeper is lightweight, responsive and can effectively handle complex D2D interactions without requiring explicit attack signatures or sophisticated hardware.
Submitted 19 October, 2018;
originally announced October 2018.
-
Toward Secure Edge Networks Taming Device to Device (D2D) Communication in IoT
Authors:
Ibbad Hafeez,
Aaron Yi Ding,
Markku Antikainen,
Sasu Tarkoma
Abstract:
The growing popularity of Internet-of-Things (IoT) has created the need for network-based traffic anomaly detection systems that could identify misbehaving devices. In this work, we propose a lightweight technique, IoT-guard, for identifying malicious traffic flows. IoT-guard uses semi-supervised learning to distinguish between malicious and benign device behaviours using the network traffic generated by devices. In order to achieve this, we extracted 39 features from network logs and discarded any features containing redundant information. After feature selection, fuzzy C-Mean (FCM) algorithm was trained to obtain clusters discriminating benign traffic from malicious traffic. We studied the feature scores in these clusters and used this information to predict the type of new traffic flows. IoT-guard was evaluated using a real-world testbed with more than 30 devices. The results show that IoT-guard achieves high accuracy (98%) in differentiating various types of malicious and benign traffic, with low false positive rates. Furthermore, it has a low resource footprint and can operate on OpenWRT enabled access points and COTS computing boards.
Submitted 16 October, 2018; v1 submitted 16 December, 2017;
originally announced December 2017.
-
XBF: Scaling up Bloom-filter-based Source Routing
Authors:
Markku Antikainen,
Liang Wang,
Dirk Trossen,
Arjuna Sathiaseelan
Abstract:
A well-known drawback of IP-multicast is that it requires per-group state to be stored in the routers. Bloom-filter based source-routed multicast remedies this problem by moving the state from the routers to the packets. However, a fixed-size Bloom-filter can only store a limited number of items before the false positive ratio grows too high, implying scalability issues. Several proposals have tried to address these scalability issues in Bloom-filter forwarding. These proposals, however, unnecessarily increase the forwarding complexity.
In this paper, we present Extensible-Bloom-filter (XBF), a new framing and forwarding solution which effectively circumvents the aforementioned drawbacks. XBF partitions a network into sub-networks that reflect the network topology and traffic patterns, and uses a separate fixed-length Bloom-filter in each of these. We formulate this partition assignment problem into a balanced edge partitioning problem, and evaluate it with simulations on realistic topologies. Our results show that XBF scales to very large networks with minimal overhead and completely eliminates the false-positives that have plagued the traditional Bloom-filter-based forwarding protocols. It furthermore integrates with SDN environments, making it highly suitable for deployments in off-the-shelf SDN-based networks.
Submitted 18 February, 2016;
originally announced February 2016.