Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes

Abstract

Z-Wave smart home Internet of Things devices are used to save energy, increase comfort, and remotely monitor home activities. In the past, security researchers found Z-Wave device vulnerabilities through reverse engineering, manual audits, and penetration testing. However, they did not fully use fuzzing, which is an automated cost-effective testing technique. Thus, in this paper, we present VFUZZ, a protocol-aware blackbox fuzzing framework for quickly assessing vulnerabilities in Z-Wave devices. VFUZZ assesses the target device capabilities and encryption support to guide seed selection and tests the target for new vulnerability discovery. It uses our field prioritization algorithm (FIPA), which mutates specific Z-Wave frame fields to ensure the validity of the generated test cases. We assessed VFUZZ on a real Z-Wave network consisting of 19 Z-Wave devices ranging from legacy to recent ones, as well as different device types. Our VFUZZ evaluation found 10 distinct security vulnerabilities and seven crashes among the tested devices and yielded six unique common vulnerabilities and exposures (CVE) identifiers related to the Z-Wave chipset. © 2013 IEEE.