Fernando Kuipers


3 Papers

CR, May 6
Securing the Web with HSTS-Enforced

Aaron van Diepen, Adrian Zapletal, Fernando Kuipers

TLS stripping attacks expose sensitive web traffic by forcing secure HTTPS connections to fall back to unencrypted HTTP. At present, protection against these attacks relies on website operators explicitly opting into security by deploying mechanisms such as HTTP Strict Transport Security (HSTS) headers. These mechanisms have significant limitations: some are weak or difficult to configure, which raises the risk of misconfiguration and reduces practical adoption; others violate HTTP backward compatibility; at least one can even be abused to enable unintended user tracking. We introduce HSTS-Enforced, a mechanism that eliminates the remaining attack surface for TLS stripping while still allowing operators to securely specify that their websites need to be accessed over HTTP when necessary, thereby maintaining accessibility. To achieve this, we flip the current opt-in security model to an opt-out model: all connections default to HTTPS, and operators can explicitly opt out if their websites require HTTP using so-called HTTP-Required indicators. We propose two such HTTP-Required indicators: a new DNS record and an HTTP-Required Preload list. We evaluate HSTS-Enforced under multiple deployment scenarios, demonstrating that it blocks all practical TLS stripping attempts while maintaining compatibility for sites that require HTTP - without introducing overhead in the typical case. Finally, we outline a practical transition path to accelerate global adoption.

NI, Jul 11, 2018, Code
ThingPot: an interactive Internet-of-Things honeypot

Meng Wang, Javier Santillan, Fernando Kuipers

The Mirai Distributed Denial-of-Service (DDoS) attack exploited security vulnerabilities of Internet-of-Things (IoT) devices and thereby clearly signalled that attackers have IoT on their radar. Securing IoT is therefore imperative, but in order to do so it is crucial to understand the strategies of such attackers. For that purpose, in this paper, a novel IoT honeypot called ThingPot is proposed and deployed. Honeypot technology mimics devices that might be exploited by attackers and logs their behavior to detect and analyze the attack vectors used. ThingPot is the first of its kind, since it focuses not only on the IoT application protocols themselves, but on the whole IoT platform. A Proof-of-Concept is implemented with XMPP and a REST API, to mimic a Philips Hue smart lighting system. ThingPot has been deployed for 1.5 months and through the captured data we have found five types of attacks and attack vectors against smart devices. The ThingPot source code is made available as open source.

NI, Apr 10
Scrutinizing Real-life Configurations of Random Access Procedures in Cellular Networks

Joris Belder, Anup Bhattacharjee, Fernando Kuipers

In cellular networks, base stations broadcast configurations that devices use for the random access procedure, which is a vital part of the connection setup. Ideally, the network should choose configurations based on the deployment scenario to optimize radio resource management. Doing so can, for example, decrease collisions of random access messages. We captured 112,806 data points of cellular broadcast information from nine network operators across three countries and analyzed how the operators configure the random access procedure. We found that configurations often do not fit the deployment scenario, and neighboring cells often use the same configuration, causing an unnecessarily high risk of collisions and, hence, delay in the connection setup. Furthermore, we simulated the random access procedure in NS-3 and found that by varying the configurations in a large area with many cells, the number of collisions can be reduced by 43% on average and up to 61%, and the connection delay can be lowered by 11% on average and up to 42%. Our findings indicate that simple adaptations in the random access configurations can greatly improve the performance of cellular networks.