Skip to main navigation Skip to search Skip to main content

SUPnP: Secure Access and Service Registration for UPnP-Enabled Internet of Things

  • Golam Kayas* (Corresponding Author)
  • , Mahmud Hossain
  • , Jamie Payton
  • , S. M.Riazul Islam
    • *Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

4   Link opens in a new tab Citations (Scopus)
5 Downloads (Pure)

Abstract

The service-oriented nature of the Universal Plug-and-Play (UPnP) protocol supports the creation of flexible, open, and dynamic systems. As such, it is widely used in Internet-of-Things (IoT) deployments. However, the protocol's service access mechanism does not consider security from the first principles and is therefore vulnerable to various attacks. In this article, we present an in-depth analysis of the service advertisement, discovery, and access methods of the UPnP protocol stack and identify security issues in an IoT network. Our analysis shows that adversaries can perform resource exhaustion, buffer overflow, reflection, and amplification attacks by exploiting the vulnerabilities of the UPnP protocol. To address these issues, we propose a capability-based security model for UPnP to ensure secure discovery, advertisement, and access of the UPnP services that considers the resource limitations of IoT devices. Our analysis shows the effectiveness of the proposed model against potential attacks, and our experimental evaluation highlights the feasibility of implementing our Secure UPnP (SUPnP) protocol in a network of IoT devices, incurring minimal network and performance overhead.

Original languageEnglish
Article number9352973
Pages (from-to)11561-11580
Number of pages20
JournalIEEE Internet of Things Journal
Volume8
Issue number14
Early online date11 Feb 2021
DOIs
Publication statusPublished - 15 Jul 2021

Bibliographical note

Funding Information:
This work was supported in part by the U.S. National Science Foundation under Grant CNS-1828363, and in part by the Sejong University Research Faculty Program under Grant 20212023.

Funding

Manuscript received December 24, 2020; accepted January 27, 2021. Date of publication February 11, 2021; date of current version July 7, 2021. This work was supported in part by the U.S. National Science Foundation under Grant CNS-1828363, and in part by the Sejong University Research Faculty Program under Grant 20212023. (Golam Kayas, Mahmud Hossain, Jamie Payton, and S. M. Riazul Islam contributed equally to this work.) (Corresponding author: Golam Kayas.) Golam Kayas and Jamie Payton are with the Department of Computer and Information Science, Temple University, Philadelphia, PA 19122 USA (e-mail: [email protected]; [email protected]).

Keywords

  • Access
  • discovery
  • Internet of Things (IoT)
  • network attacks
  • registration
  • security
  • Universal Plug and Play (UPnP)

Access to Document

  • Kayas_etal_IEEEIOTJ_SUPnP_Secure_Access_AAM

    © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    Accepted author manuscript, 5.7 MBLicence: Unspecified

Other files and links

    Fingerprint

    Dive into the research topics of 'SUPnP: Secure Access and Service Registration for UPnP-Enabled Internet of Things'. Together they form a unique fingerprint.
    View full fingerprint

    Cite this