AI Speakers are typical cloud-based internet of things (IoT) devices that store a variety of information regarding users on the cloud. Although analyzing encrypted traffic between these devices and the cloud, as well as the artifacts stored there, is an important research topic from the perspective of cloud-based IoT forensics, studies on directly analyzing encrypted traffic between AI Speakers and the cloud remain insufficient. In this study, we propose a forensic model that can collect and analyze encrypted traffic between an AI Speaker and the cloud based on a certificate injection. The proposed model consists of porting AI Speaker image on Android device, porting AI Speaker image using QEMU (Quick EMUlator), running exploit using the AI Speaker app vulnerability, rewriting Flash memory using H/W interface, and reworking and updating Flash memory. These five forensic methods are used to inject the certificate into AI Speakers. The proposed model shows that we can analyze encrypted traffic against various AI Speakers such as an Amazon Echo Dot, Naver Clova, SKT NUGU Candle, SKT NUGU, and KT GiGA Genie, and obtain artifacts stored on the cloud. In addition, we develop a verification tool that collects artifacts stored on KT GiGA Genie cloud.
This research was supported by Energy Cloud R&D Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Science, ICT ( 2019M3F2A1073386 ).This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government( MSIT ) (No. 2018-0-01000 , Development of Digital Forensic Integration Platform).
