Research area: Strategies
Conference: International Conference on Security and Privacy in Communication Systems
The IoT cloud is a vital component of smart homes, responsible for entities’ authentication and authorization (A&A). Additionally, the IoT cloud provides many APIs to address complex functional requirements. This paper reports a systematic analysis of A&A security issues in IoT cloud APIs for smart homes. To investigate the problem, we first analyze authenticated entities (i.e., devices, users, and families) and identify two categories of flaws based on the existing policies. Next, we introduce a semi-automated tool called IoTAuthCheck to discover security flaws in the A&A of IoT cloud APIs. IoTAuthCheck automatically identifies and replaces credentials in the request, and checks the target API for security flaws by comparing responses before and after the replacement. We conducted experiments using IoTAuthCheck on seven popular smart home vendors and found 26 APIs with vulnerabilities that can be classified into six specific types of security flaws. Based on proof-of-concept attacks, we demonstrate that these flaws can cause severe security risks, including sensitive information leakage, malicious data injection, and even unauthorized device control.
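The replace-credential-and-compare idea in the abstract is a form of differential authorization testing. The following is an added illustration written for this page, not IoTAuthCheck itself or any vendor's API: a constructed toy IoT cloud with two accounts and two endpoints (one deliberately missing an ownership check), and a checker that swaps the request's credential for another user's token and for an invalid token, then compares each response with the baseline. The header names, endpoint paths, tokens and device identifiers are all assumptions made for the example.

```python
"""Differential A&A check modelled on the abstract's replace-and-compare step.

Illustrative code written for this page. The toy cloud, accounts, tokens,
endpoint paths and header names are constructed, not taken from the paper
or from any real vendor.
"""
import copy

# Constructed toy IoT cloud: two accounts, one device each.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICE_OWNER = {"dev-1": "alice", "dev-2": "bob"}
DEVICE_STATE = {"dev-1": {"power": "on"}, "dev-2": {"power": "off"}}


def toy_cloud_api(req):
    """Stand-in for a vendor's IoT cloud request handler.

    /device/status verifies only that the token is valid (the ownership
    check is deliberately missing); /device/control verifies both.
    """
    user = TOKENS.get(req["headers"].get("Authorization"))
    if user is None:
        return {"status": 401, "body": {"error": "invalid token"}}
    device = req["body"].get("device_id")
    if device not in DEVICE_OWNER:
        return {"status": 404, "body": {"error": "unknown device"}}
    if req["path"] == "/device/status":
        # Flaw: any authenticated user can read any device's state.
        return {"status": 200, "body": dict(DEVICE_STATE[device])}
    if req["path"] == "/device/control":
        if DEVICE_OWNER[device] != user:
            return {"status": 403, "body": {"error": "not your device"}}
        DEVICE_STATE[device]["power"] = req["body"]["power"]
        return {"status": 200,
                "body": {"device_id": device, "power": req["body"]["power"]}}
    return {"status": 404, "body": {"error": "unknown endpoint"}}


# Assumed header names that carry credentials in this toy API.
CREDENTIAL_HEADERS = ("Authorization", "X-Auth-Token")


def make_request(path, token, **body):
    """Build a request dict in the shape toy_cloud_api expects."""
    return {"path": path, "headers": {"Authorization": token}, "body": body}


def find_credentials(req):
    """The 'identify credentials' step, reduced to a header allow-list."""
    return [h for h in CREDENTIAL_HEADERS if h in req["headers"]]


def replace_credentials(req, new_value):
    """Return a copy of the request with every identified credential swapped."""
    mutated = copy.deepcopy(req)
    for header in find_credentials(req):
        mutated["headers"][header] = new_value
    return mutated


def check_api(send, req, other_user_token, junk_token="tok-invalid"):
    """Send the baseline request plus two credential-swapped variants.

    Returns findings keyed by variant: "flaw" when the swapped request
    draws the same response as the baseline (the credential did not gate
    access), "ok" when the API answered 401/403, "review" otherwise.
    """
    baseline = send(req)
    if baseline["status"] != 200:
        return {"baseline": "inconclusive"}
    findings = {}
    for name, token in (("other_user", other_user_token), ("invalid", junk_token)):
        resp = send(replace_credentials(req, token))
        if resp == baseline:
            findings[name] = "flaw"
        elif resp["status"] in (401, 403):
            findings[name] = "ok"
        else:
            findings[name] = "review"
    return findings


if __name__ == "__main__":
    status_req = make_request("/device/status", "tok-alice", device_id="dev-1")
    print("status :", check_api(toy_cloud_api, status_req, "tok-bob"))
    control_req = make_request("/device/control", "tok-alice",
                               device_id="dev-1", power="off")
    print("control:", check_api(toy_cloud_api, control_req, "tok-bob"))
```

Against a real vendor cloud, `send` would be an HTTP client and the second account would be one the tester controls; the "other_user" variant probes authorization (is the caller allowed to act on this entity?) while the "invalid" variant probes authentication. Responses that carry timestamps or request identifiers need normalizing before the equality comparison, otherwise every variant looks different and flaws are missed.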
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Publishing countries | Andorra, China |
| Site | Springer |