Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

End of Bibblio RCM includes -->
4/16/2021
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

Security Gaps in IoT Access Control Threaten Devices and Users

Researchers spot problems in how IoT vendors delegate device access across multiple clouds and users.

A team of Internet of Things security researchers has discovered vulnerabilities in the way IoT device vendors manage access across multiple clouds and users, putting both individuals and vendors at risk.

Related Content:

Rethinking IoT Security: It's Not About the Devices

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

IoT devices are increasingly managed through clouds operated by device vendors such as Philips Hue, LIFX, and Tuya, or by cloud providers such as Google and Amazon. These clouds mediate the users' access to specific devices — for example, granting them permission to unlock a smart lock.

The researchers were especially interested in the emerging capability to delegate device access across multiple clouds and users. Some vendors let Google Home control devices under their clouds, so a person can manage multiple devices from different vendors via their Google Home. It's a win for usability — normally, someone with devices from various vendors would install multiple apps to control them, which becomes a hassle as their IoT device collection grows.

"[The IoT] keeps evolving, and we keep observing new security issues, new security risks coming up, especially when a vendor tries to strike a balance between usability and security," says Luyi Xing, assistant professor of computer science at Indiana University Bloomington and a member of the research team.

While being able to manage multiple devices from a single hub is convenient, access delegation across IoT clouds is distributed and unverified, researchers report. The problems emerge when one cloud unknowingly violates the security operations and assumptions of another cloud. When this happens, devices may not fully revoke access when someone instructs them to.

"Security always comes behind the functionality, so that's why this is important," adds Bin Yuan, post-doc at Huazhong University of Science and Technology and Indiana University Bloomington. "That's why we did our research in this area, to better understand it and try to solve the security risks here."

The problem lies in vendors' protocols, Xing explains. Each vendor independently develops its own delegation protocol with implicit security assumptions, but the protocols from different vendors have to work together to establish the delegation chain between vendor and user.

"When these protocols work together, their security assumptions may conflict with each other, and one vendor may not fully understand the implications [or] the assumptions of another vendor's operation in terms of security," he says. One of the vulnerabilities they discovered let a user continue accessing a device after temporary permissions were removed. When someone attempted to revoke the permission, it turned out the user still had control over the device.

In the real world, this could happen with something as simple as a smart lock, Xing says. An Airbnb host may grant temporary access to a guest, but that guest could still have access to their home after the host thinks they've checked out.

An Industrywide Problem
This problem affects a broad range of IoT device vendors and clouds. Given this, the researchers sought to develop an approach to verify the protocols of different device manufacturers and determine whether a protocol might be vulnerable to an attack. They created a verification tool to model the operations and data flows of an IoT vendor and automatically discover flaws.

From there, they conducted a systematic study on cross-cloud IoT delegation, in which they investigated 10 mainstream IoT clouds, including Google Home, SmartThings, Philips Hue, LIFX, August, and others. They discovered five serious flaws that, if exploited, could give someone unauthorized access to IoT devices such as smart locks, switches, and safety sensors, they say.

"We can find the individual vulnerabilities for a specific protocol, for a specific vendor, but that doesn't solve the problem," Xing says of why they wanted to create a systematic approach. All of the flaws they discovered were reported to the respective vendors, which have deployed or scheduled fixes.

The researchers believe cross-vendor delegation is helpful to users; however, the protocols behind it must be designed with more caution. Protocols they saw in the wild had not undergone rigorous security analysis or verification, Xing says. The team hopes that protocols will eventually become more transparent, so vendors know one another's security assumptions.

Xing and Yuan will join their fellow researchers, Yan Jia, research associate at Nankai University, and Dongfang Zhao, PhD student at Indiana University Bloomington, to present their research findings in a Black Hat Asia briefing: "How I Can Unlock Your Smart Door: Security Pitfalls in Cross-Vendor IoT Access Control," on May 7.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-24806
PUBLISHED: 2023-02-04
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2013-10017
PUBLISHED: 2023-02-04
A vulnerability was found in fanzila WebFinance 0.5. It has been classified as critical. Affected is an unknown function of the file htdocs/admin/save_roles.php. The manipulation of the argument id leads to sql injection. The name of the patch is 6cfeb2f6b35c1b3a7320add07cd0493e4f752af3. It is recom...
CVE-2013-10018
PUBLISHED: 2023-02-04
A vulnerability was found in fanzila WebFinance 0.5. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file htdocs/prospection/save_contact.php. The manipulation of the argument nom/prenom/email/tel/mobile/client/fonction/note leads to sql injection....
CVE-2023-23082
PUBLISHED: 2023-02-03
A heap buffer overflow vulnerability in Kodi Home Theater Software up to 19.5 allows attackers to cause a denial of service due to an improper length of the value passed to the offset argument.
CVE-2023-23615
PUBLISHED: 2023-02-03
Discourse is an open source discussion platform. The embeddable comments can be exploited to create new topics as any user but without any clear title or content. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. As a workaround, disable embeddable comments by ...