{"title":"你所有的物联网设备都属于我们:物联网管理平台的安全弱点","authors":"B. Tejaswi, Mohammad Mannan, A. Youssef","doi":"10.1145/3577923.3583636","DOIUrl":null,"url":null,"abstract":"IoT devices have become an integral part of our day to day activities, and are also being deployed to fulfil a number of industrial, enterprise and agricultural use cases. To efficiently manage and operate these devices, the IoT ecosystem relies on several IoT management platforms. Given the security-sensitive nature of the operations performed by these platforms, analyzing them for security vulnerabilities is critical to protect the ecosystem from potential cyber threats. In this work, by exploring the core functionalities offered by leading platforms, we first design a security evaluation framework. Subsequently, we use our framework to analyze 42 IoT management platforms. Our analysis uncovers a number of high severity unauthorized access vulnerabilities in 9/42 platforms, which could lead to attacks such as remote SIM deactivation, IoT SIM overcharging and device data forgery. Furthermore, we find broken authentication in 11/42 platforms, including complete account takeover on 7/42 platforms, along with remote code execution on one of the platforms. Overall, on 11/42 platforms, we find vulnerabilities that could lead to platform-wide attacks, that affect all users and all devices connected to those platforms.","PeriodicalId":387479,"journal":{"name":"Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy","volume":"54 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"All Your IoT Devices Are Belong to Us: Security Weaknesses in IoT Management Platforms\",\"authors\":\"B. Tejaswi, Mohammad Mannan, A. Youssef\",\"doi\":\"10.1145/3577923.3583636\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"IoT devices have become an integral part of our day to day activities, and are also being deployed to fulfil a number of industrial, enterprise and agricultural use cases. To efficiently manage and operate these devices, the IoT ecosystem relies on several IoT management platforms. Given the security-sensitive nature of the operations performed by these platforms, analyzing them for security vulnerabilities is critical to protect the ecosystem from potential cyber threats. In this work, by exploring the core functionalities offered by leading platforms, we first design a security evaluation framework. Subsequently, we use our framework to analyze 42 IoT management platforms. Our analysis uncovers a number of high severity unauthorized access vulnerabilities in 9/42 platforms, which could lead to attacks such as remote SIM deactivation, IoT SIM overcharging and device data forgery. Furthermore, we find broken authentication in 11/42 platforms, including complete account takeover on 7/42 platforms, along with remote code execution on one of the platforms. Overall, on 11/42 platforms, we find vulnerabilities that could lead to platform-wide attacks, that affect all users and all devices connected to those platforms.\",\"PeriodicalId\":387479,\"journal\":{\"name\":\"Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy\",\"volume\":\"54 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-04-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3577923.3583636\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3577923.3583636","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
All Your IoT Devices Are Belong to Us: Security Weaknesses in IoT Management Platforms
IoT devices have become an integral part of our day to day activities, and are also being deployed to fulfil a number of industrial, enterprise and agricultural use cases. To efficiently manage and operate these devices, the IoT ecosystem relies on several IoT management platforms. Given the security-sensitive nature of the operations performed by these platforms, analyzing them for security vulnerabilities is critical to protect the ecosystem from potential cyber threats. In this work, by exploring the core functionalities offered by leading platforms, we first design a security evaluation framework. Subsequently, we use our framework to analyze 42 IoT management platforms. Our analysis uncovers a number of high severity unauthorized access vulnerabilities in 9/42 platforms, which could lead to attacks such as remote SIM deactivation, IoT SIM overcharging and device data forgery. Furthermore, we find broken authentication in 11/42 platforms, including complete account takeover on 7/42 platforms, along with remote code execution on one of the platforms. Overall, on 11/42 platforms, we find vulnerabilities that could lead to platform-wide attacks, that affect all users and all devices connected to those platforms.