How I Can Unlock Your Smart Door: Security Pitfalls in Cross-Vendor IoT Access Control

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 10:20 a.m. (40 minutes).

Internet of Things (IoT) devices are increasingly managed through clouds, which mediate the users' access to devices, e.g., only authorized users can unlock a door. These clouds are operated by device vendors (Philips Hue, LIFX, Tuya, etc.) or cloud providers (Google Home, Amazon Alexa, IFTTT, etc.). Of particular interest here is the emerging capability, advocated by mainstream IoT vendors, to delegate device access across different clouds and users: for example, Philips Hue, August Lock, etc., allow Google Home to control devices mediated by their clouds, so the user can manage multiple devices from different vendors through the single console at Google Home. On Google Home, then, an Airbnb host may temporarily delegate access to their smart lock to a guest during their stay. Such a capability can lead to a convoluted delegation chain, whose authorization operations could easily go wrong. Specifically, access delegation across IoT clouds is distributed, heterogeneous, and unverified: each vendor customizes its delegation protocol with ad-hoc, implicit security assumptions; further, we found that the complicated delegation service is often coupled across clouds, with one cloud unwittingly violating the other's security operations and assumptions.

We report the first systematic study on cross-cloud IoT delegation, based upon a verification tool we developed. We investigated 10 mainstream IoT clouds (Google Home, SmartThings, IFTTT, Philips Hue, LIFX, August, etc.) and discovered 5 serious vulnerabilities that endanger millions of users and hundreds of vendors. Exploiting the vulnerabilities, the adversary (e.g., a former employee or Airbnb tenant) can gain unauthorized access to IoT devices (e.g., smart locks, switches, safety sensors). We implemented end-to-end attacks for all vulnerabilities and reported them to the affected vendors, which have deployed or scheduled fixes.
We further propose principles for developing more secure cross-cloud IoT delegation services, before a standardized solution can be widely deployed.
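The delegation chain the abstract describes (vendor cloud to Google Home to an Airbnb guest) is easy to model, and the model makes the failure mode concrete: each cloud keeps its own local grant records, so a revocation at one link does not automatically reach the grants recorded further down the chain. The following Python is an added example written for this page; it is not the authors' verification tool and does not reproduce any vendor's protocol. The cloud and principal names (`august`, `google_home`, `guest`) and the device name `front_door` are constructed labels, and the `authorized`/`dangling`/`reconcile` checks are an illustrative consistency check, not a published algorithm.

```python
"""Toy model of a cross-cloud IoT delegation chain with a stale-grant check.

Each cloud (or user acting through a cloud) holds its own local view of whom
it has granted access to a device. A principal is actually authorized only if
an unbroken chain of grants leads from the device's owning vendor cloud to it.
Grants that survive in some local view after the chain above them is cut are
"dangling": the classic symptom of coupled, unverified cross-cloud delegation.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DelegationState:
    # device -> vendor cloud that mediates it (the root of every valid chain)
    owners: dict[str, str]
    # grantor -> device -> set of grantees recorded in that grantor's own view
    views: dict[str, dict[str, set[str]]] = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(set))
    )

    def delegate(self, grantor: str, device: str, grantee: str) -> None:
        """Record a grant in the grantor's local view only (no cross-cloud sync)."""
        self.views[grantor][device].add(grantee)

    def revoke(self, grantor: str, device: str, grantee: str) -> None:
        """Remove a grant from the grantor's local view only."""
        self.views[grantor][device].discard(grantee)

    def authorized(self, device: str) -> set[str]:
        """Principals reachable from the owner through an unbroken grant chain."""
        owner = self.owners[device]
        reachable = {owner}
        frontier = [owner]
        while frontier:
            principal = frontier.pop()
            for grantee in self.views.get(principal, {}).get(device, ()):
                if grantee not in reachable:
                    reachable.add(grantee)
                    frontier.append(grantee)
        return reachable

    def dangling(self, device: str) -> set[str]:
        """Principals still listed in some view but without a valid chain to the owner."""
        held: set[str] = set()
        for grants in self.views.values():
            held |= grants.get(device, set())
        return held - self.authorized(device)

    def reconcile(self, device: str) -> set[str]:
        """Mitigation: purge dangling grants from every local view; return what was purged."""
        stale = self.dangling(device)
        for grants in self.views.values():
            if device in grants:
                grants[device].difference_update(stale)
        return stale


def airbnb_scenario() -> DelegationState:
    """Constructed scenario: vendor cloud -> Google Home -> guest, before any revocation."""
    state = DelegationState(owners={"front_door": "august"})
    state.delegate("august", "front_door", "google_home")   # host links the vendor cloud to Google Home
    state.delegate("google_home", "front_door", "guest")    # host grants the guest access on Google Home
    return state


if __name__ == "__main__":
    s = airbnb_scenario()
    print("authorized before revocation:", sorted(s.authorized("front_door")))
    # The host unlinks Google Home at the vendor cloud after the stay...
    s.revoke("august", "front_door", "google_home")
    # ...but Google Home's own record of the guest is untouched.
    print("dangling after revocation:", sorted(s.dangling("front_door")))
    print("purged by reconcile:", sorted(s.reconcile("front_door")))
```

The `dangling` check is the kind of property a verification tool can assert across clouds: after any revocation, no local view should list a grantee that `authorized` cannot reach. Whether a real deployment would let the stale grant be exercised depends on how the downstream cloud validates requests, which is exactly the per-vendor, implicit assumption the abstract warns about.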

Presenters:

  • Bin Yuan - Postdoc, Huazhong University of Science and Technology; Indiana University Bloomington
    Dr. Bin Yuan is currently a postdoc at Huazhong University of Science and Technology (HUST), Wuhan, China. Bin received his B.S. and PhD degrees in Computer Science and Technology from HUST in 2013 and 2018, respectively. His research interests include software-defined network security, network function virtualization, cloud security, privacy, and IoT security. He has published several technical papers in top conferences/journals, such as USENIX Security, IEEE TSC, IEEE TNSM, IEEE TNSE, IEEE IoT Journal, and FGCS.
  • Yan Jia - Research Associate, Nankai University
    Yan Jia is a Research Associate in the College of Cyber Science at Nankai University. He received his PhD degree from the School of Cyber Engineering at Xidian University in Dec. 2020. His interests include discovering and understanding new design or logic security vulnerabilities in real-world systems, including IoT (currently his main direction), Web/browser, mobile, network, and other systems. His work has helped many high-profile vendors improve their products' security, including Amazon, Microsoft, Apple, Google, etc.
  • Dongfang Zhao - PhD Student, Indiana University Bloomington
    Dongfang Zhao is a PhD student at Indiana University Bloomington. He joined the System Security Group led by Prof. Xiaofeng Wang, Prof. Luyi Xing and Prof. Xiaojing Liao, which is considered one of the top system security labs. He is currently conducting research related to system security and IoT security.
  • Luyi Xing - Assistant Professor of Computer Science, Indiana University Bloomington
    Dr. Luyi Xing joined Indiana University Bloomington (IUB) as an Assistant Professor of Computer Science after three years of experience building large commercial systems at Amazon. He now leads the System Security Group at IUB with Prof. XiaoFeng Wang and Prof. Xiaojing Liao. His group is known as one of the most productive system security teams in the world in terms of publishing at the top 4 security conferences. His research interests include discovering new types of design and logic flaws in commodity systems involving IoT, cloud, iOS, OS X, Android, browsers/Web, etc., and popular applications on them. He then invents solutions to protect real-world users of these systems. His research on OS X, iOS, Android and AWS was reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register and more. The official blogs of Facebook and 1Password discussed his research on authentication security. Apple, Android, Chrome, AWS, Facebook, Dropbox, Evernote, etc. acknowledged his vulnerability discoveries and efforts to protect their users.