Sneak into Your Room: Security Holes in the Integration and Management of Messaging Protocols on Commercial IoT Clouds

Presented at Black Hat Europe 2019, Dec. 4, 2019, 2:30 p.m. (50 minutes)

With the increasing popularity of the Internet of Things (IoT), many IoT clouds have emerged to help device manufacturers connect their devices to customers and offload the communication management to cloud providers. At the center of such IoT cloud services is the mechanism that mediates the communication (e.g., control commands and messages) between IoT devices and users. Such communication is built on existing general messaging protocols, in particular MQTT, arguably the most popular one and widely used by mainstream IoT cloud providers such as AWS, Microsoft, IBM, Google, Alibaba, etc. Less clear, however, is whether such protocols, which are not designed to work in the adversarial environment of IoT, introduce new security risks. In this presentation, we report the first systematic study on the protection that leading commercial IoT clouds (e.g., AWS IoT Core, IBM Watson IoT, Azure IoT, Google Cloud IoT, Alibaba IoT, Tuya Smart) put in place for integrating MQTT into device-user communication. We found that in the absence of rigorous security analysis, these platforms' security additions (e.g., authentication, authorization, session management, etc.) to the protocol are all vulnerable, allowing the adversary to gain control of the device, launch a large-scale denial-of-service attack, steal the victim's secret data and fake the victim's device status for deception. We successfully performed proof-of-concept (PoC), end-to-end attacks on eight leading IoT clouds using real commercial IoT devices. We further conducted a measurement study, which demonstrates that the security impacts of our attacks are real, severe and broad. We reported our findings to all affected cloud providers and device manufacturers, which all acknowledged the problems (evidenced by Microsoft's Security Researcher Acknowledgments, CVE-2018-12546, and vendor responses on our supporting site). We also reported our findings to the MQTT Technical Committee (OASIS Open Issues MQTT-536), and the possible mitigations are under open discussion now. In conclusion, our research reveals that in the absence of standard guidance and security practices for integrating and managing the general messaging protocol on IoT clouds, secure user-device interactions cannot be guaranteed in practice, due to the underestimated security gap between the protocol and real-world IoT environments.
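The abstract names authorization as one of the cloud-side additions to MQTT that failed in practice, without spelling out the mechanism. As an added illustration that is not part of the talk and does not describe any of the named clouds, the following Python sketches the broker-side check a defender would want: every authenticated client is bound to one device topic namespace, and both subscription filters and publish topics are verified against that binding. It goes beyond the abstract by also enforcing two rules from the MQTT 3.1.1 specification (wildcards `+`/`#` are only valid as whole levels, with `#` last, and are not permitted in a PUBLISH topic name). The client ids, topic layout and `DEVICE_SCOPE` registry are constructed sample data.

```python
"""Broker-side MQTT topic authorization: scope each client to one device namespace.

Added illustration, not code from the presentation or from any IoT cloud.
"""
from typing import Dict, List, Optional

# Constructed sample registry: which device namespace each authenticated
# client id may touch. A real broker would derive this from its device
# registry and user-device binding at CONNECT time (hypothetical ids).
DEVICE_SCOPE: Dict[str, str] = {
    "dev-001": "devices/dev-001",        # the device itself
    "user-alice": "devices/dev-001",     # owner of dev-001
    "user-mallory": "devices/dev-002",   # owner of a different device
}


def split_topic(topic: str) -> List[str]:
    """Split a topic or filter into its '/'-separated levels."""
    return topic.split("/")


def is_valid_filter(filter_: str) -> bool:
    """MQTT 3.1.1 rule: '+' and '#' must occupy a whole level, and '#' must be last."""
    if not filter_:
        return False
    levels = split_topic(filter_)
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            return False
        if "+" in level and level != "+":
            return False
    return True


def topic_matches(filter_: str, topic: str) -> bool:
    """Wildcard matching: '+' matches exactly one level, '#' matches the remainder
    (including zero levels, so 'a/#' matches 'a')."""
    f = split_topic(filter_)
    t = split_topic(topic)
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t):
            return False
        if level != "+" and level != t[i]:
            return False
    return len(f) == len(t)


def _scope_levels(client_id: str) -> Optional[List[str]]:
    scope = DEVICE_SCOPE.get(client_id)
    return split_topic(scope) if scope else None


def may_subscribe(client_id: str, filter_: str) -> bool:
    """Allow a filter only if every topic it could match lies inside the client's scope.
    That holds exactly when the scope levels appear literally (no wildcard) at the
    start of the filter; 'devices/#' or 'devices/+/status' therefore fail."""
    scope = _scope_levels(client_id)
    if scope is None or not is_valid_filter(filter_):
        return False
    return split_topic(filter_)[: len(scope)] == scope


def may_publish(client_id: str, topic: str) -> bool:
    """PUBLISH topics may not contain wildcards and must lie inside the client's scope."""
    scope = _scope_levels(client_id)
    if scope is None or not topic or "+" in topic or "#" in topic:
        return False
    return split_topic(topic)[: len(scope)] == scope


def recipients(topic: str, subscriptions: Dict[str, List[str]]) -> List[str]:
    """Which subscribers receive a message: the filter must both be authorized for
    that subscriber and match the topic. Unauthorized filters are ignored even if
    a buggy SUBSCRIBE path let them be stored."""
    out = []
    for client_id, filters in subscriptions.items():
        if any(may_subscribe(client_id, f) and topic_matches(f, topic) for f in filters):
            out.append(client_id)
    return out


if __name__ == "__main__":
    subs = {
        "user-alice": ["devices/dev-001/#"],
        "user-mallory": ["devices/#", "devices/dev-002/#"],  # first filter is out of scope
    }
    print(recipients("devices/dev-001/status", subs))  # only user-alice
```

The key design choice is comparing topic levels, not string prefixes: a string-prefix check would let `devices/dev-0011/...` pass for a client scoped to `devices/dev-001`, and it would not catch a `+` or `#` placed at the device-id level.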


  • Yuqing Zhang - Professor, NCNIPC, University of Chinese Academy of Sciences; School of Cyber Engineering, Xidian University
    Yuqing Zhang received his PhD degree in Cryptography from Xidian University, China. Dr. Zhang is a Professor and the Director of the National Computer Network Intrusion Protection Center at the University of Chinese Academy of Sciences. His research interests include network and system security, and applied cryptography. He has published more than 100 research papers in international journals and conferences, such as ACM CCS, USENIX Security, IEEE TPDS and IEEE TDSC.
  • Luyi Xing - Assistant Professor, Indiana University Bloomington
    Dr. Luyi Xing joined Indiana University Bloomington (IUB) as an Assistant Professor of Computer Science after three years' experience of building large commercial systems at Amazon. He now leads the System Security Group at IUB with Prof. XiaoFeng Wang and Prof. Xiaojing Liao. His group is known as one of the most productive system security teams in the world in terms of publishing at the top four security conferences. His research interests include discovering new types of design and logic flaws in commodity systems involving IoT, cloud, iOS, OS X, Android, browsers/Web, etc., and popular applications on them. He then invents solutions to protect real-world users of these systems. His research on OS X, iOS, Android and AWS was reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register and more. The official blogs of Facebook and 1Password discussed his research on authentication security. Apple, Android, Chrome, AWS, Facebook, Dropbox, Evernote, etc. acknowledged his vulnerability discoveries and efforts to protect their users.
  • Yan Jia - Ph.D. Student, School of Cyber Engineering, Xidian University; NCNIPC, University of Chinese Academy of Sciences
    Yan Jia is a PhD student at the School of Cyber Engineering, Xidian University. His current research interests include system security, Web/browser security, and IoT security. His work has helped many popular vendors (e.g., AWS, Microsoft, Google, IBM, Alibaba, Baidu, etc.) improve their system security.

