Sharing Can be Threatening: Uncovering Security Flaws of RBAC Model on Smart Home Platforms

Yiyu Yang, Jiayu Zhao, Yilian Li, Xiaowei Li, Peng Liu, Yuqing Zhang

Research output: Contribution to journal › Article › peer-review

Abstract

The “sharing” feature provided by smart home platforms enables multiple users to access a device simultaneously with different roles and permissions, but it also presents new security challenges for the design and implementation of permission management. The key issue is that the platform adopts two different permission assignments, one on the app side and one on the cloud side, and these two assignments must remain consistent in what they authorize. Unfortunately, real-world smart home platforms may not be able to ensure this when implementing the RBAC (Role-Based Access Control) model. Inconsistency between these assignments may lead to security vulnerabilities, which can be easily exploited by malicious users. Although many existing studies have revealed security issues with smart home platforms, less attention has been paid to the sharing feature and permission assignments, and to the security issues that arise from them. In this work, we conducted a systematic study of the RBAC model and permission management of smart home platforms. To overcome the technical challenges imposed by “black-box” platforms, we also proposed a novel testing framework. By testing 10 smart home platforms that all belong to the “device-connected, black-box, and multi-user supported” category, we collected each platform's “configurable permission assignment” and inferred its “enforced permission assignment”. Finally, we identified 44 inconsistencies that could lead to security vulnerabilities. Malicious users could exploit these vulnerabilities to initiate attacks such as device hijacking, unauthorized access, illegal control, and eavesdropping. We promptly reported these vulnerabilities to vendors and CNVD, and proposed mitigation measures.

Original language: English (US)
Pages (from-to): 950-966
Number of pages: 17
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 22
Issue number: 2
State: Published - 2025

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Electrical and Electronic Engineering
