Uncovering Access Token Security Flaws in Multiuser Scenario of Smart Home Platforms

Yiyu Yang, Jice Wang, Peng Liu, Anmin Fu, Yuqing Zhang

Research output: Contribution to journal › Article › peer-review

Abstract

Access tokens have been thoroughly researched in website and mobile application security. However, we believe that the traditional application of access tokens must satisfy new security requirements in smart home environments because of the distinctive multiuser sharing model these platforms support. Smart home platforms allow different types of users to share access to a single IoT device through mobile apps, with varying levels of permission that are closely tied to access tokens. One security concern is that existing security standards and literature, as well as vendors' development and implementation practices, may overlook these features and thereby introduce security risks into the use of access tokens. In this work, we propose a novel testing framework and conduct a systematic study to measure the extent to which real-world smart home platform implementations neglect these new requirements. The testing results show that seven of the 11 real-world smart home platforms are affected by access token management flaws, which collectively violate four security properties. We have found that these flaws can be exploited to enable unrestricted file upload, DoS attacks, remote command execution, and illegal surveillance in real-world scenarios. Finally, we conducted responsible disclosure of these flaws and attacks and obtained seven China National Vulnerability Database vulnerability IDs and one CVE ID. We also provide suggestions for mitigating the vulnerabilities.

Original language: English (US)
Pages (from-to): 36841-36857
Number of pages: 17
Journal: IEEE Internet of Things Journal
Volume: 11
Issue number: 22
State: Published - 2024

All Science Journal Classification (ASJC) codes

  • Signal Processing
  • Information Systems
  • Hardware and Architecture
  • Computer Science Applications
  • Computer Networks and Communications
