IET Information Security (Mar 2022)

Authorisation inconsistency in IoT third‐party integration

  • Jiongyi Chen,
  • Fenghao Xu,
  • Shuaike Dong,
  • Wei Sun,
  • Kehuan Zhang

DOI
https://doi.org/10.1049/ise2.12043
Journal volume & issue
Vol. 16, no. 2
pp. 133 – 143

Abstract

Today's IoT platforms provide rich functionalities by integrating with popular third‐party services. Due to the complexity, it is critical to understand whether the IoT platforms have properly managed the authorisation in the cross‐cloud IoT environments. In this study, the authors report the first systematic study on authorisation management of IoT third‐party integration by: (1) presenting two attacks that leak control permissions of the IoT device in the integration of third‐party services; (2) conducting a measurement study over 19 real‐world IoT platforms and three major third‐party services. Results show that eight of the platforms are vulnerable to the threat. To educate IoT developers, the authors provide in‐depth discussion about existing design principles and propose secure design principles for IoT cross‐cloud control frameworks.

Keywords