Security Weaknesses in IoT Management Platforms

TL;DR

This paper systematically evaluates the security of 52 IoT management platforms, uncovering critical vulnerabilities like unauthorized access, broken authentication, and remote code execution, highlighting the urgent need for improved security measures.

Contribution

Introduces a comprehensive framework for security assessment of IoT management platforms and applies it to identify significant vulnerabilities in real-world systems.

Findings

9 platforms had high severity unauthorized access vulnerabilities

13 platforms exhibited broken authentication issues

2 platforms were vulnerable to remote code execution

Abstract

A diverse set of Internet of Things (IoT) devices are becoming an integrated part of daily lives, and playing an increasingly vital role in various industry, enterprise and agricultural settings. The current IoT ecosystem relies on several IoT management platforms to manage and operate a large number of IoT devices, their data, and their connectivity. Considering their key role, these platforms must be properly secured against cyber attacks. In this work, we first explore the core operations/features of leading platforms to design a framework to perform a systematic security evaluation of these platforms. Subsequently, we use our framework to analyze a representative set of 52 IoT management platforms, including 42 web-hosted and 10 locally-deployable platforms. We discover a number of high severity unauthorized access vulnerabilities in 9/52 evaluated IoT management platforms, which could be abused to perform attacks such as remote IoT SIM deactivation, IoT SIM overcharging and IoT device data forgery. More seriously, we also uncover instances of broken authentication in 13/52 platforms, including complete account takeover on 8/52 platforms along with remote code execution on 2/52 platforms. In effect, 17/52 platforms were affected by vulnerabilities that could lead to platform-wide attacks. Overall, vulnerabilities were uncovered in 33 platforms, out of which 28 platforms responded to our responsible disclosure. We were also assigned 11 CVEs and awarded bounty for our findings.