Moving from the Developer Machine to IoT Devices: An Empirical Study

Document Type

Conference Proceeding

Publication Date

1-1-2024

Abstract

With the growing prevalence of Internet of Things (IoT) devices, IoT cloud platforms have become increasingly vital in the ecosystem that allows heterogeneous IoT devices to be accessed and managed by a wide range of IoT applications. IoT applications are typically hosted on dedicated application servers within the cloud platforms and offer intelligent automation, control, and management features for all connected IoT devices. However, we found that IoT devices can be attacked if the development environment is compromised. In this paper, we conduct the first systematic study on the security risks of IoT cloud platforms that are introduced by compromised development environments. We discover three novel attacks that can invoke commands on the IoT devices, initiate malicious IoT firmware update, and get access to the IoT devices through secure tunneling. We confirm the feasibility of these attacks on mainstream commercial IoT cloud platforms, including Azure IoT Hub, AWS IoT Core, Samsung SmartThings, IBM Watson IoT, and Google IoT, demonstrating their potential to impact a large number of devices. Our work leads to the creation of CVE-2023-38372 by IBM.

Publication Source (Journal or Book title)

Proceedings - 2024 IEEE Secure Development Conference, SecDev 2024

First Page

140

Last Page

152

This document is currently not available here.

Share

COinS