TY - GEN
T1 - Who's in Control? On Security Risks of Disjointed IoT Device Management Channels
AU - Jia, Yan
AU - Yuan, Bin
AU - Xing, Luyi
AU - Zhao, Dongfang
AU - Zhang, Yifan
AU - Wang, Xiaofeng
AU - Liu, Yijing
AU - Zheng, Kaimin
AU - Crnjak, Peyton
AU - Zhang, Yuqing
AU - Zou, Deqing
AU - Jin, Hai
N1 - We would like to thank our shepherd Prof. Z. Berkay Celik and the anonymous reviewers for their insightful comments. Special thanks to Haoran Lu’s discussion and Yiyu Yang’s help for testing. Yan Jia is funded by China Postdoctoral Science Foundation (No. 2021M691673) and in part by China Scholarship Council. The authors of Huazhong University of Science and Technology are supported by the National Natural Science Foundation of China (No. 61902138). Yuqing Zhang is supported by the National Natural Science Foundation of China (U1836210), and the Key Research and Development Science and Technology of Hainan Province (ZDYF202012). IU authors are supported in part by NSF CCF-2124225 and Indiana University FRSP-SF and REF.
PY - 2021/11/13
Y1 - 2021/11/13
N2 - An IoT device today can be managed through different channels, e.g., by its device manufacturer's app, or third-party channels such as Apple's Home app, or a smart speaker. Supporting each channel is a management framework integrated in the device and provided by different parties. For example, a device that integrates Apple HomeKit framework can be managed by Apple Home app. We call the management framework of this kind, including all its device- and cloud-side components, a device management channel (DMC). 4 third-party DMCs are widely integrated in today's IoT devices along with the device manufacturer's own DMC: HomeKit, Zigbee/Z-Wave compatible DMC, and smart-speaker Seamless DMC. Each of these DMCs is a standalone system that has full mandate on the device; however, if their security policies and control are not aligned, consequences can be serious, allowing a malicious user to utilize one DMC to bypass the security control imposed by the device owner on another DMC. We call such a problem Chaotic Device Management (Codema). This paper presents the first systematic study on Codema, based on a new model-guided approach. We purchased and analyzed 14 top-rated IoT devices and their integration and management of multiple DMCs. We found that Codema is both general and fundamental: these DMCs are generally not designed to coordinate with each other for security policies and control. The Codema problems enable the adversary to practically gain unauthorized access to sensitive devices (e.g., locks, garage doors, etc.). We reported our findings to affected parties (e.g., Apple, August, Philips Hue, ismartgate, Abode), which all acknowledged their importance. To mitigate this new threat, we designed and implemented CGuard, a new access control framework that device manufacturers can easily integrate into their IoT devices to protect end users. Our evaluation shows that CGuard is highly usable and acceptable to users, easy to adopt by manufacturers, and efficient and effective in security control.
KW - access control
KW - attack
KW - device management channel
KW - IoT
KW - smart home
UR - https://www.scopus.com/pages/publications/85119361124
UR - https://www.scopus.com/pages/publications/85119361124#tab=citedBy
U2 - 10.1145/3460120.3484592
DO - 10.1145/3460120.3484592
M3 - Conference contribution
AN - SCOPUS:85119361124
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1289
EP - 1305
BT - CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 27th ACM Annual Conference on Computer and Communication Security, CCS 2021
Y2 - 15 November 2021 through 19 November 2021
ER -