Authorisation inconsistency in IoT third‐party integration
Abstract Today's IoT platforms provide rich functionalities by integrating with popular third‐party services. Due to the complexity, it is critical to understand whether the IoT platforms have properly managed the authorisation in the cross‐cloud IoT environments. In this study, the authors rep...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Wiley
2022-03-01
|
| Series: | IET Information Security |
| Subjects: | |
| Online Access: | https://doi.org/10.1049/ise2.12043 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | Abstract Today's IoT platforms provide rich functionalities by integrating with popular third‐party services. Due to the complexity, it is critical to understand whether the IoT platforms have properly managed the authorisation in the cross‐cloud IoT environments. In this study, the authors report the first systematic study on authorisation management of IoT third‐party integration by: (1) presenting two attacks that leak control permissions of the IoT device in the integration of third‐party services; (2) conducting a measurement study over 19 real‐world IoT platforms and three major third‐party services. Results show that eight of the platforms are vulnerable to the threat. To educate IoT developers, the authors provide in‐depth discussion about existing design principles and propose secure design principles for IoT cross‐cloud control frameworks. |
|---|---|
| ISSN: | 1751-8709 1751-8717 |