Authorisation inconsistency in IoT third‐party integration
Abstract Today's IoT platforms provide rich functionalities by integrating with popular third‐party services. Due to the complexity, it is critical to understand whether the IoT platforms have properly managed the authorisation in the cross‐cloud IoT environments. In this study, the authors rep...
| Main Authors: | Jiongyi Chen, Fenghao Xu, Shuaike Dong, Wei Sun, Kehuan Zhang |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | Wiley 2022-03-01 |
| Series: | IET Information Security |
| Subjects: | authorisation; computer network security; internet of things |
| Online Access: | https://doi.org/10.1049/ise2.12043 |
| _version_ | 1850211767099064320 |
|---|---|
| author | Jiongyi Chen; Fenghao Xu; Shuaike Dong; Wei Sun; Kehuan Zhang |
| collection | DOAJ |
| description | Abstract Today's IoT platforms provide rich functionalities by integrating with popular third‐party services. Due to the complexity, it is critical to understand whether the IoT platforms have properly managed the authorisation in the cross‐cloud IoT environments. In this study, the authors report the first systematic study on authorisation management of IoT third‐party integration by: (1) presenting two attacks that leak control permissions of the IoT device in the integration of third‐party services; (2) conducting a measurement study over 19 real‐world IoT platforms and three major third‐party services. Results show that eight of the platforms are vulnerable to the threat. To educate IoT developers, the authors provide in‐depth discussion about existing design principles and propose secure design principles for IoT cross‐cloud control frameworks. |
| format | Article |
| id | doaj-art-8fd06dec1ab547b096ec4dbffe1fc40f |
| institution | OA Journals |
| issn | 1751-8709 1751-8717 |
| language | English |
| publishDate | 2022-03-01 |
| publisher | Wiley |
| record_format | Article |
| series | IET Information Security |
| spelling | doaj-art-8fd06dec1ab547b096ec4dbffe1fc40f; 2025-08-20T02:09:29Z; eng; Wiley; IET Information Security; 1751-8709; 1751-8717; 2022-03-01; 16; 2; 133; 143; 10.1049/ise2.12043; Authorisation inconsistency in IoT third‐party integration; Jiongyi Chen (0), Fenghao Xu (1), Shuaike Dong (2), Wei Sun (3), Kehuan Zhang (4); (0) School of Electronic Science and Engineering, National University of Defense Technology, Changsha, China; (1) Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong, China; (2) TianQian Security Lab, Ant Group, Hangzhou, China; (3) Department of Electric Engineering, Columbia University, New York, USA; (4) School of Electronic Science and Engineering, National University of Defense Technology, Changsha, China; https://doi.org/10.1049/ise2.12043; authorisation; computer network security; internet of things |
| title | Authorisation inconsistency in IoT third‐party integration |
| topic | authorisation; computer network security; internet of things |
| url | https://doi.org/10.1049/ise2.12043 |