Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices

Bibliographic Details
Main Authors: Enze Wang, Wei Xie, Shuhuan Li, Runhao Liu, Yuan Zhou, Zhenhua Wang, Shuoyoucheng Ma, Wantong Yang, Baosheng Wang
Format: Article
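Language: English
Published: MDPI AG 2025-05-01
Series: Sensors
Subjects: protected web interfaces; broken access control; large language model; mutation-based fuzzing; internet of things
Online Access: https://www.mdpi.com/1424-8220/25/9/2913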
collection DOAJ
description Broken access control vulnerabilities pose significant security risks to the protected web interfaces of IoT devices, enabling adversaries to gain unauthorized access to sensitive configurations and even use them as stepping stones for attacking the intranet. Despite its ranking as the first in the latest OWASP Top 10, there remains a lack of effective methodologies to detect these vulnerabilities systematically. We present ACBreaker, a novel methodology powered by a large language model (LLM), to effectively identify broken access control vulnerabilities in the protected web interfaces of IoT devices. Our methodology consists of three stages. The initial stage transforms firmware code that exceeds the LLM context window into semantically intact code snippets. The second stage involves using an LLM to extract device-specific information from firmware code. The final stage integrates this information into the mutation-based fuzzer to improve fuzzing effectiveness and employ differential analysis to identify vulnerabilities. We evaluated ACBreaker across 11 IoT devices, analyzing 1,274,646 lines of code and discovering 39 previously unknown vulnerabilities. We further analyzed these vulnerabilities, categorizing them into three types that contribute to protected interface evasion, and provided mitigation suggestions. These vulnerabilities were responsibly disclosed to vendors, with CVE IDs assigned to those in six IoT devices.
format Article
id doaj-art-c64e9f620a0c47109adebde8b152986c
institution Kabale University
issn 1424-8220
language English
publishDate 2025-05-01
publisher MDPI AG
record_format Article
series Sensors
spelling doaj-art-c64e9f620a0c47109adebde8b152986c; 2025-08-20T03:53:01Z; eng; MDPI AG; Sensors; 1424-8220; 2025-05-01; 25; 9; 2913; 10.3390/s25092913
Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices
Enze Wang; Wei Xie; Shuhuan Li; Runhao Liu; Yuan Zhou; Zhenhua Wang; Shuoyoucheng Ma; Wantong Yang; Baosheng Wang
Affiliation (listed for each of the nine authors): College of Computer Science and Technology, National University of Defense Technology, No. 137 Yanwachi Street, Changsha 410073, China
https://www.mdpi.com/1424-8220/25/9/2913
protected web interfaces; broken access control; large language model; mutation-based fuzzing; internet of things
title Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices
topic protected web interfaces
broken access control
large language model
mutation-based fuzzing
internet of things
url https://www.mdpi.com/1424-8220/25/9/2913