{"title":"All Your IoT Devices Are Belong to Us: Security Weaknesses in IoT Management Platforms","authors":"B. Tejaswi, Mohammad Mannan, A. Youssef","doi":"10.1145/3577923.3583636","DOIUrl":null,"url":null,"abstract":"IoT devices have become an integral part of our day to day activities, and are also being deployed to fulfil a number of industrial, enterprise and agricultural use cases. To efficiently manage and operate these devices, the IoT ecosystem relies on several IoT management platforms. Given the security-sensitive nature of the operations performed by these platforms, analyzing them for security vulnerabilities is critical to protect the ecosystem from potential cyber threats. In this work, by exploring the core functionalities offered by leading platforms, we first design a security evaluation framework. Subsequently, we use our framework to analyze 42 IoT management platforms. Our analysis uncovers a number of high severity unauthorized access vulnerabilities in 9/42 platforms, which could lead to attacks such as remote SIM deactivation, IoT SIM overcharging and device data forgery. Furthermore, we find broken authentication in 11/42 platforms, including complete account takeover on 7/42 platforms, along with remote code execution on one of the platforms. 
Overall, on 11/42 platforms, we find vulnerabilities that could lead to platform-wide attacks, that affect all users and all devices connected to those platforms.","PeriodicalId":387479,"journal":{"name":"Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy","volume":"54 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3577923.3583636","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 1
Abstract
IoT devices have become an integral part of our day to day activities, and are also being deployed to fulfil a number of industrial, enterprise and agricultural use cases. To efficiently manage and operate these devices, the IoT ecosystem relies on several IoT management platforms. Given the security-sensitive nature of the operations performed by these platforms, analyzing them for security vulnerabilities is critical to protect the ecosystem from potential cyber threats. In this work, by exploring the core functionalities offered by leading platforms, we first design a security evaluation framework. Subsequently, we use our framework to analyze 42 IoT management platforms. Our analysis uncovers a number of high severity unauthorized access vulnerabilities in 9/42 platforms, which could lead to attacks such as remote SIM deactivation, IoT SIM overcharging and device data forgery. Furthermore, we find broken authentication in 11/42 platforms, including complete account takeover on 7/42 platforms, along with remote code execution on one of the platforms. Overall, on 11/42 platforms, we find vulnerabilities that could lead to platform-wide attacks, that affect all users and all devices connected to those platforms.