Title: iTieProbe: How Vulnerable Your IoT Provisioning via Wi-Fi AP Mode or EZ Mode?
Authors: Anand Agrawal; Rajib Ranjan Maiti
DOI: 10.1109/TIFS.2024.3471080
Journal: IEEE Transactions on Information Forensics and Security, vol. 19, pp. 10058-10070
Publication date: 2024-09-30
Publication type: Journal Article
Journal impact factor: 6.3; JCR Q1 (COMPUTER SCIENCE, THEORY & METHODS); Region 1, Computer Science
Open access: no
URL: https://ieeexplore.ieee.org/document/10700797/
Citation count: 0
Abstract
IoT provisioning is a critical phase in IoT communication, where a number of security parameters are exchanged that are used both in this phase and later. Due to the headless nature of IoT devices, the exchange of these parameters faces the challenge of balancing security and convenience. Some proprietary (e.g., "SmartConfig" by Texas Instruments) and open de-facto standards (e.g., AP mode and EZ mode by Tuya Inc.) have been proposed to address this challenge, leaving scope for certain vendor-specific settings. The analysis of vulnerabilities and threats is thereby a challenging task due to the lack of a common model of IoT provisioning in commercial IoT devices over Wi-Fi AP mode and EZ mode. In this paper, we propose a model using a sequence diagram for such provisioning and fuse seven research questions (RQs) to discover vendor-agnostic vulnerabilities. We develop a system, called iTieProbe, to resolve the RQs. We discover six non-trivial potential vulnerabilities, identified as $\mathcal{V}1$ to $\mathcal{V}6$. We evaluate the efficacy of testing these six vulnerabilities using iTieProbe by applying it to nine commercial IoT devices that span seven types: a smart plug, IoT doorbell, spy bulb, smart speaker, spy clock, smart camera, and air quality monitor. We show that using iTieProbe, among others, an attacker can find $\mathcal{V}1$ (which leads to access to a neighbor's Wi-Fi AP) in five devices, $\mathcal{V}3$ and $\mathcal{V}4$ in three devices, and $\mathcal{V}5$ and $\mathcal{V}6$ (both of which lead to successful provisioning using either an expired authentication token or a valid token belonging to an attacker) in three devices. We have reported all these vulnerabilities to the respective vendors via email and received acknowledgment from some of them, with three registered vulnerabilities (CVE-2024-7408, CVE-2024-46040, CVE-2024-46041). The average runtime of iTieProbe to test a vulnerability of any individual IoT provisioning is about 48.95 seconds, which is much less than the provisioning itself (typically in the range of a few minutes). We believe that our findings can help the vendors or the developers of these IoT devices to fix the security vulnerabilities in their implementations of the provisioning.
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.