Discovering and Understanding the Security Flaws of Authentication and Authorization in IoT Cloud APIs for Smart Home

The IoT cloud is a vital component of smart homes, responsible for entities’ authentication and authorization (A&A). Additionally, the IoT cloud provides many APIs to address complex functional requirements. This paper reports a systematic analysis of A&A security issues in IoT cloud APIs for smart home. To investigate the problem, we first analyze authenticated entities (i.e., devices, users, and families) and identify two categories of flaws based on the existing policies. Next, we introduce a semi-automated tool calledIoTAuthCheckto discover security flaws in A&A of IoT cloud APIs.IoTAuthCheckautomatically identifies and replaces credentials in the request, and checks security flaws of the target API by comparing responses before and after the replacement. We conducted experiments usingIoTAuthCheckon seven popular smart home vendors and found 26 APIs with vulnerabilities that can be classified into six specific types of security flaws. Based on proof-of-concept attacks, we demonstrate that these flaws can cause severe security risks, including sensitive information leakage, malicious data injection, and even unauthorized device control.