A team of cybersecurity researchers from Indiana University in Bloomington (USA) and Nankai University in Tianjin (China) has discovered security gaps in IoT devices access control.

Access control to IoT products is often managed through clouds operated by device vendors (Philips Hue, LIFX, and Tuya) or cloud providers (Google and Amazon). The clouds control user access to specific devices by granting permission to unlock smart locks.

Researchers were interested in the capability to delegate IoT products access between multiple clouds and users. Some vendors let Google Home control devices access under their clouds. Problems emerge when one cloud unknowingly violates the security operations of another cloud. In such cases, devices may not fully revoke access in response to a user request. The problem lies in vendor's protocols. Each vendor independently develops its own delegation protocol with implicit security assumptions, but the protocols from different vendors have to work together.

"When these protocols work together, their security assumptions may conflict with each other, and one vendor may not fully understand the implications or the assumptions of another vendor's operation in terms of security," the experts explained.

One of the problems allows to continue accessing a device after temporary permissions were removed. For example, owner provides a guest with temporary access to a home's smart lock, but the guest will still be able to unlock it even after leaving.

Experts have found five dangerous problems, the exploitation of which allows unauthorized access to IoT devices.

Researchers believe that cross-vendor delegation is helpful to users, however, the protocols behind it must be designed with more caution. Researchers reported all found issues to vendors.

Source: securitylab.ru