Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices

Internet-of-Things (IoT) devices implement weak authentication and access control schemes. The on-demand nature of IoT devices requires a responsive communications channel, which is often at odds with thorough authentication and access control. This paper seeks to better understand IoT device security by examining the design of authentication and access control schemes. In this work, we explore the challenge of propagating credential revocation and access control list modifications in a shared IoT ecosystem. We evaluate the vulnerability of 19 popular security cameras and doorbells against a straightforward attack by a user-interface-bound adversary. Our results demonstrate that 16 of 19 surveyed devices suffer from flaws that enable unauthorized access after credential modification or revocation. We conclude by discussing these findings and propose a means for balancing authentication and access control schemes while still offering responsive communications channels.
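The revocation-propagation flaw the abstract describes, modelled as a toy shared camera (an added, constructed example; not code from the paper or from any surveyed device). With `strict=False` a session token is trusted for its whole lifetime, so a guest removed from the access control list keeps viewing; with `strict=True` the revocation reaches live sessions and the ACL is re-checked on every request. User names, passwords and the `Camera` API are assumptions.

```python
import secrets

class Camera:
    # Toy shared device (constructed example). strict=False models the flaw:
    # a session token is trusted for its whole lifetime. strict=True propagates
    # ACL revocation to live sessions and re-checks the ACL on every request.
    def __init__(self, strict):
        self.strict = strict
        self.acl = {"owner": "admin"}           # user -> role
        self.passwords = {"owner": "pw-owner"}  # constructed sample credentials
        self.sessions = {}                      # token -> user

    def add_user(self, actor, user, password):
        if self.acl.get(actor) != "admin":
            raise PermissionError("only the admin may change the ACL")
        self.acl[user] = "viewer"
        self.passwords[user] = password

    def remove_user(self, actor, user):
        if self.acl.get(actor) != "admin":
            raise PermissionError("only the admin may change the ACL")
        self.acl.pop(user, None)
        self.passwords.pop(user, None)
        if self.strict:  # hardened: revocation must reach every live session
            self.sessions = {t: u for t, u in self.sessions.items() if u != user}

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def view_stream(self, token):
        user = self.sessions.get(token)
        if user is None:
            return False
        # Flawed path trusts the bearer token alone; hardened path re-checks
        # that the user is still on the ACL at request time.
        return True if not self.strict else user in self.acl

def revocation_scenario(strict):
    """Return (guest access before removal, guest access after removal)."""
    cam = Camera(strict)
    cam.add_user("owner", "guest", "pw-guest")
    guest = cam.login("guest", "pw-guest")
    before = cam.view_stream(guest)
    cam.remove_user("owner", "guest")
    return before, cam.view_stream(guest)
```

`revocation_scenario(False)` returns `(True, True)`, the post-revocation access the paper reports; `revocation_scenario(True)` returns `(True, False)`.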
