IoT-APIScanner: Detecting API Unauthorized Access Vulnerabilities of IoT Platform

The Internet of Things enables interaction between IoT devices and users through the cloud. The cloud provides services such as account monitoring, device management, and device control. As the center of the IoT platform, the cloud provides services to IoT devices and IoT applications through APIs, so permission verification of these APIs is essential. However, we found that some APIs are unverified, which allows unauthorized users to access cloud resources or control devices and threatens the security of both the devices and the cloud. To check for unauthorized access to the API, we developed IoT-APIScanner, a framework that checks the permission verification of cloud APIs. Through observation, we found that there is a large amount of interactive information between the IoT application and the cloud, including the APIs and their parameters; we can extract this information by analyzing the code of the IoT application and use it to mutate API test cases. Through these test cases, we can effectively check the permissions of the API. In our research, we extracted a total of 5 platform APIs. Among them, the proportion of APIs without permission verification reached 13.3%. Our research shows that attackers could use APIs without permission verification to obtain user privacy or control of devices.
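The check the abstract describes, as an added example that is not the paper's IoT-APIScanner code: an extracted API call is replayed as the legitimate device owner, then the token is mutated (removed, or replaced by another registered user's) and any API that still answers 200 is flagged as lacking permission verification. The mock cloud with its two device APIs, the device ids, users and tokens are all constructed so the scan runs offline.

```python
# Added example (not the paper's code): a minimal permission-verification scan in
# the spirit of IoT-APIScanner. Mock cloud, device ids, users and tokens are constructed.
OWNERS = {"dev-A": "alice", "dev-B": "bob"}          # constructed device ownership
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}    # constructed session tokens

def device_status_checked(token, device_id):
    """Correct API: authenticates the caller and verifies device ownership."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    if OWNERS.get(device_id) != user:
        return 403, None
    return 200, {"device": device_id, "power": "on"}

def device_status_unchecked(token, device_id):
    """Flawed API: authenticates the caller but never checks who owns the device."""
    if TOKENS.get(token) is None:
        return 401, None
    return 200, {"device": device_id, "power": "on"}

def mutations(base):
    """Mutate an extracted test case (token + params) into unauthorized variants.
    The base case is the legitimate owner's request and must itself return 200."""
    yield "no_token", dict(base, token=None)              # expected: 401
    yield "other_user_token", dict(base, token="tok-bob")  # expected: 403 (bob does not own dev-A)

def scan(apis, base):
    """Return, per API, the mutations that were served with 200 instead of rejected."""
    findings = {}
    for name, handler in apis.items():
        status, _ = handler(**base)
        if status != 200:
            raise RuntimeError(f"{name}: baseline request failed ({status})")
        findings[name] = [m for m, case in mutations(base) if handler(**case)[0] == 200]
    return findings

def run_scan():
    apis = {"device_status_checked": device_status_checked,
            "device_status_unchecked": device_status_unchecked}
    # Base case as it would be extracted from the app: alice queries her own device.
    return scan(apis, {"token": "tok-alice", "device_id": "dev-A"})

if __name__ == "__main__":
    for api, missing in run_scan().items():
        print(api, "->", "OK" if not missing else f"no permission check for {missing}")
```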
