Leakage of Authorization-Data in IoT Device Sharing: New Attacks and Countermeasure

Abstract

Device sharing among users is a common functionality in today's IoT clouds. Supporting device sharing are the delegation methods proposed by different IoT clouds, which we find are heterogeneous and ad-hoc-IoT clouds use various data (e.g., device ID, product ID, and access token) as authorization certificates. In this paper, we report the first systematic study on how the authorization-data are managed in IoT device sharing. Our study brought to light the security risks in today's IoT authorization-data management, identifying 6 authorization-data leakage flaws. To mitigate such flaws, we propose an approach to hide the authorization-data from the delegatee (a.k.a., the user authorized to access the devices) without disrupting the device sharing services. We propose SecHARE, an automated tool to patch the vulnerable IoT clouds. We applied SecHARE to 3 popular open-source IoT clouds. Results have shown the compatibility, effectiveness, and efficiency of SecHARE. We have made SecHARE publicly available.