Security Holes in the Integration and Management of Messaging Protocols on Commercial IoT Clouds

Luyi Xing, Yan Jia, Yuqing Zhang at Black Hat Europe 2019

In this presentation, we report the first systematic study on the protection that leading commercial IoT clouds (e.g., AWS IoT Core, IBM Watson IoT, Azure IoT, Google Cloud IoT, Alibaba IoT, Tuya Smart) put in place for integrating MQTT into device-user communication. We found that in the absence of rigorous security analysis, these platforms' security additions to the protocol (e.g., authentication, authorization, session management) are all vulnerable, allowing the adversary to gain control of the device, launch a large-scale denial-of-service attack, steal the victim's secret data, and fake the victim's device status for deception.

Full Abstract & Presentation Materials: https://www.blackhat.com/eu-19/briefings/schedule/#sneak-into-your-room-security-holes-in-the-integration-and-management-of-messaging-protocols-on-commercial-iot-clouds-17247