Sneak into Your Room: Security Holes in the Integration and Management of Messaging Protocols on Commercial IoT Clouds

Conference: BlackHat EU 2019

With the increasing popularity of the Internet of Things (IoT), many IoT clouds have emerged to help device manufacturers connect their devices to customers and offload communication management to cloud providers. At the center of such IoT cloud services is the mechanism that mediates the communication (e.g., control commands and messages) between IoT devices and users. Such communication is built on existing general-purpose messaging protocols, in particular MQTT, arguably the most popular one and widely used by mainstream IoT cloud providers such as AWS, Microsoft, IBM, Google, Alibaba, etc. Less clear, however, is whether such protocols, which were not designed to work in the adversarial environment of IoT, introduce new security risks. In this presentation, we report the first systematic study of the protection that leading commercial IoT clouds (e.g., AWS IoT Core, IBM Watson IoT, Azure IoT, Google Cloud IoT, Alibaba IoT, Tuya Smart) put in place when integrating MQTT into device-user communication. We found that, in the absence of rigorous security analysis, these platforms' security additions to the protocol (e.g., authentication, authorization, session management) are all vulnerable, allowing an adversary to gain control of the device, launch a large-scale denial-of-service attack, steal the victim's secret data and fake the victim's device status for deception. We successfully performed proof-of-concept (PoC), end-to-end attacks on eight leading IoT clouds using real commercial IoT devices. We further conducted a measurement study, which demonstrates that the security impacts of our attacks are real, severe and broad. We reported our findings to all affected cloud providers and device manufacturers, all of which acknowledged the problems (evidenced by Microsoft's Security Researcher Acknowledgments, CVE-2018-12546, and vendor responses on our supporting site). We also reported our findings to the MQTT Technical Committee (OASIS Open Issues MQTT-536), and possible mitigations are now under open discussion. In conclusion, our research reveals that, in the absence of standard guidance and security practices for integrating and managing a general messaging protocol on IoT clouds, secure user-device interactions cannot be guaranteed in practice, due to the underestimated security gap between the protocol and real-world IoT environments.
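The abstract names three places where the clouds' additions to MQTT broke down: authentication, authorization and session management. As an added example (not the paper's code and not any provider's implementation), the following Python sketch shows the shape of the checks a broker-side policy layer has to make at each of those points: the MQTT client id must be bound to the identity the credentials proved, a subscription may only reach the device's own topics even when MQTT wildcards are used, and a persistent session may not be resumed by a different identity after the client id is rebound. The topic layout `devices/<id>/{telemetry,status,commands}` and the binding table are constructed assumptions for the example.

```python
"""Added illustration of broker-side policy checks for an MQTT-based IoT cloud.
The topic layout devices/<id>/{telemetry,status,commands} and the client-id
binding table are constructed assumptions, not taken from any real platform."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Principal:
    client_id: str   # MQTT client identifier presented in the CONNECT packet
    device_id: str   # identity proven by the credentials (cert, token, ...) in CONNECT


class PolicyBroker:
    """Minimal model of the cloud layer that sits between MQTT and the devices."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}        # client_id -> registered device_id
        self.sessions: Dict[str, dict] = {}       # client_id -> persistent session state

    def bind(self, client_id: str, device_id: str) -> None:
        """Register (or re-register) which device identity may use a client id."""
        self.bindings[client_id] = device_id

    # --- authentication: tie the protocol-level client id to the proven identity ---
    def authenticated(self, p: Principal) -> bool:
        # If any valid credential could present any client id, one device could
        # impersonate another at the MQTT layer; require the registered binding.
        return self.bindings.get(p.client_id) == p.device_id

    # --- session management: persistent sessions follow the identity, not the id ---
    def connect(self, p: Principal, clean_session: bool = False) -> Optional[Set[str]]:
        """Return the subscriptions restored for this connection, or None if rejected."""
        if not self.authenticated(p):
            return None
        stored = self.sessions.get(p.client_id)
        # A stored session may only be resumed by the identity that created it.
        # After a client id is rebound to another device, the old session state
        # (its subscriptions included) must be discarded, not inherited.
        if clean_session or stored is None or stored["device_id"] != p.device_id:
            stored = {"device_id": p.device_id, "subs": set()}
            self.sessions[p.client_id] = stored
        return set(stored["subs"])

    # --- authorization: publish/subscribe confined to the device's own namespace ---
    def may_publish(self, p: Principal, topic: str) -> bool:
        if not self.authenticated(p):
            return False
        if "+" in topic or "#" in topic:          # wildcards are invalid in publish topics
            return False
        own = f"devices/{p.device_id}/"
        return topic in {own + "telemetry", own + "status"}

    def may_subscribe(self, p: Principal, topic_filter: str) -> bool:
        """Every topic the filter can match must lie inside the device's own command
        subtree, so the first three levels must be literal. A '+' or '#' at any of
        those levels (e.g. devices/+/status) would match other devices' topics."""
        if not self.authenticated(p):
            return False
        levels = topic_filter.split("/")
        return levels[:3] == ["devices", p.device_id, "commands"]

    def subscribe(self, p: Principal, topic_filter: str) -> bool:
        if p.client_id not in self.sessions or not self.may_subscribe(p, topic_filter):
            return False
        self.sessions[p.client_id]["subs"].add(topic_filter)
        return True


def demo() -> dict:
    """Walk through the three checks with constructed principals; returns the decisions."""
    b = PolicyBroker()
    b.bind("client-A", "dev-001")
    dev1 = Principal("client-A", "dev-001")
    assert b.connect(dev1) == set()
    out = {
        "own_cmds": b.subscribe(dev1, "devices/dev-001/commands"),        # True
        "wildcard_all": b.subscribe(dev1, "devices/+/commands"),           # False
        "other_device": b.subscribe(dev1, "devices/dev-002/commands"),     # False
        "own_telemetry": b.may_publish(dev1, "devices/dev-001/telemetry"), # True
        "spoof_status": b.may_publish(dev1, "devices/dev-002/status"),     # False
        "unbound_id": b.connect(Principal("client-A", "dev-002")),        # None
    }
    b.bind("client-A", "dev-002")                      # client id reassigned to a new device
    out["rebound_resume"] = b.connect(Principal("client-A", "dev-002"))   # set(): old subs dropped
    out["old_owner"] = b.connect(dev1)                                    # None: binding gone
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `connect` rule is the one most easily overlooked: MQTT itself lets a CONNECT with an existing client id resume or take over the stored session, so the binding check in `authenticated` and the identity comparison in `connect` together are what keep a rebound client id from inheriting a previous owner's subscriptions.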