Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices

Authors: Blake Janes, Heather Crawford and T. J. OConnor
Venue: 2020 IEEE Security and Privacy Workshops (SPW)
Internet-of-Things (IoT) devices implement weak authentication and access control schemes. The on-demand nature of IoT devices requires a responsive communications channel, which is often at odds with thorough authentication and access control. This paper seeks to better understand IoT device security by examining the design of authentication and access control schemes. In this work, we explore the challenge of propagating credential revocation and access control list modifications in a shared… 

Through the Spyglass: Towards IoT Companion App Man-in-the-Middle Attacks
This paper seeks to better understand IoT security and privacy by studying the design flaws of this distributed communications channel for smart home devices, and assesses the vulnerability of 20 popular smart home vendors to this attack.
MPInspector: A Systematic and Automatic Approach for Evaluating the Security of IoT Messaging Protocols
This work presents MPInspector, the first automatic and systematic solution for vetting the security of MP implementations, and demonstrates that it is lightweight, effective with a precision of 100% in identifying property violations.
Towards Labeling On-Demand IoT Traffic
The results indicate that vendor APIs, trigger-action frameworks, and companion notifications can be used to generate scientifically valuable labeled datasets of IoT traffic, and an open-source dataset consisting of 16,686 labeled events over 468,933 network flows is published.
‘I feel like we’re really behind the game’: perspectives of the United Kingdom’s intimate partner violence support sector on the rise of technology-facilitated abuse
The present analysis summarises insights derived from semi-structured interviews with 34 UK voluntary and statutory sector representatives that were conducted over the course of two years, identifying four overarching themes that point out support services’ practices, concerns and challenges in relation to tech abuse and specifically the Internet of Things.
Are Smart Home Devices Abandoning IPV Victims?
A. Alshehri, M. B. Salem, Lei Ding. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020.
It is shown that domestic abuse and Intimate Partner Violence in smart homes is more effective and less risky for abusers, and that victims find it more harmful and more challenging to protect themselves from.
Blinded and confused: uncovering systemic flaws in device telemetry for smart-home internet of things
This paper seeks to better understand smart home device security by studying the vendor design decisions surrounding IoT telemetry messaging protocols, specifically, the behaviors taken when an IoT device loses connectivity, and finds that 22 of 24 studied devices suffer from critical design flaws.
IoT security vulnerability: A case study of a Web camera
The threats when there is a compromise of an IoT device's security and a case study of an IP camera are discussed and essential security practices for mitigating device exploitation are provided.
A Study of Vulnerability Analysis of Popular Smart Devices Through Their Companion Apps
A security analysis of 96 top-selling WiFi IoT devices found security problems to be widespread: 50% of the apps, corresponding to 38% of the devices, did not use proper encryption techniques; some even used well-known weak ciphers such as the Caesar cipher.
“A Stalker's Paradise”: How Intimate Partner Abusers Exploit Technology
It is shown how the sociotechnical and relational factors that characterize IPV make such attacks both extremely damaging to victims and challenging to counteract, in part because they undermine the predominant threat models under which systems have been designed.
"I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab
To understand the genesis of common password patterns and uncover average users' misconceptions about password strength, a qualitative interview study is conducted that identifies aspects of password creation ripe for improved guidance or automated intervention.
Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites
It is suggested that users manage the challenge of having many passwords by choosing a complex password on a website where they have to enter it frequently in order to memorize that password, and then re-using that strong password across other websites.
Statistics on Password Re-use and Adaptive Strength for Financial Accounts
A dataset is extracted from a large dump of malware records which contains multiple accounts (and passwords) per user and thus allows us to study both password re-use and the correlation between the value of an account and the strength of the passwords for those accounts.
Stories from Survivors: Privacy & Security Practices when Coping with Intimate Partner Abuse
Overall, the results suggest that the usability of and control over privacy and security functions should be or continue to be high priorities for technology creators seeking ways to better support survivors of IPA.
The Spyware Used in Intimate Partner Violence
This work designs, implements, and evaluates a measurement pipeline that combines web and app store crawling with machine learning to find and label apps that are potentially dangerous in IPS contexts, and identifies several hundred IPS-relevant apps.