Login | Register

Security Weaknesses in IoT Management Platforms


Security Weaknesses in IoT Management Platforms

Tejaswi, Bhaskar (2023) Security Weaknesses in IoT Management Platforms. Masters thesis, Concordia University.

[thumbnail of Tejaswi_MASc_S2023.pdf]
Text (application/pdf)
Tejaswi_MASc_S2023.pdf - Accepted Version
Available under License Spectrum Terms of Access.


A diverse set of Internet of Things (IoT) devices are becoming an integrated part of daily lives, and playing an increasingly vital role in various industry, enterprise and agricultural settings. The current IoT ecosystem relies on several IoT management platforms to manage and operate a large number of IoT devices, their data, and their connectivity. Considering their key role, these platforms must be properly secured against cyber attacks. In this work, we first explore the core operations/features of leading platforms to design a framework to perform a systematic security evaluation of these platforms. Subsequently, we use our framework to analyze a representative set of 52 IoT management platforms, including 42 web-hosted and 10 locally-deployable platforms. We discover a number of high-severity unauthorized access vulnerabilities in 9/52 evaluated IoT management platforms, which could be abused to perform attacks such as remote IoT SIM deactivation, IoT SIM overcharging, and IoT device data forgery. More seriously, we also uncover instances of broken authentication in 13/52 platforms, including complete account takeover on 8/52 platforms along with remote code execution on 2/52 platforms. In effect, 17/52 platforms were affected by vulnerabilities that could lead to platform-wide attacks. 28 platforms responded to our responsible disclosure. We were also assigned 11 CVEs and awarded bounty for our findings.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Thesis (Masters)
Authors:Tejaswi, Bhaskar
Institution:Concordia University
Degree Name:M.A. Sc.
Program:Information Systems Security
Date:January 2023
Thesis Supervisor(s):Mannan, Mohammad and Youssef, Amr
ID Code:991767
Deposited By: Bhaskar Tejaswi
Deposited On:21 Jun 2023 14:40
Last Modified:31 Aug 2023 00:00
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Research related to the current document (at the CORE website)
- Research related to the current document (at the CORE website)
Back to top Back to top