IoT-APIScanner: Detecting API Unauthorized Access Vulnerabilities of IoT Platform

Title: IoT-APIScanner: Detecting API Unauthorized Access Vulnerabilities of IoT Platform
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Li, Y., Yang, Y., Yu, X., Yang, T., Dong, L., Wang, W.
Conference Name: 2020 29th International Conference on Computer Communications and Networks (ICCCN)
Date Published: Aug. 2020
ISBN Number: 978-1-7281-6607-0
Keywords: API, API test cases, API unauthorized access vulnerability detection, APIs, application program interfaces, application programming interface, authorisation, cloud API, cloud computing, cloud services, compositionality, data privacy, formal verification, Internet of Things, IoT devices, IoT security, IoT-APIScanner, permission verification, program testing, pubcrawl, resilience, Resiliency, security, Smart homes, Task Analysis, Timing, Tools, unauthorized access, user privacy, Web API

Abstract: The Internet of Things enables interaction between IoT devices and users through the cloud. The cloud provides services such as account monitoring, device management, and device control. As the center of the IoT platform, the cloud provides services to IoT devices and IoT applications through APIs. Therefore, the permission verification of the API is essential. However, we found that some APIs are unverified, which allows unauthorized users to access cloud resources or control devices; this threatens the security of both devices and the cloud. To check for unauthorized access to the API, we developed IoT-APIScanner, a framework to check the permission verification of the cloud API. Through observation, we found that there is a large amount of interactive information between the IoT application and the cloud, which includes the APIs and related parameters, so we can extract them by analyzing the code of the IoT application and use them for mutating API test cases. Through these test cases, we can effectively check the permissions of the API. In our research, we extracted a total of 5 platform APIs. Among them, the proportion of APIs without permission verification reached 13.3%. Our research shows that attackers could use the API without permission verification to obtain user privacy or control of devices.
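The abstract describes the core idea at a high level: take API calls (endpoint plus parameters) extracted from a legitimate client, mutate the credential part of each call, and flag any endpoint that still answers successfully. The following Python block is an added illustration of that check written for this page; it is not IoT-APIScanner's code. It assumes a constructed in-memory stand-in for an IoT cloud with two hypothetical endpoints, one that verifies the caller's permission and one that does not, and two constructed user tokens. A real scan would issue HTTP requests against a platform you are authorised to test; the mutation and decision logic is the same.

```python
"""Toy permission-verification check, constructed for illustration.

Two constructed endpoints stand in for an IoT cloud API: one verifies that
the caller owns the device, the other never looks at the caller at all.
The scanner replays calls extracted from a legitimate client with the
credential mutated and reports endpoints that still succeed.
"""
from dataclasses import dataclass

# Constructed data: each device belongs to exactly one user.
DEVICES = {"dev-1": {"owner": "alice", "state": "off"},
           "dev-2": {"owner": "bob", "state": "off"}}
# Constructed bearer tokens mapping to user names.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def get_device_status(token, device_id):
    """Hypothetical verified API: rejects missing and foreign tokens."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    dev = DEVICES.get(device_id)
    if dev is None or dev["owner"] != user:
        return 403, None
    return 200, {"state": dev["state"]}


def set_device_state(token, device_id, state):
    """Hypothetical unverified API: the token is accepted but never checked,
    which is the defect class the paper measures."""
    dev = DEVICES.get(device_id)
    if dev is None:
        return 404, None
    dev["state"] = state
    return 200, {"state": state}


# Routing table of the constructed cloud.
CLOUD = {"GET /device/status": get_device_status,
         "POST /device/state": set_device_state}


@dataclass
class TestCase:
    """One API call as it would be extracted from the client application."""
    api: str
    token: str
    params: dict


def mutate(case, other_token):
    """Credential mutations of one legitimate call: drop the token, and
    swap in a token belonging to a different user."""
    return [("no-token", TestCase(case.api, "", case.params)),
            ("other-user", TestCase(case.api, other_token, case.params))]


def run(case):
    """Dispatch a test case to the constructed cloud; returns (status, body)."""
    return CLOUD[case.api](case.token, **case.params)


def scan(cases, other_token):
    """Return (api, mutation) pairs where a mutated call still succeeds."""
    findings = []
    for case in cases:
        status, _ = run(case)
        if status != 200:
            continue  # the unmutated baseline must work, or the result is noise
        for name, mutated in mutate(case, other_token):
            mutated_status, _ = run(mutated)
            if mutated_status == 200:
                findings.append((case.api, name))
    return findings


# Constructed calls as alice's client would issue them.
EXTRACTED_CASES = [
    TestCase("GET /device/status", "tok-alice", {"device_id": "dev-1"}),
    TestCase("POST /device/state", "tok-alice", {"device_id": "dev-1", "state": "on"}),
]


def demo():
    """Run the scan with bob's token as the foreign credential."""
    return scan(EXTRACTED_CASES, other_token="tok-bob")


if __name__ == "__main__":
    for api, mutation in demo():
        print(f"missing permission verification: {api} (mutation: {mutation})")
```

Only the `POST /device/state` endpoint is reported, once per mutation, because the verified endpoint answers 401 without a token and 403 with another user's token. Keeping the baseline check in `scan` matters: an endpoint that fails for the legitimate call as well (expired session, bad parameters) must not be counted as verified just because the mutated call also fails.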

Citation Key: li_iot-apiscanner_2020