POSTER: iTieProbe: Is IoT Device Provisioning secure against MAC Layer authentication-token based replay attacks?

Cited by: 1
Authors
Agrawal, Anand [1]
Maiti, Rajib Ranjan [1]
Affiliations
[1] Birla Inst Technol & Sci Pilani, Dept CSIS, Hyderabad Campus, Hyderabad, Telangana, India
Keywords
Wi-Fi; IoT Device Provisioning; Replay Attacks
DOI
10.1145/3634737.3659436
Chinese Library Classification
TP [Automation Technology, Computer Technology]
Discipline classification code
0812
Abstract
IoT device provisioning is the process of setting up headless IoT devices with their companion mobile apps. IoT vendors and manufacturers can choose among different provisioning methods, one of them being the Access Point (AP) pairing mode over Wi-Fi, and hence they can inherit existing Wi-Fi threats and add new ones. AP pairing mode provisioning shares critical information about the Wi-Fi router or sends an authentication token associated with the user's cloud account, which may lead to vulnerabilities. In this paper, we have designed and developed a vulnerability testing tool called "iTieProbe". iTieProbe captures the Wi-Fi traffic to check the provisioning of commercial IoT devices and has the capability to extract critical security parameters. Further, iTieProbe selectively crafts the captured Wi-Fi packets and replays them to test three different vulnerabilities (V1-V3): i) in V1, iTieProbe replays the Wi-Fi packets outside the lifetime of the authentication token without any manipulation; ii) in V2, iTieProbe replays the Wi-Fi packets within the lifetime of the authentication token without any manipulation; iii) in V3, iTieProbe meticulously crafts the selected UDP packets and then replays them within the lifetime of the authentication token. The effect of these vulnerabilities ranges from a simple denial of service, in which a legitimate user is not able to provision the IoT device, to a more severe one, where an adversary can set up the IoT devices. We have evaluated the efficacy of iTieProbe against two commercial IoT devices, IoT Haat Smart Plug and Wipro Smart Plug, that use Tuya-based implementations for their provisioning. We believe this work will help vendors improve their provisioning methods.
Pages: 1958-1960
Number of pages: 3