Uncovering Access Token Security Flaws in Multiuser Scenario of Smart Home Platforms

Access tokens have been thoroughly researched in website and mobile application security. However, we believe that the traditional application of access tokens must fulfill new security requirements in smart home environments due to the distinct features of multiuser sharing usage. Smart home platforms allow different types of users to share access to a single IoT device through mobile apps, with varying levels of permissions that are closely tied to access tokens. One security concern is that existing security standards or literature, as well as the development and implementation by vendors, may overlook these features, thereby introducing potential security risks to the application of access tokens. In this work, we propose a novel testing framework and conduct a systematic study to test the extent to which real-world smart home platform implementations neglect these new requirements. The testing results show that seven out of the 11 real-world smart home platforms are plagued by access token management flaws, which collectively violate four security properties. We have found that these security flaws can be exploited to enable unrestricted file upload, DoS attack, remote command execution, and illegal surveillance in real-world scenarios. Finally, we conducted responsible disclosure of these flaws and attacks and obtained seven China national vulnerability database vulnerability IDs and one CVE vulnerability ID. Additionally, we also provide suggestions for mitigating the vulnerabilities.