In recent years, IoT platforms and smart-home systems have grown rapidly. Meanwhile, mobile apps have been widely adopted as the user interface of consumer IoT, letting users retrieve processed data and issue specific commands. We notice that these companion apps are also used as gateways that provide Internet connectivity for resource-constrained devices, and their mobility advantage over static gateways further promotes applications of this kind. In this paper, we extract this pattern into a new architecture that we call app-in-the-middle IoT. We provide a holistic view of what app-in-the-middle IoT is and introduce its attack surface by comparing it with two well-studied IoT architectures, which we refer to as cloud-in-the-middle IoT and trigger-action platform IoT. We detail the similarities and differences between the three architectures, derive the security goals of app-in-the-middle IoT, and identify the key to analyzing it from the authentication, access control, and availability aspects. Our method builds an abstract model and extracts the concept of a token from the working process. To achieve the security goals, the token must have three properties: mutual authentication, unforgeability, and resistance to replay attacks. We argue that the role the app plays is critical to the working process, because it affects how the properties of the token are satisfied. During the analysis, we find that the application scenario significantly influences the role of the app; we therefore discuss the security of the different situations separately. For each scenario, we indicate how the token should be generated and distributed to meet the security goals, and we summarize several security rules. We analyze several practical cases, which demonstrate that violating these rules can lead to severe consequences, such as unauthorized access, information leakage, irrevocable authorization, and device hijacking.
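The abstract does not specify a token format, so the following is an added illustration (not the paper's own design) of the three token properties it names: a device issues a fresh challenge nonce, the issuer binds the command to that nonce with an HMAC under a key shared at pairing (assumed), and the device rejects forged, replayed and expired tokens while proving its own key possession in the acknowledgement. The app in the middle only relays messages and never holds the key.

```python
import hashlib
import hmac
import json
import os

# Constructed example: device and token issuer share KEY out of band (at pairing);
# the app in the middle only relays challenges, tokens and acks.
KEY = b"constructed-shared-secret-for-demo"
def _mac(key, payload):
    # Canonical JSON so issuer and device MAC exactly the same bytes.
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_token(key, device_id, command, nonce, exp):
    # Issuer side: bind the command to the device, its challenge nonce and an expiry.
    payload = {"dev": device_id, "cmd": command, "nonce": nonce, "exp": exp}
    return {"payload": payload, "mac": _mac(key, payload)}

def verify_ack(key, ack, nonce):
    # Issuer side: the device proves it holds the key by MACing the same nonce.
    body = {"nonce": ack.get("nonce"), "result": ack.get("result")}
    return ack.get("nonce") == nonce and hmac.compare_digest(_mac(key, body), ack.get("mac", ""))

class Device:
    def __init__(self, key, device_id):
        self.key, self.id = key, device_id
        self.pending, self.used = set(), set()
    def challenge(self):
        # Fresh per-command nonce; the app relays it to the issuer.
        n = os.urandom(16).hex()
        self.pending.add(n)
        return n

    def accept(self, token, now):
        payload = token.get("payload", {})
        if not hmac.compare_digest(_mac(self.key, payload), token.get("mac", "")):
            return (False, "bad mac")        # forged or tampered in transit
        if payload.get("dev") != self.id:
            return (False, "wrong device")
        if now > payload.get("exp", 0):
            return (False, "expired")
        n = payload.get("nonce")
        if n in self.used:
            return (False, "replayed")       # same token presented a second time
        if n not in self.pending:
            return (False, "unknown nonce")  # not bound to a challenge this device issued
        self.pending.discard(n); self.used.add(n)
        body = {"nonce": n, "result": "ok"}
        return (True, {**body, "mac": _mac(self.key, body)})
```

Because the nonce is device-generated and consumed on first use, a token captured by a malicious or compromised app cannot be presented again, and a token minted without the key fails the MAC check before any field is trusted.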