
Security Analysis Of IoT Platform Authentication And Authorization Protocol Implementation

Posted on: 2020-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Mao
Full Text: PDF
GTID: 2428330602952249
Subject: Engineering

Abstract/Summary:
With the rise of Internet of Things (IoT) technology, IoT devices have brought great convenience to people's lives. To let users and hardware vendors quickly deploy their own solutions, IoT platforms, as a new kind of application, have also developed rapidly. An IoT platform uses a variety of communication protocols to realize the interaction between IoT devices and users. As a result, security vulnerabilities in the protocols of an IoT platform have a wider scope of impact, and their consequences are more serious. Most existing research on the security of IoT protocols focuses on analyzing the security of the protocol itself. On the other hand, because of the differences in IoT platform architectures, the differences in the types of IoT devices, and the variety and complexity of IoT protocols, analyzing the security issues in the implementation of IoT platform protocols is a challenge. The main innovations and contributions of this paper include the following three parts:

(1) This paper presents a security analysis framework based on the life cycle of the IoT terminal, which comprehensively and systematically analyzes the security issues in the implementation of IoT protocols. First, by defining users and devices as terminals, three phases of the IoT terminal life cycle are proposed: terminal access, terminal interaction, and terminal deactivation. Then, combined with reverse analysis and other methods, the life cycle of a real IoT terminal is reconstructed, mainly through traffic analysis. Finally, the paper analyzes the security risks of each stage of the life cycle from three aspects: identity authentication, access control and communication security, and proves the feasibility of the security vulnerabilities by constructing verification attack experiments.

(2) This paper designs and implements IoTCap, a traffic analysis tool for IoT scenarios, to capture and decrypt the IP-layer data received and sent by Android mobile smart applications. The core method of IoTCap is to use the Android VpnService to open a VPN interface and create local clients and servers that forward and decrypt the data flow of the smart application. IoTCap is suitable for a variety of IoT protocols based on the TCP/IP stack, and can decrypt SSL traffic on ports other than 443. Because IoTCap is deployed on the Android phone itself, it can handle IoT-specific scenarios such as device hotspots, and the phone does not need to be rooted.

(3) This paper tests seven mainstream IoT platforms and devices, which shows that the IoT terminal life cycle applies across multiple platforms and devices. The test results show that weak passwords, plaintext transmission and sensitive information leakage are common security risks in the implementation of IoT protocols, and the analysis also focuses on the security risks of permission revocation and identity revocation in the terminal deactivation phase. Through verification attack experiments, three security vulnerabilities are discovered: a ClientId vulnerability based on the MQTT protocol, a Last Will vulnerability based on the MQTT protocol, and a dynamic permission vulnerability based on the MQTT protocol. These can lead to large-scale denial of service, remote control of devices, and false device-information reporting attacks. Based on the above security risks and security vulnerabilities, this paper also gives corresponding defense recommendations.
Keywords/Search Tags: Internet of Things, Protocol Analysis, Lifecycle, Traffic Analysis, Security Risk