Resetting Your Password Is Vulnerable: A Security Study of Common SMS-Based Authentication in IoT Device
Joint Authors
Niu, Weina
Zhang, Xiaosong
Wang, Dong
Chen, Ting
Ming, Jiang
Wang, Chao
Source
Wireless Communications and Mobile Computing
Issue
Vol. 2018, Issue 2018 (31 Dec. 2018), pp.1-15, 15 p.
Publisher
Hindawi Publishing Corporation
Publication Date
2018-07-04
Country of Publication
Egypt
No. of Pages
15
Main Subjects
Information Technology and Computer Science
Abstract EN
Firmware vulnerability is an important target for IoT attacks, but it is challenging, because firmware may be publicly unavailable or encrypted with an unknown key.
We present in this paper an attack on Short Message Service (SMS for short) authentication codes which aims at gaining control of IoT devices without firmware analysis.
The key idea is based on the observation that an IoT device usually has an official application (app for short) used to control it.
Customers need to register an account before using this app, and phone numbers are usually suggested as the account name. Most of these apps have a common feature, called Reset Your Password, that uses an SMS authentication code sent to the customer's phone to authenticate the customer when he has forgotten his password.
We found that an attacker can perform a brute-force attack on this SMS authentication code automatically by overcoming several challenges, and can then steal the account to gain control of IoT devices.
In our research, we have implemented a prototype tool, called SACIntruder, to enable performing such brute-force attack tests on IoT devices automatically.
We evaluated it and successfully found 12 zero-day vulnerabilities including smart lock, sharing car, smart watch, smart router, etc.
We also discussed how to prevent this attack.
American Psychological Association (APA)
Wang, Dong & Zhang, Xiaosong & Ming, Jiang & Chen, Ting & Wang, Chao & Niu, Weina. 2018. Resetting Your Password Is Vulnerable: A Security Study of Common SMS-Based Authentication in IoT Device. Wireless Communications and Mobile Computing, Vol. 2018, no. 2018, pp.1-15.
https://search.emarefa.net/detail/BIM-1216260
Modern Language Association (MLA)
Wang, Dong…[et al.]. Resetting Your Password Is Vulnerable: A Security Study of Common SMS-Based Authentication in IoT Device. Wireless Communications and Mobile Computing No. 2018 (2018), pp.1-15.
https://search.emarefa.net/detail/BIM-1216260
American Medical Association (AMA)
Wang, Dong & Zhang, Xiaosong & Ming, Jiang & Chen, Ting & Wang, Chao & Niu, Weina. Resetting Your Password Is Vulnerable: A Security Study of Common SMS-Based Authentication in IoT Device. Wireless Communications and Mobile Computing. 2018. Vol. 2018, no. 2018, pp.1-15.
https://search.emarefa.net/detail/BIM-1216260
Data Type
Journal Articles
Language
English
Notes
Includes bibliographical references
Record ID
BIM-1216260