Authorisation inconsistency in IoT third-party integration

IET INFORMATION SECURITY (2022)

Abstract
Today's IoT platforms provide rich functionalities by integrating with popular third-party services. Due to the complexity, it is critical to understand whether the IoT platforms have properly managed the authorisation in the cross-cloud IoT environments. In this study, the authors report the first systematic study on authorisation management of IoT third-party integration by: (1) presenting two attacks that leak control permissions of the IoT device in the integration of third-party services; (2) conducting a measurement study over 19 real-world IoT platforms and three major third-party services. Results show that eight of the platforms are vulnerable to the threat. To educate IoT developers, the authors provide in-depth discussion about existing design principles and propose secure design principles for IoT cross-cloud control frameworks.
Keywords
authorisation, computer network security, internet of things