iTieProbe: How Vulnerable Your IoT Provisioning via Wi-Fi AP Mode or EZ Mode?
IEEE Transactions on Information Forensics and Security ( IF 6.3 ) Pub Date : 2024-09-30 , DOI: 10.1109/tifs.2024.3471080
Anand Agrawal, Rajib Ranjan Maiti

IoT provisioning is a critical phase in IoT communication, during which a number of security parameters are exchanged that are used both in this phase and later. Because IoT devices are headless, the exchange of these parameters must balance security against convenience. Proprietary schemes (e.g., “SmartConfig” by Texas Instruments) and open de facto standards (e.g., AP mode and EZ mode by Tuya Inc.) have been proposed to address these challenges, while leaving room for vendor-specific settings. Analyzing the resulting vulnerabilities and threats is therefore challenging, because there is no common model of IoT provisioning over Wi-Fi AP mode and EZ mode across commercial IoT devices. In this paper, we propose a sequence-diagram model of such provisioning and formulate seven research questions (RQs) aimed at discovering vendor-agnostic vulnerabilities. We develop a system, called iTieProbe, to answer the RQs. We discover six non-trivial potential vulnerabilities, identified as $\mathcal {V}1$ to $\mathcal {V}6$ . We evaluate how effectively iTieProbe tests for these six vulnerabilities by applying it to nine commercial IoT devices spanning seven device types: a smart plug, an IoT doorbell, a spy bulb, a smart speaker, a spy clock, a smart camera, and an air quality monitor. We show that, among other findings, an attacker using iTieProbe can find $\mathcal {V}1$ (which leads to access to a neighbor’s Wi-Fi AP) in five devices, $\mathcal {V}3$ and $\mathcal {V}4$ in three devices, and $\mathcal {V}5$ and $\mathcal {V}6$ (both of which lead to successful provisioning using either an expired authentication token or a valid token belonging to the attacker) in three devices. We have reported all of these vulnerabilities to the respective vendors via email and received acknowledgments from some of them, resulting in three registered CVEs (CVE-2024-7408, CVE-2024-46040, CVE-2024-46041).
The average runtime of iTieProbe to test a single vulnerability in one IoT provisioning session is about 48.95 seconds, much less than the provisioning itself (typically a few minutes). We believe that our findings can help the vendors and developers of these IoT devices to fix the security vulnerabilities in their provisioning implementations.
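The abstract describes $\mathcal {V}5$ and $\mathcal {V}6$ only in outcome terms: provisioning succeeds with an expired authentication token, or with a valid token that belongs to the attacker rather than to the account being provisioned. As an added illustration (not the paper's own code, not iTieProbe, and not any vendor's actual protocol), the following Python sketch contrasts a token check that exhibits that pattern with a hardened one. The token layout, the HMAC construction, the server secret, and the account and device identifiers are all constructed assumptions made here for the example.

```python
import hashlib
import hmac

# Constructed token layout for illustration: "account|device|exp|mac".
# This is an assumption made for the example; the paper does not document
# any vendor's token format.


def _payload(account_id: str, device_id: str, expires_at: int) -> bytes:
    return f"{account_id}|{device_id}|{expires_at}".encode()


def issue_token(secret: bytes, account_id: str, device_id: str, expires_at: int) -> str:
    """Issue a provisioning token bound to an account, a device and an expiry."""
    mac = hmac.new(secret, _payload(account_id, device_id, expires_at), hashlib.sha256).hexdigest()
    return f"{account_id}|{device_id}|{expires_at}|{mac}"


def _parse(token: str):
    """Split a token into (account, device, exp, mac); None if malformed."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    account_id, device_id, exp_str, mac = parts
    if not exp_str.isdigit():
        return None
    return account_id, device_id, int(exp_str), mac


def _signature_ok(secret: bytes, account_id: str, device_id: str, exp: int, mac: str) -> bool:
    expected = hmac.new(secret, _payload(account_id, device_id, exp), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def verify_token_weak(secret: bytes, token: str) -> bool:
    """Weak check: only verifies that the server issued the token.

    Any genuine token passes, including one that has already expired (the V5
    pattern) and one issued to a different account, e.g. the attacker's own
    account (the V6 pattern).
    """
    parsed = _parse(token)
    if parsed is None:
        return False
    account_id, device_id, exp, mac = parsed
    return _signature_ok(secret, account_id, device_id, exp, mac)


def verify_token_strict(secret: bytes, token: str, expected_account: str,
                        expected_device: str, now: int) -> bool:
    """Hardened check: genuine, unexpired, and bound to this account and device."""
    parsed = _parse(token)
    if parsed is None:
        return False
    account_id, device_id, exp, mac = parsed
    if not _signature_ok(secret, account_id, device_id, exp, mac):
        return False
    if now >= exp:                      # reject expired tokens
        return False
    if not hmac.compare_digest(account_id.encode(), expected_account.encode()):
        return False                    # token was issued to someone else
    if not hmac.compare_digest(device_id.encode(), expected_device.encode()):
        return False                    # token was issued for another device
    return True


def demo() -> dict:
    """Run both checks against constructed tokens; every value should be True."""
    secret = b"constructed-provisioning-server-secret"   # constructed, not a real key
    now = 1_700_000_000                 # fixed clock so the example is deterministic
    victim, device = "victim@example.com", "dev-0001"
    expired = issue_token(secret, victim, device, now - 60)                        # V5-style input
    attackers_own = issue_token(secret, "attacker@example.com", device, now + 600)  # V6-style input
    fresh = issue_token(secret, victim, device, now + 600)
    return {
        "weak_accepts_expired": verify_token_weak(secret, expired),
        "weak_accepts_attacker_token": verify_token_weak(secret, attackers_own),
        "strict_rejects_expired": not verify_token_strict(secret, expired, victim, device, now),
        "strict_rejects_attacker_token": not verify_token_strict(secret, attackers_own, victim, device, now),
        "strict_accepts_fresh": verify_token_strict(secret, fresh, victim, device, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the contrast is that a genuine signature alone is not an authorization decision: the strict check additionally ties the token to a lifetime and to the specific account and device that the provisioning session claims to be for, which is exactly what an expired token or an attacker's own valid token fails.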

Updated: 2024-09-30