{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,28]],"date-time":"2025-03-28T01:29:06Z","timestamp":1743125346564,"version":"3.40.3"},"publisher-location":"Cham","reference-count":36,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031649479"},{"type":"electronic","value":"9783031649486"}],"license":[{"start":{"date-parts":[[2024,10,13]],"date-time":"2024-10-13T00:00:00Z","timestamp":1728777600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,10,13]],"date-time":"2024-10-13T00:00:00Z","timestamp":1728777600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-031-64948-6_11","type":"book-chapter","created":{"date-parts":[[2024,10,12]],"date-time":"2024-10-12T09:02:09Z","timestamp":1728723729000},"page":"205-224","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Discovering and Understanding the\u00a0Security Flaws of Authentication and Authorization in IoT Cloud APIs for Smart Home"],"prefix":"10.1007","author":[{"given":"Minglei","family":"Guo","sequence":"first","affiliation":[]},{"given":"Zhenghang","family":"Xiao","sequence":"additional","affiliation":[]},{"given":"Xin","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Jianwei","family":"Zhuge","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,10,13]]},"reference":[{"key":"11_CR1","unstructured":"Zhou, W., et al.: Discovering and understanding the security hazards in the interactions between IoT devices, mobile apps, and clouds on 
smart home platforms. In: 28th USENIX Security Symposium (USENIX Security 19), pp. 1133\u20131150 (2019)"},{"key":"11_CR2","doi-asserted-by":"crossref","unstructured":"Jia, Y., et\u00a0al.: Who\u2019s in control? On security risks of disjointed IoT device management channels. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1289\u20131305 (2021)","DOI":"10.1145\/3460120.3484592"},{"key":"11_CR3","doi-asserted-by":"crossref","unstructured":"Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: IEEE Symposium on Security and Privacy (SP), pp. 636\u2013654. IEEE 2016 (2016)","DOI":"10.1109\/SP.2016.44"},{"key":"11_CR4","doi-asserted-by":"crossref","unstructured":"Liu, H., Li, C., Jin, X., Li, J., Zhang, Y., Gu, D.: Smart solution, poor protection: An empirical study of security and privacy issues in developing and deploying smart home devices. In: Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, pp. 13\u201318 (2017)","DOI":"10.1145\/3139937.3139948"},{"key":"11_CR5","doi-asserted-by":"crossref","unstructured":"Chen, J., et al.: Your IoTs are (not) mine: on the remote binding between IoT devices and users. In: 2019 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, pp. 222\u2013233 (2019)","DOI":"10.1109\/DSN.2019.00034"},{"key":"11_CR6","doi-asserted-by":"crossref","unstructured":"Jia, Y., et al.: Burglars\u2019 IoT paradise: understanding and mitigating security risks of general messaging protocols on IoT clouds. In: IEEE Symposium on Security and Privacy (SP). IEEE 2020, pp. 465\u2013481 (2020)","DOI":"10.1109\/SP40000.2020.00051"},{"key":"11_CR7","doi-asserted-by":"crossref","unstructured":"Harsha, M., Bhavani, B., Kundhavai, K.: Analysis of vulnerabilities in MQTT security using Shodan API and implementation of its countermeasures via authentication and ACLs. 
In: 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 2244\u20132250. IEEE (2018)","DOI":"10.1109\/ICACCI.2018.8554472"},{"key":"11_CR8","unstructured":"Wang, Q., et\u00a0al.: Mpinspector: a systematic and automatic approach for evaluating the security of IoT messaging protocols. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 4205\u20134222 (2021)"},{"key":"11_CR9","unstructured":"Authz. https:\/\/github.com\/PortSwigger\/authz. Accessed April 2023"},{"key":"11_CR10","unstructured":"Auth Analyzer. https:\/\/github.com\/PortSwigger\/auth-analyzer. Accessed April 2023"},{"key":"11_CR11","unstructured":"\u201cAWS IoT Authentication - AWS IoT Core\u201d. https:\/\/docs.aws.amazon.com\/iot\/latest\/developerguide\/client-authentication.html. Accessed April 2023"},{"key":"11_CR12","unstructured":"\u201cGoogle Cloud IoT Authentication\u201d. https:\/\/cloud.google.com\/iot\/docs\/concepts\/device-security. Accessed April 2023"},{"key":"11_CR13","unstructured":"\u201cDeep Distance\u201d. https:\/\/zepworks.com\/deepdiff\/current\/deep_distance.html. Accessed April 2023"},{"key":"11_CR14","unstructured":"Yuan, B., Jia, Y., Xing, L., Zhao, D., Wang, X., Zhang, Y.: Shattered chain of trust: understanding security risks in cross-cloud IoT access delegation. In: 29th USENIX Security Symposium (USENIX Security 20), pp. 1183\u20131200 (2020)"},{"key":"11_CR15","doi-asserted-by":"crossref","unstructured":"Jin, Z., Xing, L., Fang, Y., Jia, Y., Yuan, B., Liu, Q.: P-verifier: understanding and mitigating security risks in cloud-based IoT access policies. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1647\u20131661 (2022)","DOI":"10.1145\/3548606.3560680"},{"key":"11_CR16","doi-asserted-by":"crossref","unstructured":"Zhang, Y., Ma, S., Li, J., Gu, D., Bertino, E.: Kingfisher: unveiling insecurely used credentials in IoT-to-mobile communications. 
In: 2022 52nd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 488\u2013500. IEEE (2022)","DOI":"10.1109\/DSN53405.2022.00055"},{"key":"11_CR17","doi-asserted-by":"crossref","unstructured":"Yu, S., Zhang, X., Huang, P., Guo, L., Cheng, L., Wang, K.: Authctc: defending against waveform emulation attack in heterogeneous IoT environments. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 20\u201332 (2020)","DOI":"10.1145\/3320269.3384726"},{"key":"11_CR18","doi-asserted-by":"crossref","unstructured":"Oh, S.-R., Kim, Y.-G.: Security requirements analysis for the IoT. In: 2017 International Conference on Platform Technology and Service (PlatCon), pp. 1\u20136. IEEE (2017)","DOI":"10.1109\/PlatCon.2017.7883727"},{"key":"11_CR19","doi-asserted-by":"crossref","unstructured":"Li, Y., Yang, Y., Yu, X., Yang, T., Dong, L., Wang, W.: IoT-apiscanner: detecting API unauthorized access vulnerabilities of IoT platform. In: 2020 29th International Conference on Computer Communications and Networks (ICCCN), pp. 1\u20135. IEEE (2020)","DOI":"10.1109\/ICCCN49398.2020.9209626"},{"key":"11_CR20","doi-asserted-by":"crossref","unstructured":"Zuo, C., Zhao, Q., Lin, Z.: Authscope: towards automatic discovery of vulnerable authorizations in online services. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 799\u2013813 (2017)","DOI":"10.1145\/3133956.3134089"},{"key":"11_CR21","unstructured":"Tian, Y., et al.: Smartauth: user-centered authorization for the internet of things. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 361\u2013378 (2017)"},{"key":"11_CR22","doi-asserted-by":"crossref","unstructured":"Jia, Y.J., et al.: ContexIoT: towards providing contextual integrity to appified IoT platforms. In: NDSS, vol.\u00a02, no.\u00a02. San Diego, p. 2 (2017). S. 
University","DOI":"10.14722\/ndss.2017.23051"},{"key":"11_CR23","unstructured":"Fernandes, E., Paupore, J., Rahmati, A., Simionato, D., Conti, M., Prakash, A.: FlowFence: practical data protection for emerging IoT application frameworks. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 531\u2013548 (2016)"},{"key":"11_CR24","unstructured":"He, W., et al.: Rethinking access control and authentication for the home internet of things (IoT). In: 27th USENIX Security Symposium (USENIX Security 18), pp. 255\u2013272 (2018)"},{"key":"11_CR25","unstructured":"Chi, H., Zeng, Q., Du, X., Luo, L.: Pfirewall: semantics-aware customizable data flow control for home automation systems, arXiv preprint arXiv:1910.07987, 2019"},{"key":"11_CR26","doi-asserted-by":"crossref","unstructured":"Schuster, R., Shmatikov, V., Tromer, E.: Situational access control in the internet of things. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1056\u20131073 (2018)","DOI":"10.1145\/3243734.3243817"},{"key":"11_CR27","doi-asserted-by":"crossref","unstructured":"Ongun, T., Oprea, A., Nita-Rotaru, C., Christodorescu, M., Salajegheh, N.: The house that knows you: user authentication based on IoT data. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 2255\u20132257 (2018)","DOI":"10.1145\/3243734.3278523"},{"key":"11_CR28","doi-asserted-by":"crossref","unstructured":"Rashid, M.A., Pajooh, H.H.: A security framework for IoT authentication and authorization based on blockchain technology. In: 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications\/13th IEEE International Conference On Big Data Science And Engineering (TrustCom\/BigDataSE). IEEE 2019, pp. 
264\u2013271 (2019)","DOI":"10.1109\/TrustCom\/BigDataSE.2019.00043"},{"issue":"3","key":"11_CR29","doi-asserted-by":"publisher","first-page":"24","DOI":"10.1109\/MNET.011.1900276","volume":"34","author":"H Fang","year":"2020","unstructured":"Fang, H., Qi, A., Wang, X.: Fast authentication and progressive authorization in large-scale IoT: how to leverage AI for security enhancement. IEEE Netw. 34(3), 24\u201329 (2020)","journal-title":"IEEE Netw."},{"key":"11_CR30","doi-asserted-by":"crossref","unstructured":"Fernandes, E., Rahmati, A., Jung, J., Prakash, A.: Decentralized action integrity for trigger-action IoT platforms. In: Proceedings 2018 Network and Distributed System Security Symposium (2018)","DOI":"10.14722\/ndss.2018.23119"},{"key":"11_CR31","doi-asserted-by":"crossref","unstructured":"Sikder, A.K., Babun, L., Aksu, H., Uluagac, A.S.: Aegis: a context-aware security framework for smart home systems. In: Proceedings of the 35th Annual Computer Security Applications Conference, pp. 28\u201341 (2019)","DOI":"10.1145\/3359789.3359840"},{"key":"11_CR32","doi-asserted-by":"crossref","unstructured":"Yu, J.-Y., Kim, Y.-G.: Analysis of IoT platform security: a survey. In: 2019 International Conference on Platform Technology and Service (PlatCon), pp. 1\u20135. IEEE (2019)","DOI":"10.1109\/PlatCon.2019.8669423"},{"key":"11_CR33","doi-asserted-by":"crossref","unstructured":"Ding, W., Hu, H., Cheng, L.: IoTSafe: enforcing safety and security policy with real IoT physical interaction discovery. In: The 28th Network and Distributed System Security Symposium (NDSS 2021) (2021)","DOI":"10.14722\/ndss.2021.24368"},{"key":"11_CR34","doi-asserted-by":"crossref","unstructured":"Kim, J.Y., Holz, R., Hu, W., Jha, S.: Automated analysis of secure internet of things protocols. In: Proceedings of the 33rd Annual Computer Security Applications Conference, pp. 
238\u2013249 (2017)","DOI":"10.1145\/3134600.3134624"},{"key":"11_CR35","doi-asserted-by":"crossref","unstructured":"Chen, F., Huo, Y., Zhu, J., Fan, D.: A review on the study on MQTT security challenge. In: 2020 IEEE International Conference on Smart Cloud (SmartCloud), pp. 128\u2013133. IEEE (2020)","DOI":"10.1109\/SmartCloud49737.2020.00032"},{"key":"11_CR36","doi-asserted-by":"crossref","unstructured":"Bhawiyuga, A., Data, M., Warda, A.: Architectural design of token based authentication of MQTT protocol in constrained IoT device. In: 2017 11th International Conference on Telecommunication Systems Services and Applications (TSSA), pp. 1\u20134. IEEE (2017)","DOI":"10.1109\/TSSA.2017.8272933"}],"container-title":["Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering","Security and Privacy in Communication Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-64948-6_11","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,12]],"date-time":"2024-10-12T09:06:14Z","timestamp":1728723974000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-64948-6_11"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,13]]},"ISBN":["9783031649479","9783031649486"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-64948-6_11","relation":{},"ISSN":["1867-8211","1867-822X"],"issn-type":[{"type":"print","value":"1867-8211"},{"type":"electronic","value":"1867-822X"}],"subject":[],"published":{"date-parts":[[2024,10,13]]},"assertion":[{"value":"13 October 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SecureComm","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference 
Information"}},{"value":"International Conference on Security and Privacy in Communication Systems","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Hong Kong","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 October 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 October 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"securecomm2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/securecomm.eai-conferences.org\/2023\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Confy +","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference 
organizers)"}},{"value":"180","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"50","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"28% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}