The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force.
While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with. This research was undertaken to start those conversations and encourage further interest.
ThingsBoard is an open source IoT platform designed with the intention of supporting as many different types of IoT devices as possible. Founded in 2016, this Ukraine-based organization quickly rose in popularity amongst both IoT enthusiasts and industry professionals. With thousands of active deployments ranging from small IoT developments to city infrastructure monitoring and management, ThingsBoard is one of the more popular open-source IoT platform solutions.
As a result of this project, a vulnerability involving insecure secret key management was discovered. This vulnerability, CVE-2023-26462, can be leveraged to escalate privileges within the system, using the secret key to manipulate the JSON Web Tokens underpinning the authentication system for the platform.
JSON Web Tokens
Before diving into the details of what the research found, a brief overview of JSON Web Tokens (JWTs) is in order. JWTs have become increasingly popular as a means of providing secure, stateless authentication for web and mobile applications. They are a compact, URL-safe means of representing claims to be transferred between two parties. There are three sections that make up the JWT: header, payload, and signature.
The JWT header contains metadata about the token, such as the encoding method. ..
Support the originator by clicking the read the rest link below.
