Yi He and Yunchao Guan, Tsinghua University; Ruoyu Lun, China National Digital Switching System Engineering and Technological Research Center; Shangru Song and Zhihao Guo, Tsinghua University; Jianwei Zhuge and Jianjun Chen, Tsinghua University and Zhongguancun Laboratory; Qiang Wei and Zehui Wu, China National Digital Switching System Engineering and Technological Research Center; Miao Yu and Hetian Shi, Tsinghua University; Qi Li, Tsinghua University and Zhongguancun Laboratory
Nowadays, unattended device rental services with cellular IoT controllers, such as e-scooters and EV chargers, are widely deployed in public areas around the world, offering users convenient access via mobile apps. Although these devices differ from traditional smart-home products in functionality and implementation, their security remains largely unexplored. In this work, we conduct a systematic study to uncover the security implications of IoT device rental services. By investigating 17 physical devices and 92 IoT apps, we identify multiple design and implementation flaws across a wide range of products, which can lead to severe security consequences such as forcing all devices offline, remotely controlling all devices, or hijacking all user accounts of a vendor. The root cause is that rentable IoT devices adopt weak resource identifiers (IDs): attackers can infer these IDs at scale and exploit access control flaws to manipulate the corresponding resources. For instance, rentable IoT products allow any authenticated user to find and use any device from the rental app via its device serial number, which attackers can easily infer and combine with other vulnerabilities to exploit remote devices on a large scale. To identify these risks, we propose a tool, called IDScope, that automatically detects weak IDs in apps and assesses whether these IDs can be abused to widen the exploitation scope of existing access control vulnerabilities. In total, we identify 57 vulnerabilities in 28 products, which enable various forms of large-scale exploitation in 24 products and affect millions of users and devices through three types of weak IDs. The vendors have confirmed our findings, and most issues have been mitigated with our assistance.
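As an added illustration (not the paper's code and not IDScope), the following Python sketches two defender-side checks for the weakness the abstract describes: a heuristic that flags a resource-ID scheme as inferable (small or sequential numeric tail), and a log check that flags accounts probing many distinct serials through a lookup-by-serial feature. The serial format, the endpoint path and the log format are constructed assumptions, not values taken from any studied product.

```python
import math
import re
from collections import defaultdict

# Constructed sample: serials a vendor prints on device labels (fixed prefix,
# sequential six-digit tail), as an outsider could observe them.
SAMPLE_SERIALS = [f"SC-{n:06d}" for n in range(120, 140)]

# Constructed log format for a hypothetical device-lookup endpoint.
LOG_RE = re.compile(r"\S+ user=(?P<user>\S+) GET (?P<path>\S+) serial=(?P<serial>\S+) status=\d+")
SAMPLE_LOGS = [f"2024-05-01T10:00:{i:02d}Z user=u42 GET /api/device/lookup serial=SC-{100+i:06d} status=404"
               for i in range(25)] + [
    "2024-05-01T10:01:00Z user=u7 GET /api/device/lookup serial=SC-000131 status=200",
    "2024-05-01T10:01:05Z user=u7 GET /api/device/lookup serial=SC-000131 status=200",
]

def assess_id_space(ids, seq_threshold=0.5, min_bits=40.0):
    """Heuristic weak-ID check on observed resource IDs: an ID scheme is weak
    when its variable tail is small enough to brute-force or increments
    predictably, so one known ID lets an attacker infer the rest.
    Returns (is_weak, details)."""
    tails = [re.search(r"\d+$", i) for i in ids]
    nums = [int(m.group()) for m in tails if m]
    if not nums:
        return False, {"reason": "no numeric tail found"}
    steps = [b - a for a, b in zip(nums, nums[1:])]
    seq_frac = sum(1 for s in steps if 0 < abs(s) <= 10) / len(steps) if steps else 0.0
    digits = max(len(m.group()) for m in tails if m)
    tail_bits = digits * math.log2(10)     # size of the numeric tail's keyspace
    details = {"sequential_fraction": round(seq_frac, 2), "tail_bits": round(tail_bits, 1)}
    return (seq_frac >= seq_threshold or tail_bits < min_bits), details

def detect_enumeration(log_lines, max_distinct=20):
    """Flag accounts that look up many distinct serials: the access pattern
    produced by inferring IDs at scale through a lookup-by-serial feature.
    Returns {user: distinct_serial_count} for accounts over the threshold."""
    per_user = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path") == "/api/device/lookup":
            per_user[m.group("user")].add(m.group("serial"))
    return {u: len(s) for u, s in per_user.items() if len(s) >= max_distinct}

if __name__ == "__main__":
    print(assess_id_space(SAMPLE_SERIALS))   # (True, {'sequential_fraction': 1.0, 'tail_bits': 19.9})
    print(detect_enumeration(SAMPLE_LOGS))    # {'u42': 25}
```

The thresholds are illustrative; a vendor would tune them against its own ID scheme and traffic, and the real fix is to stop binding device access to a guessable serial alone.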
@inproceedings{CITATION-KEY-NOT-ON-PAGE,
  author    = {Yi He and Yunchao Guan and Ruoyu Lun and Shangru Song and Zhihao Guo and Jianwei Zhuge and Jianjun Chen and Qiang Wei and Zehui Wu and Miao Yu and Hetian Shi and Qi Li},
  title     = {Demystifying the Security Implications in {IoT} Device Rental Services},
  booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
  year      = {2024},
  isbn      = {978-1-939133-44-1},
  address   = {Philadelphia, PA},
  pages     = {6579--6596},
  url       = {https://www.usenix.org/conference/usenixsecurity24/presentation/he-yi},
  publisher = {USENIX Association},
  month     = aug
}