JWT Back to the Future on the (Ab)use of JWTs in IoT Transactions
摘要
The use of JSON Web Token (JWT)s has become ubiquitous in the Internet of Things (IoT) for the secure exchange of messages between the things and the Cloud. However, the standard that describes the JWT is fragmented, and interpretations may pave the way for abuses. In this work we show a supply chain attack that exploits a weakness in the JWT standard. In particular an attacker that takes control of one device during production, may be able to create a series of valid JWTs, that may be used further after the deployment, to impersonate the device when accessing the Cloud infrastructure. Among the advantages of the attack is that the network is completely unaware about the JWTs created in the supply chain by the attacker. We show that the use of JWTs in the context of the Google Cloud IoT Core [15] infrastructure paves the way for a subtle attack, and that quite unexpectedly, the presence of an Secure Element (SE) on the connecting device does not allow to thwart the problem, but instead seems to make a solution harder to reach. We showcase our attack on the - now retired - Google Cloud IoT Core, in order to avoid malicious use of our findings, but our discovery can be applied to other services that provide token-based authentication. For example we further show that the same weaknesses applies to other tokens like the Concise Binary Object Representation Web Token (CWT) and the Entity Attestation Token (EAT) [23, 26], and to platforms like HiveMQ and EMQX [13, 17] providing a much wider attacker scope then merely a single token type or Cloud provider. Furthermore, our attack also applies to the Open Charge Metering Format (OCMF) standard, used for recording meter readings from charging station for Electric Vehicles (EV) [33]. In order to thwart the presented attack we provide a few countermeasures that can be applied, depending on the IoT infrastructure at hand.