DMCGuard: risky perils and fine-grained control on IoT multiple device management channels

Bin YUAN, Kaimin ZHENG, Yan JIA, Jiajun REN, Kunming WANG, Shengjiu SHI, Deqing ZOU, Hai JIN

Front. Comput. Sci. ›› 2026, Vol. 20 ›› Issue (5) : 2005104

DOI: 10.1007/s11704-024-40143-0
Architecture
RESEARCH ARTICLE

Abstract

The rapid expansion of the Internet of Things (IoT) has led various IoT manufacturers to independently incorporate their platform management stack as a Device Management Channel (DMC) into IoT devices, resulting in a heterogeneous and disjointed IoT ecosystem. This decentralization poses significant challenges in access control security for managing IoT devices through standalone DMCs. The introduction of new market demands, such as device sharing and multiple attribute management, exacerbates vulnerabilities in IoT devices, leading to Chaotic Device Management (Codema). Existing access control systems prove insufficient for handling multiple DMC scenarios and lack fine-grained attribute management capabilities. This paper analyzes the overlooked manufacturer local DMC, identifying new vulnerabilities across DMCs. To tackle the security challenges associated with managing multiple DMCs, we propose MDUCON, a formal fine-grained access control model. Additionally, we introduce DMCGuard, a cross-DMC authorization management framework designed for seamless integration into IoT devices by vendors, enhancing authorized management of multiple DMCs on IoT devices. DMCGuard is deployed on four mainstream DMCs, aligning with the prevailing structure of IoT systems. The evaluation demonstrates the robust security and effectiveness of DMCGuard in real-world IoT scenarios, affirming its potential to address DMC security challenges.

Keywords

IoT / IoT security / smart home / access control / DMC

Cite this article

Bin YUAN, Kaimin ZHENG, Yan JIA, Jiajun REN, Kunming WANG, Shengjiu SHI, Deqing ZOU, Hai JIN. DMCGuard: risky perils and fine-grained control on IoT multiple device management channels. Front. Comput. Sci., 2026, 20(5): 2005104 DOI:10.1007/s11704-024-40143-0

RIGHTS & PERMISSIONS

Higher Education Press
