Cloud Break: IoT Devices Open to Silent Takeover Via Firewalls
Recorded: Nov. 18, 2025, 10:03 p.m.
| Original | Summarized |
IoT devices can be compromised, thanks to gaps in cloud management interfaces for firewalls and routers, even if they're protected by security software or not online.

Nate Nelson, Contributing Writer
November 18, 2025
4 Min Read
Source: Andy Sutton via Alamy Stock Photo

Researchers have demonstrated how to breach Internet of Things (IoT) devices that sit behind firewalls, without relying on any software vulnerability in the device itself.

Typically, hackers breach IoT devices by obtaining their IP addresses and exploiting firmware vulnerabilities. This works well against organizations that, due to ignorance, disregard, delay, or genuine inability, can't apply patches in time to protect themselves. Businesses that don't expose their devices to the Web and patch diligently can rest easy knowing that hackers don't have a way in.

Or maybe not. In an upcoming presentation at Black Hat Europe in London, Nanjing University master's candidate Jincheng Wang and independent security researcher Nik Xe will propose an entirely new model for taking over IoT devices. In their proof of concept (PoC), an attacker can breach devices en masse without any vulnerabilities present, or even any IP addresses, and it works just as well against intranet devices.

The key is cloud management: leveraging the trust between devices and the cloud vendors that oversee them.

How IoT Devices Authenticate to the Cloud

How can you prove that you are you on the Internet? If you're on a government or finance website, it might require a slew of personal information and officially issued identifying documents. A dating app might require a biometric face scan.
On a social media forum, you can just take a selfie with today's newspaper.

Now imagine an IoT device deployed at an organization, a router if you wish, managed through a cloud platform. How can that device prove that it is itself to the cloud server that oversees it? Devices built for specific, narrow functions often have no sophisticated way of authenticating, so IoT cloud servers fall back on the static data that distinguishes one device from another: namely, its serial number (SN) or MAC address.

This was the starting point for Wang and Xe's PoC. If cloud servers authenticate IoT devices using their SNs or MAC addresses, an attacker needs just two pieces of information, the number or address and the way the server derives an authentication credential from it, in order to impersonate a device to the server.

Getting an SN or MAC address isn't always challenging. Some manufacturers expose them through network interfaces, Wang reports, because "many manufacturers still do not treat serial numbers or MAC addresses as sensitive information," and sometimes they're exposed by Wi-Fi access points, as "when an app binds a device within a local network, it typically retrieves the SN or MAC address through specific local service ports. Since most manufacturers do not restrict these interfaces, the same endpoints can often be accessed from the public Internet, allowing anyone to obtain the device's unique identifiers remotely."

These identifiers can also be brute-forced. SNs usually follow a standard pattern derived from the device type, model, and so on, and only the last handful of characters might be unique to any particular device.
And the first half of a MAC address is simply an IEEE-assigned manufacturer code (the OUI); only the last three bytes vary per device, so the space an attacker has to search is far smaller than a 48-bit address suggests.

To round out the impersonation, an attacker can extract and analyze the cloud communication logic stored in a targeted device type's firmware, and reverse engineer the operations that the vendor performs to transform the identifier into a credential.

The Risk to Organizations

With a device's unique identifier, and the operations used to authenticate it to its cloud server, an attacker can impersonate any targeted device to the cloud platform.

At this point, Wang explains, "this impersonation will compete with the victim's legitimate cloud management channel, thereby bypassing the binding authentication enforced by the app or the cloud platform. Then, by disconnecting the impersonated channel, the attacker stops competing with the legitimate connection and allows the victim's original channel to recover." As a result, the attacker ends up with a session through which they can send administrative commands to the cloud service, which relays them to the real device being impersonated. That holds even if the real device runs behind a firewall or sits on an intranet with no inbound exposure, because the commands arrive over the device's own management connection to the cloud rather than from the Internet.

The only way to prevent this kind of attack, the researchers say, is to fundamentally change how IoT devices authenticate to cloud management services. For example, cloud management platforms can check for device IP address changes and require additional authentication in such cases. Or, better, device credentials can be generated from more than just an SN or MAC address: "They can create a random number as a UUID, and this number is bound with the [cloud management] app instead of a serial number or MAC address that is easy to brute force.
This number would be random, and unknown to attackers," Wang says.

Though his attack model is new, Wang adds, "commands sent by attackers through the cloud are hard to distinguish from the normal traffic. With this attack model, tracing the attackers is difficult, and any incident can create a big reputation or legal risk for manufacturers, so they tend to quietly fix issues rather than disclose them. So the lack of public, large-scale cases does not necessarily mean [similar attacks] are not happening."

He thinks that "these cloud channels are still widely overlooked. They affect many devices, are hard to patch, and any attackers [and] any attacks through them are extremely difficult to trace."

Read more about: Black Hat News

About the Author
Nate Nelson, Contributing Writer
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
Summarized

The convergence of IoT devices with cloud management interfaces presents a significant, and previously overlooked, security weakness. According to research to be presented at Black Hat Europe by Nanjing University master's candidate Jincheng Wang and independent security researcher Nik Xe, attackers can silently take over IoT devices by exploiting how these devices authenticate to cloud platforms. The weakness stems from the reliance on static device identifiers, serial numbers (SNs) and media access control (MAC) addresses, as the basis for authentication. These identifiers are often exposed through unrestricted local service ports that are also reachable from the Internet, and because only a few trailing characters or bytes vary per device, they can be brute-forced.

The core of the issue lies in the trust placed between IoT devices and cloud management services. Wang and Xe's proof of concept (PoC) showed that an attacker who extracts the cloud communication logic from a device's firmware can reverse engineer the transform that turns an identifier into a credential, and then impersonate the device. The impersonated connection competes with the device's legitimate cloud management channel, bypassing the binding authentication the app or platform enforces; the attacker then drops the impersonated channel so the victim's connection recovers, and is left with a session through which administrative commands are relayed by the cloud to the real device, even one behind a firewall or on an intranet.

The implications are broad. The researchers argue that these cloud channels are widely overlooked, affect many devices, and are hard to patch, and that attacks through them are extremely difficult to trace. Wang also notes that manufacturers tend to quietly fix such issues rather than disclose them because of reputational and legal risk, so the lack of public, large-scale cases does not mean such attacks are not happening.

To mitigate the risk, the researchers propose changing how devices authenticate to cloud management services: binding each device to a randomly generated UUID that an attacker cannot derive or enumerate, rather than to an SN or MAC address, and, as a weaker measure, checking for changes in a device's IP address and requiring additional authentication when one occurs. Ultimately, the research underscores the need to move IoT cloud authentication away from static device identifiers toward per-device secrets.
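The attack model and the two mitigations described in the article and summary above (identifier-derived credentials, a competing device channel that is released so the victim's channel recovers, the IP-change check, and the random per-device UUID), as an added in-process simulation. This is not the researchers' PoC or any vendor's code: the credential derivation sha256(serial|mac) stands in for whatever vendor-specific transform an attacker would recover from firmware, and the identifiers, IP addresses, command string and the Cloud class are all constructed for illustration.

```python
"""Toy simulation of identifier-based IoT cloud authentication and its takeover.

Added example, not the researchers' code. Assumptions: sha256(serial|mac) is a
stand-in for the vendor's credential derivation; identifier formats, IPs and
the command are constructed; the network is simulated in-process, so a device
"behind a firewall" is simply one whose only link to the cloud is outbound.
"""
import hashlib
import hmac
import secrets

SERIAL = "RTX100-000417"        # constructed: model prefix, per-unit numeric suffix
VENDOR_OUI = "00:1A:2B"         # constructed IEEE-style OUI; only trailing bytes vary
DEVICE_IP, ATTACKER_IP = "198.51.100.7", "203.0.113.9"   # documentation ranges


def weak_credential(serial: str, mac: str) -> str:
    """Stand-in for firmware logic: a credential that is a pure function of static IDs."""
    return hashlib.sha256(f"{serial}|{mac.upper()}".encode()).hexdigest()


class Cloud:
    """Cloud management backend; `strong` and `check_ip_change` switch on the fixes."""

    def __init__(self, strong=False, check_ip_change=False):
        self.strong, self.check_ip_change = strong, check_ip_change
        self.devices = {}     # serial -> {"credential", "last_ip"}
        self.channels = {}    # serial -> ip currently holding the device channel
        self.managers = {}    # manager token -> serial it is bound to
        self.relayed = []     # (serial, command) delivered down the live device channel

    def enroll(self, serial, mac, ip):
        # Fix 2: a random per-device secret instead of something derived from SN/MAC.
        cred = secrets.token_hex(16) if self.strong else weak_credential(serial, mac)
        self.devices[serial] = {"credential": cred, "last_ip": ip}
        return cred

    def device_connect(self, serial, credential, ip, step_up=False):
        rec = self.devices.get(serial)
        if rec is None or not hmac.compare_digest(rec["credential"], credential):
            return False
        if self.check_ip_change and ip != rec["last_ip"] and not step_up:
            return False          # Fix 1: source moved, demand additional authentication
        rec["last_ip"] = ip
        self.channels[serial] = ip   # a new connection displaces the existing channel
        return True

    def device_disconnect(self, serial, ip):
        if self.channels.get(serial) == ip:
            del self.channels[serial]

    def bind_manager(self, serial, approver_ip):
        """Binding an app is confirmed by whoever currently holds the device channel."""
        if self.channels.get(serial) != approver_ip:
            return None
        token = secrets.token_hex(8)
        self.managers[token] = serial
        return token

    def admin_command(self, token, command):
        """Relay a bound manager's command down whatever device channel is live now."""
        serial = self.managers.get(token)
        if serial is None or serial not in self.channels:
            return False
        self.relayed.append((serial, command))
        return True


def enumerate_mac_suffixes(oui, count=256):
    """The OUI is public, so only the trailing bytes need guessing (last byte here)."""
    for last in range(count):
        yield f"{oui}:00:00:{last:02X}"


def run_attack(cloud, true_mac):
    """Enroll and connect the real device, run the takeover, return relayed commands."""
    device_cred = cloud.enroll(SERIAL, true_mac, DEVICE_IP)
    cloud.device_connect(SERIAL, device_cred, DEVICE_IP)       # legitimate outbound channel
    # The attacker knows the serial and the derivation and brute-forces the MAC suffix.
    for mac in enumerate_mac_suffixes(VENDOR_OUI):
        guess = weak_credential(SERIAL, mac)
        if cloud.device_connect(SERIAL, guess, ATTACKER_IP):    # competing, impersonated channel
            token = cloud.bind_manager(SERIAL, ATTACKER_IP)     # self-approved app binding
            cloud.device_disconnect(SERIAL, ATTACKER_IP)        # stop competing
            cloud.device_connect(SERIAL, device_cred, DEVICE_IP)  # victim's channel recovers
            cloud.admin_command(token, "set_dns 203.0.113.53")   # relayed to the real device
            break
    return [cmd for s, cmd in cloud.relayed if s == SERIAL]


if __name__ == "__main__":
    mac = f"{VENDOR_OUI}:00:00:7A"
    print("identifier-derived credential:", run_attack(Cloud(), mac))
    print("with IP-change check:", run_attack(Cloud(check_ip_change=True), mac))
    print("with random per-device secret:", run_attack(Cloud(strong=True), mac))
```

In the default configuration the attacker's guess lands after at most 256 attempts, the self-approved binding survives the attacker dropping the impersonated channel, and the command reaches the real device over its own recovered connection. The IP-change check blocks the competing channel only because the impersonator connects from a different address, which is why the article calls it the weaker of the two fixes; the random enrollment secret removes the enumerable keyspace entirely, so the brute force never authenticates at all.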