Which combination of actions should the company take to prevent this threat?
(Choose two.)
In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
In the application, add a client ID check. Disconnect from the server if any special character is detected.
Apply an AWS IoT Core policy that allows “AWSIoTWirelessDataAccess” with the principal set to “client/${iot:Connection.Thing.ThingName}”.
Apply an AWS IoT Core policy to the device to allow “iot:Connect” with the resource set to “client/${iot:ClientId}”.
Apply an AWS IoT Core policy to the device to allow “iot:Connect” with the resource set to “client/${iot:Connection.Thing.ThingName}”.
Explanations:
Using an IoT thing name as the client ID helps ensure that each device is uniquely identified and authorized, reducing the risk of unauthorized access through client ID manipulation. It also makes it harder for attackers to impersonate legitimate clients.
While adding a client ID check that disconnects from the server when special characters are detected might seem useful, it could lead to false positives and disconnections for legitimate clients who may have valid reasons for including special characters. This approach is not robust against sophisticated attacks.
The AWS IoT Core policy allowing “AWSIoTWirelessDataAccess” with the principal set to “client/${iot:Connection.Thing.ThingName}” is not a recommended approach for securing MQTT topics as it grants broader access than necessary and does not adequately restrict clients based on their identities or privileges.
Allowing “iot:Connect” with the resource set to “client/${iot:ClientId}” does not adequately restrict access, as the client ID can still be manipulated by attackers. This could lead to unauthorized access to topics beyond the client’s privilege scope.
Applying an AWS IoT Core policy to allow “iot:Connect” with the resource set to “client/${iot:Connection.Thing.ThingName}” ensures that only the authorized device can connect to its corresponding client ID, effectively preventing attackers from impersonating other clients and accessing unauthorized topics.
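To make the difference between the two policy variables concrete, here is an added example (not part of the original question or of AWS's own evaluator) that models policy-variable substitution for the two policies side by side: the weak one bound to `${iot:ClientId}` and the corrected one bound to `${iot:Connection.Thing.ThingName}`. The region, account ID, thing names and the simplified evaluation logic are all constructed assumptions.

```python
# Placeholder ARN prefix; a real policy carries the region and account ID.
ARN_PREFIX = "arn:aws:iot:REGION:ACCOUNT-ID"

# Weak setting: the resource is derived from whatever client ID the device presents.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:Connect",
                   "Resource": ARN_PREFIX + ":client/${iot:ClientId}"}],
}

# Corrected setting: the resource is derived from the thing attached to the
# connecting certificate, which the device cannot choose at connect time.
STRONG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:Connect",
                   "Resource": ARN_PREFIX + ":client/${iot:Connection.Thing.ThingName}"}],
}


def substitute(resource, client_id, thing_name):
    """Model substitution of the two policy variables discussed above.
    ${iot:ClientId} is client-controlled; ${iot:Connection.Thing.ThingName}
    comes from the certificate-to-thing attachment (constructed model)."""
    values = {"${iot:ClientId}": client_id,
              "${iot:Connection.Thing.ThingName}": thing_name}
    for var, val in values.items():
        resource = resource.replace(var, val)
    return resource


def connect_allowed(policy, client_id, thing_name):
    """Simplified check: allow the MQTT connect if an Allow statement for
    iot:Connect matches the requested client resource after substitution."""
    requested = ARN_PREFIX + ":client/" + client_id
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "iot:Connect" not in actions:
            continue
        if substitute(stmt["Resource"], client_id, thing_name) == requested:
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: certificate attached to thing "sensor-01",
    # device presents the client ID of a different device, "sensor-02".
    print(connect_allowed(WEAK_POLICY, "sensor-02", "sensor-01"))    # True
    print(connect_allowed(STRONG_POLICY, "sensor-02", "sensor-01"))  # False
    print(connect_allowed(STRONG_POLICY, "sensor-01", "sensor-01"))  # True
```

With the corrected policy the connect only succeeds when the presented client ID equals the attached thing name, which is why the application must also use the thing name as the client ID; note that `${iot:Connection.Thing.ThingName}` only resolves when the certificate is actually attached to a thing, so an unattached certificate is denied rather than silently widened.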