KingFisher: Unveiling Insecurely Used Credentials in IoT-to-Mobile Communications

1. Introduction
2. Code Overview
3. Tutorials
4. Evaluation Results

1. Introduction

KingFisher is an insecure shared credential (SC) detection framework for real-world IoT products, designed to automate the tasks of SC extraction and SC security inspection.
It employs a value-based data flow analysis to track SCs in IoT (Android) companion apps, and then understands how the SCs are used and inspects their security status by dynamic interaction testing.

KingFisher is currently built as a set of Python scripts combined with the Frida dynamic code instrumentation framework, and is composed of four main components: Function Interface Identification, Message Collection, Value-based SC Extraction and Security Violation Detection.

We used KingFisher to evaluate eight IoT products, including BroadLink, Haier, Horn, Qihoo, Tuya, Xiaomi, Xiaoyi and ZTE, and discovered vulnerable SC usage and implementations in them.

So far, we have received five CNVDs (i.e., CNVD-2021-73144, CNVD-2021-90790, CNVD-2021-90791, CNVD-2021-39530, CNVD-2021-73145, CNVD-2021-73140, CNVD-2021-90647, CNVD-2021-73142) and one is awaiting confirmation.

Huawei replied that they have internally isolated the device registration process (SC generation and distribution) of new devices, which support another, more secure protocol, from that of old devices, which cannot be updated to the new protocols.
We will help them and the Horn company to deploy the patch that deals with the issues.

2. Code Overview

We have implemented KingFisher with Python and JavaScript scripts, combining and integrating some other tools: the Frida dynamic code instrumentation framework, the tcpdump packet capture binary and the Burp Suite toolkit for web security testing.

The code files of KingFisher and their descriptions are listed below.

KingFisher Code Structure (files and details):
  - Identifying SC-related functions in Java code and generating the corresponding instrumentation scripts.
  - Identifying SC-related functions in Native code and generating the corresponding instrumentation scripts.
  - Collecting messages.
  - Implementing value-based analysis to extract possible SCs from collected messages.
  - violation_detection: detecting whether the products violate the security properties; includes nine independent tests.

The SC extraction source code of KingFisher is available now: code. The violation detection scripts will be available soon.

2.1 Function Interface Identification

KingFisher adopts a keyword-based search for function recognition. We observed that most SC-related functions are sensitive functions, e.g., cryptographic functions, data construction functions, and network-related functions. In particular, cryptographic functions take the CSC as input and use it as an encryption key to encrypt the transmission data. The encrypted data and some other information are formatted into a transmission message by data construction functions and further transmitted over the communication channel by network-related functions.

We manually constructed a reference set from source code on GitHub and StackOverflow; it contains a list of keywords that are commonly used to name SC-related functions.

The reference set is listed as follows. Using the reference set, we identify the potentially SC-related functions and output an SC function candidate list.

Note that the asterisk indicates zero or more occurrences of any character.

An example of the Function Interface Identification result is listed as follows:

    {
        "class": "com.tuya.sdk.hardwareprotocol.control.LocalControl3_2",
        "method": "encryptRequestWithLocalKey",
        "params": [
            ...
        ],
        "params_len": 3,
        "return": "com.tuya.sdk.hardwareprotocol.bean.HRequest"
    }
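As an added example (not KingFisher's own code), the keyword search described above, emitting candidates in the layout of the result shown and generating a Frida argument-logging hook for each one, as the Java interface identification component is said to do. The reference set keywords, the method table and the hook generator are assumptions; the page's real keyword list is not reproduced here.

```python
import fnmatch

# Assumed reference set (the page's own keyword list is not reproduced here).
# As the page notes, '*' matches zero or more occurrences of any character.
REFERENCE_SET = ["encrypt*", "decrypt*", "*key*", "*token*", "build*request*", "send*"]

# Constructed method signatures (class, method, params, return) standing in for
# the app's Java method table; not taken from a real APK.
METHODS = [
    ("com.tuya.sdk.hardwareprotocol.control.LocalControl3_2", "encryptRequestWithLocalKey",
     ["java.lang.String", "[B", "int"], "com.tuya.sdk.hardwareprotocol.bean.HRequest"),
    ("com.example.ui.MainActivity", "onCreate", ["android.os.Bundle"], "void"),
    ("com.example.net.Client", "sendPacket", ["[B"], "boolean"),
]

def matches_reference(method_name, reference_set=REFERENCE_SET):
    """Case-insensitive glob match of a method name against the keyword reference set."""
    name = method_name.lower()
    return any(fnmatch.fnmatchcase(name, kw.lower()) for kw in reference_set)

def identify_candidates(methods, reference_set=REFERENCE_SET):
    """Return the SC function candidate list in the layout of the result shown above."""
    return [
        {"class": cls, "method": method, "params": list(params),
         "params_len": len(params), "return": ret}
        for cls, method, params, ret in methods
        if matches_reference(method, reference_set)
    ]

def frida_hook(candidate):
    """Generate a Frida Java hook that logs the arguments of one candidate at runtime.
    Assumed, illustrative generator (not KingFisher's script); '[B' is Frida's byte[] type."""
    args = ", ".join(f"a{i}" for i in range(candidate["params_len"]))
    overload = ", ".join(f"'{p}'" for p in candidate["params"])
    return (
        "Java.perform(function () {\n"
        f"  var C = Java.use('{candidate['class']}');\n"
        f"  C.{candidate['method']}.overload({overload}).implementation = function ({args}) {{\n"
        f"    console.log(JSON.stringify({{method: '{candidate['method']}', args: [{args}].map(String)}}));\n"
        f"    return this.{candidate['method']}({args});\n"
        "  };\n"
        "});"
    )

if __name__ == "__main__":
    cands = identify_candidates(METHODS)
    print(cands)
    print(frida_hook(cands[0]))
```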

2.2 Message Collection

2.3 Value-based Analysis

Taking the Function Value Collection and Traffic Clustering results as input, KingFisher executes a value-based analysis in two steps to distinguish the SCs actually used. We illustrate the detailed Tuya example in the figure below to explain how the value-based analysis works and why common program analysis methods (e.g., control flow construction) could not be applied in our approach.

  1. Coarse Candidate Selection
    The coarse candidate selection in KingFisher takes the message collection results as input. Specifically, it performs value-based comparison iteratively.
  2. Fine-grained SC Recognition
    In this step, KingFisher utilizes the two common SC formats to recognize the SCs among the candidates obtained in coarse candidate selection. Specifically, it follows two rules to recognize the SCs; if a value in the candidates satisfies one of the rules, it is considered the used SC.
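The two-step analysis above as an added example in Python (not KingFisher's own code): values collected from hooked functions are compared against clustered traffic payloads, and survivors are filtered by format rules. The function values, traffic clusters, the minimum-length noise filter and the two format rules (fixed-length hex, base64-like text) are all assumptions standing in for the page's unspecified "two common SC formats".

```python
import re

# Constructed Function Value Collection output: values seen as arguments/returns of
# hooked SC function candidates (Message Collection, step 2.2). Not real product data.
FUNCTION_VALUES = {
    "LocalControl3_2.encryptRequestWithLocalKey": ["0a1b2c3d4e5f6071", "3.3", "{\"dps\":{\"1\":true}}"],
    "Client.sendPacket": ["0a1b2c3d4e5f6071", "Zm9vYmFyYmF6cXV4MTIzNA==", "7"],
}
# Constructed Traffic Clustering output: raw payload strings per cluster.
TRAFFIC_CLUSTERS = {
    "local_tcp": ["ver=3.3;key=0a1b2c3d4e5f6071;cmd=07", "ver=3.3;key=0a1b2c3d4e5f6071;cmd=0a"],
    "cloud_https": ["POST /v1 token=Zm9vYmFyYmF6cXV4MTIzNA== dps=1"],
}

MIN_LEN = 8  # assumption: shorter values (e.g. "3.3", "7") are too common to be SCs

def coarse_candidate_selection(function_values, traffic_clusters):
    """Iterate over every (function value, cluster message) pair and keep values that
    appear verbatim in traffic; map each to the (function, cluster) pairs it links."""
    candidates = {}
    for fn, values in function_values.items():
        for v in values:
            if len(v) < MIN_LEN:
                continue
            for cluster, messages in traffic_clusters.items():
                if any(v in m for m in messages):
                    candidates.setdefault(v, set()).add((fn, cluster))
    return candidates

# Assumed format rules standing in for the page's "two common SC formats":
# rule 1: fixed-length hex string (16, 32 or 64 hex digits); rule 2: base64-like text.
HEX_RULE = re.compile(r"^(?:[0-9a-fA-F]{16}|[0-9a-fA-F]{32}|[0-9a-fA-F]{64})$")
B64_RULE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def fine_grained_recognition(candidates):
    """Keep only candidates whose value satisfies at least one SC format rule."""
    return sorted(v for v in candidates if HEX_RULE.match(v) or B64_RULE.match(v))

def extract_scs(function_values, traffic_clusters):
    """Run both steps; return recognized SCs with the function/cluster pairs that use them."""
    coarse = coarse_candidate_selection(function_values, traffic_clusters)
    return {v: sorted(coarse[v]) for v in fine_grained_recognition(coarse)}

if __name__ == "__main__":
    print(extract_scs(FUNCTION_VALUES, TRAFFIC_CLUSTERS))
```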

2.4 Security Violation Detection

KingFisher next assesses the security of the SCs based on the security properties listed in Section 3. Specifically, the SC used in this procedure is the correct one after verification. The security violation detection tests for the nine properties are independent, so that each test can be run separately.
The source code of the security violation detection will be available soon.

  1. Detecting Insecurely Generated SCs.
  2. Detecting Insecurely Distributed SCs.
  3. Detecting Insecurely Validated SCs.
  4. Detecting Insecurely Protected SCs.
  5. Detecting Insecurely Revoked SCs.

3. Tutorials

Taking Tuya as an example, the step-by-step tutorial of how KingFisher analyzes an IoT product (i.e., an IoT device and its companion app) is provided below.

3.1 Preparation

  1. Download and install the Tuya app on a smartphone, then register or log in to the user account and bind it with the Tuya Smart Plug following the app's instructions.
  2. Install the frida client on the laptop (Windows, macOS, or GNU/Linux): pip install frida and pip install frida-tools. Check the frida client version: frida --version. Download the frida server of the corresponding version and architecture (determined by the Android smartphone) and push it to the smartphone.
  3. Download the tcpdump binary and push it to the smartphone.

3.2 SC Extraction

  1. Run frida server on the smartphone: ./frida-server
  2. Function Interface Identification:
  3. Message Collection:
  4. Value-based Analysis:
  5. Security Violation Detection:

4. Evaluation Results

The evaluation dataset of our experiment is available: dataset. It includes the experimental objects (i.e., eight IoT companion apps downloaded from Google Play and Tencent Myapp) and our SC extraction results (i.e., the SC Function Candidate List (located interfaces), Function Information List, Key_Fun and Related_Func).
Our experiment covers eight IoT vendors:

4.1 Benchmark [Waiting for upload]

Benchmark Dataset

IoT Vendor | SC-related Functions (Java / Native) | SCs (ASC / CSC)
BroadLink  |                                      | 2d07905f0fcc2919f290c3526ab4cd49
Haier      |                                      | 7y5INpxqLQKHmdo0wUd7V8R2k9gp2xR1SZdISl6t:
Horn       |                                      | 9205B304FD64482D
Qihoo      |                                      | 54f4281b3738d2ea56c68c873a7ecc40655986f8e21260a1c0289a54cdb7d167 / 54f4281b3738d2ea56c68c873a7ecc40655986f8e21260a1c0289a54cdb7d167
Tuya       |                                      | 65cda52393a0079b
Xiaomi     |                                      | d8e7b8fa1a569d8ede2e890aa850c02e
Xiaoyi     |                                      | UrFvIGY7DfoIIan / UrFvIGY7DfoIIan
ZTE        |                                      | CiV6vk1WE4MsvsPT
The detailed dataset information and vendor confirmation results for our findings are listed below.

Evaluation Dataset and Confirmation Results

IoT Vendor | Device Type   | Device Model | Companion App         | Confirmed
BroadLink  | Smart Plug    | SP 4L        |                       | Yes (CNVD-2021-73144)
Haier      | Smart Camera  | HCC-22B20-W  | com.haier.uhome.uplus | Yes (CNVD-2021-90790, CNVD-2021-90791)
Horn       | Smart Gateway | T2           | com.huawei.smarthome  | Yes (CNVD-2021-39530)
Qihoo      | Smart Camera  | AP5CA1       |                       | Waiting
Tuya       | Smart Plug    | YKYC-W1Y0-16 |                       | Yes (CNVD-2021-73145)
Xiaomi     | Smart Gateway | DGNWG02LM    | com.xiaomi.smarthome  | Yes (CNVD-2021-73140)
Xiaoyi     | Smart Camera  | YHS-113      | com.ants360.yicamera  | Yes (CNVD-2021-90647)
ZTE        | Smart Camera  | C320         | com.ztesoft.homecare  | Yes (CNVD-2021-73142)

"Waiting" means we have reported the issue to the IoT vendor and are waiting for confirmation.