Next Article in Journal
Efficient Support Vector Regression for Wideband DOA Estimation Using a Genetic Algorithm
Previous Article in Journal
Decoding Poultry Welfare from Sound—A Machine Learning Framework for Non-Invasive Acoustic Monitoring
Previous Article in Special Issue
Malicious Traffic Detection Method for Power Monitoring Systems Based on Multi-Model Fusion Stacking Ensemble Learning
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
This is an early access version, the complete PDF, HTML, and XML versions will be available soon.
Article

Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices

College of Computer Science and Technology, National University of Defense Technology, No.137 Yanwachi Street, Changsha 410073, China
*
Author to whom correspondence should be addressed.
Both authors contributed equally to this work.
Sensors 2025, 25(9), 2913; https://doi.org/10.3390/s25092913
Submission received: 31 March 2025 / Revised: 29 April 2025 / Accepted: 2 May 2025 / Published: 5 May 2025
(This article belongs to the Special Issue IoT Network Security (Second Edition))

Abstract

Broken access control vulnerabilities pose significant security risks to the protected web interfaces of IoT devices, enabling adversaries to gain unauthorized access to sensitive configurations and even use them as stepping stones for attacking the intranet. Despite its ranking as the first in the latest OWASP Top 10, there remains a lack of effective methodologies to detect these vulnerabilities systematically. We present ACBreaker, a novel methodology powered by a large language model (LLM), to effectively identify broken access control vulnerabilities in the protected web interfaces of IoT devices. Our methodology consists of three stages. The initial stage transforms firmware code that exceeds the LLM context window into semantically intact code snippets. The second stage involves using an LLM to extract device-specific information from firmware code. The final stage integrates this information into the mutation-based fuzzer to improve fuzzing effectiveness and employ differential analysis to identify vulnerabilities. We evaluated ACBreaker across 11 IoT devices, analyzing 1,274,646 lines of code and discovering 39 previously unknown vulnerabilities. We further analyzed these vulnerabilities, categorizing them into three types that contribute to protected interface evasion, and provided mitigation suggestions. These vulnerabilities were responsibly disclosed to vendors, with CVE IDs assigned to those in six IoT devices.
Keywords: protected web interfaces; broken access control; large language model; mutation-based fuzzing; internet of things protected web interfaces; broken access control; large language model; mutation-based fuzzing; internet of things

Share and Cite

MDPI and ACS Style

Wang, E.; Xie, W.; Li, S.; Liu, R.; Zhou, Y.; Wang, Z.; Ma, S.; Yang, W.; Wang, B. Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices. Sensors 2025, 25, 2913. https://doi.org/10.3390/s25092913

AMA Style

Wang E, Xie W, Li S, Liu R, Zhou Y, Wang Z, Ma S, Yang W, Wang B. Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices. Sensors. 2025; 25(9):2913. https://doi.org/10.3390/s25092913

Chicago/Turabian Style

Wang, Enze, Wei Xie, Shuhuan Li, Runhao Liu, Yuan Zhou, Zhenhua Wang, Shuoyoucheng Ma, Wantong Yang, and Baosheng Wang. 2025. "Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices" Sensors 25, no. 9: 2913. https://doi.org/10.3390/s25092913

APA Style

Wang, E., Xie, W., Li, S., Liu, R., Zhou, Y., Wang, Z., Ma, S., Yang, W., & Wang, B. (2025). Large Language Model-Powered Protected Interface Evasion: Automated Discovery of Broken Access Control Vulnerabilities in Internet of Things Devices. Sensors, 25(9), 2913. https://doi.org/10.3390/s25092913

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop