Securing IoT Apps in Node-RED
Type
Master's thesis
Abstract
Node-RED, an Internet of Things (IoT) platform, provides the opportunity for users
to connect devices and services in novel and useful ways. This platform gives users a
graphical web interface for easily linking pre-defined pieces of code (nodes) encoding
devices and services. Because the platform is built on Node.js, third-party developers
can easily extend its functionality by publishing
nodes and configurations of these nodes, otherwise known as flows. In this paper,
we analyze Node-RED from a language-based security perspective, modeling the
application developer as an attacker, and demonstrating attacks misusing sensitive
APIs within nodes. API access control provides a security guarantee around the execution
of these nodes. We collect and survey published nodes and flows to establish
the presence of these security challenges within the Node-RED ecosystem.
Keywords
Computer security, Internet of Things, Node-RED, Node.js, JavaScript
