How does attacking IoT cloud platforms differ from traditional IoT device attacks?

Traditional IoT attacks target internet-exposed devices with vulnerable services, while cloud platform attacks target the vendor infrastructure that devices connect to by default. This requires chaining multiple vulnerabilities—first compromising device authentication to access the cloud broker, then escalating privileges to impersonate the cloud itself. It's a multi-stage operation that can reach devices not directly exposed to the internet, making it more sophisticated but potentially more impactful than scanning for exposed devices on Shodan.

What is the Open Sesame attack and how does it work?

Open Sesame is a proximity-based attack where an attacker physically near a Ruijie device captures Wi-Fi beacons that broadcast the device's serial number. Using this identifier and the discovered vulnerabilities, the attacker can authenticate to the cloud platform, impersonate the device, and gain access to the internal network. This drive-by attack scenario is particularly concerning for offices and buildings where an attacker could walk through with a laptop and compromise networks without triggering the detection that mass-scale attacks might cause.

Attacking IoT Cloud Platforms: Ruijie Networks Research

Name: Attacking IoT Cloud Platforms: Ruijie Networks Research
Uploaded: 2026-05-08T19:18:16-04:00
Duration: 31 min 39 s
Description: Claroty Team82's Noam Moshe and Tomer Goldschmidt join the Nexus Podcast to discuss the research team's latest publication on 10 vulnerabilities discovered in Ruijie Networks' Reyee OS cloud platform. A chain of these vulnerabilities could allow an ...

Claroty

05/08/2026

0 (0%)

Report Like Favorite

TL;DR

Team82 discovered 10 vulnerabilities in Ruijie Networks' cloud platform that allowed remote code execution on any connected device by exploiting weak device authentication based on serial numbers and MAC addresses
The attack chain leveraged MQTT broker misconfigurations to impersonate both devices and the cloud platform, leaking sensitive information about all Ruijie devices globally and enabling full remote control
A proximity attack called Open Sesame allows attackers to capture device identifiers from Wi-Fi beacons and infiltrate internal networks without mass-scale detection
Ruijie responded rapidly with comprehensive fixes addressing both specific vulnerabilities and architectural authentication flaws, patching some issues within hours of disclosure
The research highlights a critical gap in IoT security: while user authentication has matured, device authentication remains weak because vendors assume their own hardware can be trusted

IoT Cloud Attack Surface and Research Strategy

Team82 researchers Noam Moshe and Tomer Goldschmidt explain their focus on IoT cloud platforms as a critical but underexplored attack surface. Unlike traditional IoT vulnerabilities in exposed devices, their research targets the vendor cloud infrastructure that IoT devices connect to by default. This connectivity creates a backdoor into secure networks even when devices aren't directly exposed to the internet. The team emphasizes that while user authentication has matured with strong protocols and multi-factor authentication, device authentication remains a weak point. Vendors often assume their own devices can be trusted, leading to inadequate validation of device credentials and creating opportunities for attackers to impersonate legitimate devices.

Ruijie Networks Vulnerability Chain and Remote Code Execution

The research uncovered 10 vulnerabilities in Ruijie Networks' Reyee OS cloud platform, which manages routers and access points globally. The attack chain begins with generating valid device credentials using non-secret identifiers like serial numbers and MAC addresses—information readily available on device labels and in unboxing videos. By exploiting weak device authentication, researchers connected to Ruijie's MQTT broker and escalated privileges to impersonate the cloud platform itself. This allowed them to send commands to any cloud-connected device, achieving full remote code execution capabilities. The MQTT broker misconfiguration also leaked sensitive information about all connected devices worldwide, including network topology, device status, and user configuration changes.

Open Sesame Proximity Attack and Vendor Response

Team82 developed a second attack vector called Open Sesame, targeting organizations that want to avoid mass-scale detection. By sniffing Wi-Fi beacons broadcast by Ruijie devices, attackers in physical proximity can capture serial numbers and use the same vulnerability chain to infiltrate specific networks. This drive-by attack scenario poses risks to offices, terminals, and households using Ruijie access points. Ruijie responded quickly and comprehensively to the disclosure, working with CISA to patch vulnerabilities within hours to days. The fixes included both specific code corrections and broader architectural changes to device authentication mechanisms. All reported vulnerabilities have been remediated, and the vendor demonstrated strong security awareness throughout the coordinated disclosure process.

Chapters

0:00 - Introduction and Episode Overview
1:52 - IoT Cloud Research Strategy
4:56 - Common Cloud Vulnerabilities
9:52 - Ruijie Networks as Research Target
14:49 - Attack Sophistication and Scope
17:23 - Vulnerability Chain Walkthrough
22:47 - MQTT Protocol Exploitation
25:39 - Vendor Disclosure and Response
27:04 - Open Sesame Proximity Attack
29:53 - Fix Implementation and Conclusion

Key Quotes

2:24 "... one of the biggest black spots in most networks that we can see is the unknown IoT devices, because at the end of the day, you buy an IoT device and you are not aware what is going on behind the scenes, under the hood, and what the device actually does ..."
7:02 "... when we're talking about device authentication and device authorization, this is less known and less explored attack surface. Because for a user, you have two factor, you have email, strong passwords, you have JWT, you have all of this infrastructure in place to make sure everything is valid, correct, and good. However, for device credentials, device authentication, this is not as relevant and not as explored ..."
9:03 "... the base view of Rigi was that a device is not a rogue device, that it can be trusted. Why? Well, because it's their code, their device, they control it. However, this idea of an attacker impersonating a device, doing something fake on its behalf, sending payloads as a device did not occur to them and was less explored ..."
18:52 "Because Ruijin and many other IoT vendors relied on these identifiers, which are not treated as secrets, to validate device credentials, we were able to basically leak and generate valid credentials and connect to Ruijin's MQTT broker that handles all Ruijin cloud platform communication ..."
24:51 "... by just being able to gain access to these messages, this was already a very, very severe security issue. Because through it, you are able to both know and have leak information about basically anything that happens to RAID devices all around the world ..."

Categories:

» Cybersecurity » Network Security
» Data Protection

Tags:

Show more Show less

TL;DR

IoT Cloud Attack Surface and Research Strategy

Ruijie Networks Vulnerability Chain and Remote Code Execution

Open Sesame Proximity Attack and Vendor Response

Chapters

Key Quotes

Action1: Vulnerability Digest--Patch Tuesday & Other Updates

Understanding the True Costs of DIY Data Classification vs. Buying Solutions

Stay Informed on the Latest Keepit Partner Developments – June 23

Generative AI Security: Preventing AI from Becoming a Data Breach Multiplier