The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force.

While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with. This research was undertaken to start those conversations and encourage further interest.

ThingsBoard is an open source IoT platform designed with the intention of supporting as many different types of IoT devices as possible. Founded in 2016, this Ukraine-based organization quickly rose in popularity amongst both IoT enthusiasts and industry professionals. With thousands of active deployments ranging from small IoT developments to city infrastructure monitoring and management, ThingsBoard is one of the more popular open-source IoT platform solutions.

As a result of this project, a vulnerability involving insecure secret key management was discovered. This vulnerability, CVE-2023-26462, can be leveraged to escalate privileges within the system, using the secret key to manipulate the JSON Web Tokens underpinning the authentication system for the platform.

JSON Web Tokens

Before diving into the details of what the research found, a brief overview of JSON Web Tokens (JWTs) is in order. JWTs have become increasingly popular as a means of providing secure, stateless authentication for web and mobile applications. They are a compact, URL-safe means of representing claims to be transferred between two parties. There are three sections that make up the JWT: header, payload, and signature.

The JWT header contains metadata about the token, such as the signing algorithm. The payload contains the claims that are being transmitted, such as the User ID, role, and token lifetime. Lastly, the signature is a cryptographic signature used to verify that the contents of the payload are valid and have not been tampered with. This signature is generated using the algorithm specified in the header of the JWT and a secret key that resides on the server.

Protection of this key is critical. Unauthorized access to the key allows for arbitrary modification of claims stored within the payload, which in turn opens the door for unintended use. We will see an example of this in the IoT platform that was the subject of the research, ThingsBoard.

ThingsBoard

Like many web applications, ThingsBoard makes use of JSON Web Tokens for user authentication and authorization. These tokens identify the user account and define which tenants that user can access. It is intended that these claims about the user are set by the server which issues the token and are then protected from tampering through the inclusion of the digital signature. If the signature is valid, any claims included in the payload will be assumed valid and therefore trusted by the server. In cases where a strong secret key is used, this system is generally secure.

However, during a review of the ThingsBoard source code, a static default secret key was discovered.

Using this key, it is possible to re-sign JWTs that have been modified, before sending them back to the server for validation. The signature will appear to be valid, as it was generated using the correct key, and thus the server will trust the claims made in the payload. One such claim made in the ThingsBoard platform is the role of the logged-in user account.

By editing this role value and generating a new, valid signature for the payload, a user can escalate privileges within the platform to the highest level. This grants access throughout the entirety of the platform, including other tenants, users, and devices not affiliated with the original account.

Because ThingsBoard allowed the default key to be used without requiring administrators to change it, and because that default key was also exposed publicly in the configuration files, the door was opened for attackers to gain unauthorized access in excess of what is intended.

Conclusion

IBM X-Force has brought this issue to the attention of the developers, and as of ThingsBoard version 3.4.2 a new system has been implemented. Rather than using a hardcoded default key, ThingsBoard will now generate a random secret key for new deployments and upgrades. There is no patch for earlier versions, so an update to version 3.4.2+ is recommended.

On existing deployments where updating may be a lengthy process, administrators are encouraged to check the secret key and ensure that it has not been left as the default string. This can be done either directly through the configuration file or through the System Administrator dashboard.
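As an added example (not ThingsBoard's own code), the two checks the advice above amounts to, written in standard-library Python: auditing a configured HS256 signing secret against a minimum length and a placeholder list of known default values, and verifying a token's signature so that any token signed under a different key, a default included, is rejected. The denylist entries, claim names and secrets used here are constructed values.

```python
"""Added example (not ThingsBoard code): audit an HS256 JWT signing secret and
verify tokens with it, the checks behind 'make sure the key is not the default'."""
import base64
import hashlib
import hmac
import json

# Placeholder denylist (constructed values): fill it with the default and
# sample secrets documented for your own platform and version.
KNOWN_DEFAULT_SECRETS = {"CHANGE_ME_default_jwt_secret", "secret"}
MIN_SECRET_BYTES = 32  # RFC 7518 3.2: HS256 key at least as long as the hash output

def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def audit_secret(secret):
    """Return the findings for a configured signing secret (empty list = ok)."""
    findings = []
    if secret in KNOWN_DEFAULT_SECRETS:
        findings.append("secret matches a known default value")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append("secret shorter than %d bytes" % MIN_SECRET_BYTES)
    return findings

def _hs256(head, body, secret):
    msg = ("%s.%s" % (head, body)).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Server side: issue header.payload.signature for the given claims."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (head, body, b64url_encode(_hs256(head, body, secret)))

def verify_hs256(token, secret):
    """Return the claims if the signature checks out under `secret`, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None  # the token must not pick its own algorithm
        if not hmac.compare_digest(_hs256(head, body, secret), b64url_decode(sig)):
            return None  # claims were altered or signed with a different key
        return json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
```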

ThingsBoard is just one among many IoT Platforms which, much like the devices that connect to them, all deserve further research and scrutiny. Adoption of IoT devices in all industries will only continue to grow, and with it the need to ensure security in the platforms managing devices and collecting data. The conversation has been started; what will you do to be a part of it?
