Missing Access Control on Device Registration
Description
The registerDevice function in DeviceRegistry.sol is publicly accessible (external) and does not include any access control modifiers (such as onlyOwner).
Because of this, any Ethereum address can call the function and register itself as a valid device.
Impact
An attacker can register a malicious device and bypass the intended hardware authenticity mechanism.
Once registered, the attacker-controlled device can:
- Appear as a legitimate LensMint Camera
- Call mintOriginal on the LensMintERC1155 contract
- Mint authentic-looking NFTs for arbitrary images
This completely bypasses the physical camera hardware requirement, undermining the trust model of the system.
Reproduction Steps (Smart Contract Level)
1. Deploy DeviceRegistry.sol to a local Hardhat or Foundry node.
2. An attacker (Account B) connects to the deployed contract.
3. The attacker calls registerDevice with their own parameters:
```
registerDevice(
    attackerAddress,
    "fakePublicKey",
    "fakeDeviceId",
    "fakeCameraId",
    "Hacked Model",
    "1.0"
);
```
4. The transaction succeeds because there are no ownership checks.
5. Calling:
```
isDeviceActive(attackerAddress)
```
returns
This confirms that the attacker’s address has been successfully registered as a valid device.
Code Reference
File: DeviceRegistry.sol
Lines: 42–74
```
function registerDevice(
    // ... parameters ...
) external {
    // ... requires ...
    // 🚨 MISSING ACCESS CONTROL
    // require(msg.sender == owner, "Only owner can register devices");
    DeviceInfo memory newDevice = DeviceInfo({
        deviceAddress: _deviceAddress,
        // ...
        registeredBy: msg.sender // Attacker sets themselves as the registrar
    });
    // ... state updates ...
}
```
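A hardened form of the registration path, as an added example that is not the project's own code: registration is gated behind an owner check, and each registration emits an event so it can be audited off-chain. Only registerDevice, isDeviceActive, deviceAddress and registeredBy come from the report; the contract name, the reduced parameter list, the remaining struct fields, the errors and the event are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example; every name not in the report is an assumption (marked below).
contract DeviceRegistryHardened {
    struct DeviceInfo {
        address deviceAddress;
        string publicKey;      // assumed field
        string deviceId;       // assumed field
        address registeredBy;
        bool isActive;         // assumed field
    }

    address public immutable owner;
    mapping(address => DeviceInfo) private devices;

    error NotOwner(address caller);
    error AlreadyRegistered(address device);
    event DeviceRegistered(address indexed device, address indexed registeredBy);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender; // the deployer is the only account allowed to register
    }

    function registerDevice(
        address _deviceAddress,
        string memory _publicKey,
        string memory _deviceId
    ) external onlyOwner {
        require(_deviceAddress != address(0), "zero device address");
        if (devices[_deviceAddress].deviceAddress != address(0)) revert AlreadyRegistered(_deviceAddress);
        devices[_deviceAddress] = DeviceInfo({
            deviceAddress: _deviceAddress,
            publicKey: _publicKey,
            deviceId: _deviceId,
            registeredBy: msg.sender, // always the owner once the modifier is in place
            isActive: true
        });
        emit DeviceRegistered(_deviceAddress, msg.sender);
    }

    function isDeviceActive(address _deviceAddress) external view returns (bool) {
        return devices[_deviceAddress].isActive;
    }
}
```

With this modifier in place, the call from Account B in the reproduction steps reverts with NotOwner, and isDeviceActive for that address stays false.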