Your IoTs Are (Not) Mine: On the Remote Binding Between IoT Devices and Users | IEEE Conference Publication | IEEE Xplore

Abstract:

Nowadays, IoT clouds are increasingly deployed to facilitate users to manage and control their IoT devices. Unlike the traditional cloud services with communication between a client and a server, IoT cloud architectures involve three parties: the IoT device, the user, and the cloud. Before a user can remotely access her IoT device, remote communication between them is bootstrapped through the cloud. However, the security implications of such a unique process in IoT are less understood today. In this paper, we report the first step towards systematic analyses of IoT remote binding. To better understand the problem, we describe the life cycle of remote binding with a state-machine model which helps us demystify the complexity in various designs and systematically explore the attack surfaces. With the evaluation of 10 real-world remote binding solutions, our study brings to light questionable practices in the designs of authentication and authorization, including inappropriate use of device IDs, weak device authentication, and weak cloud-side access control, as well as the impact of the discovered problems, which could cause sensitive user data leak, persistent denial-of-service, connection disruption, and even stealthy device control.
Date of Conference: 24-27 June 2019
Date Added to IEEE Xplore: 22 August 2019
ISBN Information:
Print on Demand(PoD) ISSN: 1530-0889
Conference Location: Portland, OR, USA
