The Internet of Things (IoT) paradigm has widespread applications across many fields in which private and sensitive user or environmental data are sensed and shared. Most present-day IoT applications depend on centralized cloud servers for authentication and access control. Validating the identity of a user and determining the legitimacy of his/her access requests require multiple rounds of data communications over the untrusted Internet, exposing sensitive data to potential attacks. Thus, protecting these data from security and privacy attacks and ensuring legitimate access is imperative. To address this challenge, we adopt an emerging technology called blockchain to propose a decentralized security framework called BloAC. It ensures secure access control in IoT networks without the intervention of the back-end cloud. We have used the Hyperledger Fabric, an open-source, permissioned blockchain platform, for implementing a prototype system using customized attribute-based access control (ABAC) policies. We have performed simulated and real test bed-based experiments to illustrate that BloAC outperforms the cloud server-based access control in latency and scalability. Finally, we conduct a security analysis to formally verify the ABAC policies used in BloAC and establish its robustness against attacks theoretically and using the AVISPA tool.