security & privacy flaws in end-user iot programming · flickr – upload a new public photo...
TRANSCRIPT
Mellon University
Security & Privacy Flaws in End-User IoT Programming
Milijana Surbatovich, Jassim Aljuraidan, Lujo Bauer, Anupam Das, Limin Jia
Three plead guilty in development of Mirai cyber weapon
.. IC:.CMlkn
Your Wi.Fi-conncctcd thcrn1ostat can take do,,rn the ,vhole lnternet. \Ve need new regulations.
'GOl/!, WHAJH'' -
New IoT botnet offers DDoSes of onceunimaginable sizes for $20
Smart Devices → new security concerns
Attackers
Three plead guilty in development of Mirai cyber weapon
.. IC:.CMlkn
Your Wi.Fi-conncctcd thcrn1ostat can take do,,rn the ,vhole lnternet. \Ve need new regulations.
'GOl/!, WHAJH'' -
New IoT botnet offers DDoSes of onceunimaginable sizes for $20
Smart Devices → new security concerns
Attackers Accidents
Image: Strava
IFTTT – more devices, more problems?
IFTTT allows users to connect the behavior of their IoT devices and online services
IFTTT – more devices, more problems?
IFTTT allows users to connect the behavior of their IoT devices and online services
if Turn on my
then
Post a tweet I’m close to home Fitbit logs 10,000 Nest steps thermostat
if then
IFTTT – more devices, more problems?
IFTTT allows users to connect the behavior of their IoT devices and online services
Fitbit logs 10,000
if then
Post a tweet I’m close to home
if then
Turn on my Nest
steps thermostat
Can IFTTT applets have harmful side effects?
IFTTT terminology
An Applet:
Trigger Action
if then
IFTTT terminology
An Applet:
Trigger Action
if then
Gmail – I receive a new email Fitbit – My daily step goal reached Facebook – I’m tagged in a photo …
Facebook – create new status Nest Thermostat – set the temperature Flickr – Upload a new public photo …
Things can go wrong! Intended:
if then
Upload public Take a photo with photo to my iPhone Unintended: Flickr
Things can go wrong! Intended:
if then
Upload public Take a photo with photo to my iPhone Unintended: Flickr
Secrecy Problem Applets can leak private information
CTA Images • illust rationsOl.com/45 438
Things can go wrong!
Intended:
if then
I’m tagged in a New Facebook photo status Unintended:
CTA Images • illust rationsOl.com/45 438
Things can go wrong!
Intended:
if then
I’m tagged in a New Facebook photo status Unintended:
Integrity Problem Applets can be triggered by untrusted sources
Our goals and approach
Systematically analyze IFTTT applets for potentially harmful side effects 1. categorize secrecy and integrity levels of each trigger and action
2. define unsafe combinations of levels 3. analyze applets at scale
I.,..____ _____Jr
• ••• ••••• ••• • fit bit
Defining secrecy levels New weight logged
Private
I.,..____ _____Jr
• ••• ••••• ••• • fit bit
Defining secrecy levels New weight logged
Viewing temperature
Private
Restricted Physical
I - _____Jr
• ••• ••••• ••• • fit bit
Defining secrecy levels
Update status
New weight logged
Private Viewing temperature
Restricted Physical
Restricted Online
jr--ra=======::::::::::::::: _----JI' • ••• ••••• ••• •
fit bit
Defining secrecy levels New weight logged
Update status
Private Viewing temperature
A new article
Restricted Physical
Restricted Online
Public
I r
Secrecy lattice
Private
Restricted Physical
Restricted Online
Bad Good flow flow
Public
_J _r J - _r
Examples of secrecy violations
if then
Upload public photo to
Flickr
Public Private
Take a photo with my iPhone
_J _r J - _r
Examples of secrecy violations
Take a photo with my iPhone
if Upload public
photo to Flickr
New Strava Activity
if then
Post tweet with image
Private
Private Restricted Online
then Public
I
Defining integrity levels
Restricted Physical
Ask Alexa
New top post
Trusted
Untrusted
Restricted Online
I r J
Integrity lattice Untrusted
Restricted Physical
Bad Good Restricted Online flow flow
Trusted
,_ 11
'"'----I _____,Jr ,:
Examples of integrity violations
I’m tagged in a photo
if then
New Facebook status
Restricted Online
Trusted
,_ 11
'"'----I _____,Jr ,:
Examples of integrity violations
I’m tagged in a photo
if New Facebook
status
New attachment in inbox
if then
Upload file to OneDrive
Untrusted Trusted
Restricted Online
Trusted then
Dataset and analysis Used the label lattice to detect potentially harmful applets at scale 19,323 unique applets, 200,000+ total 876 triggers over 251 channels, 470 actions over 218 channels
Dataset and analysis Used the label lattice to detect potentially harmful applets at scale 19,323 unique applets, 200,000+ total 876 triggers over 251 channels, 470 actions over 218 channels We labeled all these triggers & actions and ran queries to detect violations of the rules
50% safe
50% violating
17% secrecy
10% both 23%
integrity
Analysis of 19,323 applets
C: 0 ·-~ co -0 ·-
Private - Restricted Online
Private - Restricted Physical
Private - Public
> Restricted Physical - Restricted Online ~
~ Restricted Online - Restricted Physical -(.) Q,)
en Restricted Online - Public
Restricted Physical - Public I '-,----~---~---~---~ 0% 10% 20% 30% 40%
Percentage of violating flows
Breakdown of secrecy violations
if then
Upload to Daily step goal Facebook reached
C: 0 ·-... ca -0 ·-> ~
Untrusted Trusted
Trusted Other Trusted
Restricted Physical Trusted
Restricted Online Trusted
Untrusted Group - Trusted
Untrusted - Restricted Online
·.:::: Untrusted - Restricted Physical C)
.!? Restricted Physical - Restricted Online C:
Untrusted Group - Restricted Online I Restricted Online - Restricted Physical I Untrusted Group - Restricted Physical I
0% 10% 20% 30% Percentage of violating flows
Breakdown of integrity violations
if then
New Photo on Update phone sub-reddit wallpaper
Mellon University
Summary & take-away • 49.9% of IFTTT applets potentially unsafe • Can cause personal, physical, or cyber-related harms • Security lattices are an interesting way to systematically reason about applets • Need tools to help with awareness, decision-making
Some Recipes Can Do More Than Spoil Your Appetite: Analyzing the Security and Privacy Risks of IFTTT Recipes
Milijana Surbatovich, Jassim Aljuraidan, Lujo Bauer, Anupam Das, Limin Jia