ABSTRACT
The Internet of Things (IoT) has become prevalent in many fields, especially home automation (HA). To control HA-IoT devices more effectively, and in particular to integrate several devices into richer smart functionality, trigger-action programming such as If This Then That (IFTTT) has become a popular paradigm. With it, novice users can easily express their intent as applets that specify how one device/service is controlled through another once a given condition is met. However, users may design IFTTT-style integrations inappropriately, because they lack security experience or are unaware of the security impact of cyber-attacks against individual devices. This has caused financial loss, privacy leakage, unauthorized access and other security issues. To address these problems, this work proposes a systematic framework named MEDIC to model smart home integrations and check their security. It automatically generates models that incorporate the service/device behaviors and the action rules of the applets, while taking into account external attacks and in-device vulnerabilities. Our approach takes around one second to model and check one integration. We carried out experiments on 200 integrations drawn from a user study and from a dataset crawled from ifttt.com. To our great surprise, nearly 83% of these integrations have security issues.
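A toy version of the modeling-and-checking idea the abstract describes, added here as an illustration and not MEDIC's own code or model format: two IFTTT-style applets over a door lock, a presence signal and a motion sensor are explored by bounded reachability, once with every device trusted and once with the motion sensor treated as compromised (able to report motion at any time). The device names, applets and safety property are constructed for the example.

```python
from collections import deque

# Constructed toy model: device attributes and their initial values.
INITIAL = {"presence": "home", "door": "locked", "motion": "idle"}

# Events the environment can raise on its own, as (attribute, new value).
# Genuine "motion":"active" is only possible while someone is home (see successors).
ENV_EVENTS = [("presence", "away"), ("presence", "home"), ("motion", "idle")]

# IFTTT-style applets: (trigger attribute, trigger value) -> (action attribute, action value).
APPLETS = [
    (("motion", "active"), ("door", "unlocked")),   # convenience rule a novice might write
    (("presence", "away"), ("door", "locked")),     # auto-lock when the user leaves
]

def unsafe(state):
    """Safety property: the door must never be unlocked while the user is away."""
    return state["door"] == "unlocked" and state["presence"] == "away"

def successors(state, compromised):
    """Yield (event, next_state) pairs; a compromised motion sensor can spoof motion anytime."""
    events = list(ENV_EVENTS)
    if "motion" in compromised or state["presence"] == "home":
        events.append(("motion", "active"))
    for attr, val in events:
        nxt = dict(state)
        nxt[attr] = val
        pending = [(attr, val)]            # applet actions may trigger further applets
        while pending:
            ev = pending.pop()
            for trig, (a_attr, a_val) in APPLETS:
                if trig == ev and nxt[a_attr] != a_val:
                    nxt[a_attr] = a_val
                    pending.append((a_attr, a_val))
        yield (attr, val), nxt

def check(compromised=()):
    """Breadth-first reachability: return the event trace to an unsafe state, or None if safe."""
    compromised = set(compromised)
    key = lambda s: tuple(sorted(s.items()))
    seen = {key(INITIAL)}
    queue = deque([(INITIAL, [])])
    while queue:
        state, trace = queue.popleft()
        if unsafe(state):
            return trace
        for ev, nxt in successors(state, compromised):
            if key(nxt) not in seen:
                seen.add(key(nxt))
                queue.append((nxt, trace + [ev]))
    return None
```

With all devices trusted the integration is safe; once the motion sensor is assumed compromised the checker returns the two-event counterexample that leaves the door unlocked with nobody home.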