If This Then What? Controlling Flows in IoT Apps
Paper in proceeding, 2018

IoT apps empower users by connecting a variety of otherwise unconnected services. These apps (or applets) are triggered by external information sources to perform actions on external information sinks. We demonstrate that the popular IoT app platforms, including IFTTT (If This Then That), Zapier, and Microsoft Flow are susceptible to attacks by malicious applet makers, including stealthy privacy attacks to exfiltrate private photos, leak user location, and eavesdrop on user input to voice-controlled assistants. We study a dataset of 279,828 IFTTT applets from more than 400 services, classify the applets according to the sensitivity of their sources, and find that 30% of the applets may violate privacy. We propose two countermeasures for short- and longterm protection: access control and information flow control. For short-term protection, we suggest that access control classifies an applet as either exclusively private or exclusively public, thus breaking flows from private sources to sensitive sinks. For longterm protection, we develop a framework for information flow tracking in IoT apps. The framework models applet reactivity and timing behavior, while at the same time faithfully capturing the subtleties of attacker observations caused by applet output. We show how to implement the approach for an IFTTT-inspired setting leveraging state-of-the-art information flow tracking techniques for JavaScript based on the JSFlow tool and evaluate its effectiveness on a collection of applets.

IoT apps

Information flow

access control

Author

Iulia Bastys

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Musard Balliu

Royal Institute of Technology (KTH)

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Proceedings of the ACM Conference on Computer and Communications Security

15437221 (ISSN)

1102-1119
978-1-4503-5693-0 (ISBN)

ACM SIGSAC Conference on Computer and Communications Security, CCS 2018
Toronto, Canada,

Subject Categories

Computer and Information Science

DOI

10.1145/3243734.3243841

More information

Latest update

3/21/2023