Security Analysis of Emerging Smart Home Applications

Summary and FAQ

We performed the first in-depth empirical security analysis of a popular emerging smart home programming platform---Samsung SmartThings. We evaluated the platform's security design, and coupled that with an analysis of 499 SmartThings apps (also called SmartApps) and 132 device handlers using static code analysis tools that we built.
  • What are your key findings?
    • Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pincodes.
  • Why SmartThings?
    • Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. We analyzed Samsung-owned SmartThings because it has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks.
  • Can you explain overprivilege, and what you found specifically for SmartThings?
    • Overprivilege is a security design flaw wherein an app gains access to more operations on protected resources than it requires to complete its claimed functionality. For instance, a battery manager app only needs access to read battery levels of devices. However, if this app can also issue operations to control the on/off status of those devices, that would be overprivilege. We found two forms of overprivilege for SmartThings. First, coarse-grained capabilities cause over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. Our analysis reveals that 42% of existing SmartApps are overprivileged in this way.
  • How can attackers exploit these design flaws?
    • We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. Details on how these attacks work are in our research paper linked below.
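To make the two forms of overprivilege concrete, here is an added, self-contained model of the check a static analyzer would perform (example code written for this page, not the authors' GitHub tool). The capability and device tables are a constructed, abbreviated subset of the SmartThings capability model; `ops_for`, `analyze` and `battery_manager` are names chosen here.

```python
from dataclasses import dataclass
# Constructed subset of the SmartThings capability model (real capability
# names, abbreviated command/attribute lists).
CAPABILITIES = {
    "capability.battery": {"commands": set(), "attributes": {"battery"}},
    "capability.switch": {"commands": {"on", "off"}, "attributes": {"switch"}},
    "capability.lock": {"commands": {"lock", "unlock"}, "attributes": {"lock"}},
}
# Constructed device handlers: the capabilities each device type implements.
DEVICES = {
    "smart-lock": {"capability.lock", "capability.battery"},
    "motion-sensor": {"capability.battery"},
}
@dataclass
class SmartApp:
    name: str
    requested: set          # capabilities named in the app's input() block
    used_commands: set      # device commands the app's code actually calls
    used_attributes: set    # device attributes the app's code actually reads
    bound_devices: frozenset = frozenset()  # devices the user selected at install

def ops_for(caps):
    """All commands and attributes reachable through a set of capabilities."""
    cmds, attrs = set(), set()
    for c in caps:
        cmds |= CAPABILITIES[c]["commands"]
        attrs |= CAPABILITIES[c]["attributes"]
    return cmds, attrs

def analyze(app):
    """Report both forms of overprivilege described on this page."""
    # Form 1: a coarse-grained capability bundles operations the app never uses.
    cmds, attrs = ops_for(app.requested)
    unused = {"commands": cmds - app.used_commands,
              "attributes": attrs - app.used_attributes}
    # Form 2: coarse binding grants every capability the bound device implements.
    extra_caps = set()
    for dev in app.bound_devices:
        extra_caps |= DEVICES[dev] - app.requested
    extra_cmds, extra_attrs = ops_for(extra_caps)
    return {"coarse_capability": unused,
            "coarse_binding": {"capabilities": extra_caps,
                               "commands": extra_cmds, "attributes": extra_attrs},
            "overprivileged": bool(unused["commands"] or unused["attributes"]
                                   or extra_cmds or extra_attrs)}
def battery_manager():
    """The page's battery-manager example: it only needs to read battery levels."""
    return SmartApp("battery-manager", {"capability.battery"}, set(), {"battery"},
                    frozenset({"smart-lock", "motion-sensor"}))
```

Running `analyze(battery_manager())` shows that the app asks only for `capability.battery`, yet by being bound to the lock it can reach `lock` and `unlock`; an app requesting `capability.switch` while only reading the `switch` attribute is flagged for the first form instead.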

  • Code & Tools

    We have made three programming resources available on GitHub:

    • Static analysis tool that computes overprivilege in SmartApps.
    • Python script that automatically creates skeleton device handlers inside the SmartThings IDE.
    • Capability documentation that we used in our analysis.
    Tools on GitHub

    Research Paper -- Distinguished Practical Paper Award at IEEE S&P 2016 ("Oakland")

    Download PDF

    When referring to our work, please cite it as:

    Earlence Fernandes, Jaeyeon Jung, and Atul Prakash
    Security Analysis of Emerging Smart Home Applications
    In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016

    or, use BibTeX for citation:

    @InProceedings{smartthings16,
      author = {Earlence Fernandes and Jaeyeon Jung and Atul Prakash},
      title = {{S}ecurity {A}nalysis of {E}merging {S}mart {H}ome {A}pplications},
      booktitle = {Proceedings of the 37th {IEEE} Symposium on Security and Privacy},
      month = May,
      year = 2016
    }

    Attack Demos

    Pincode Snooping

    Backdoor Pincode Injection

    Disabling Vacation Mode

    Fake Fire Alarm


    Team

    Earlence Fernandes, Ph.D. Candidate, University of Michigan

    Jaeyeon Jung, Principal Security Architect, Microsoft Research

    Atul Prakash, Professor, University of Michigan


    Acknowledgements




    FlowFence: Practical Data Protection for Emerging IoT Application Frameworks

    Summary

    Emerging IoT programming frameworks enable building apps that compute on sensitive data produced by smart homes and wearables. However, these frameworks only support permission-based access control on sensitive data, which is ineffective at controlling how apps use data once they gain access. To address this limitation, we present FlowFence, a system that requires consumers of sensitive data to declare their intended dataflow patterns, which it enforces with low overhead, while blocking all other undeclared flows. FlowFence achieves this by explicitly embedding data flows and the related control flows within app structure. Developers use FlowFence support to split their apps into two components: (1) a set of Quarantined Modules that operate on sensitive data in sandboxes, and (2) code that does not operate on sensitive data but orchestrates execution by chaining Quarantined Modules together via taint-tracked opaque handles, i.e., references to data that can only be dereferenced inside sandboxes. We studied three existing IoT frameworks to derive key functionality goals for FlowFence, and we then ported three existing IoT apps. Securing these apps using FlowFence resulted in an average increase in size from 232 lines to 332 lines of source code. Performance results on ported apps indicate that FlowFence is practical: a face-recognition-based door-controller app incurred a 4.9% latency overhead to recognize a face and unlock a door.
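The split described above, as an added toy model written for this page rather than FlowFence's own code: raw sensitive values live only in a `Sandbox`, orchestration code sees them only as taint-tracked `OpaqueHandle`s, and a handle can be released to a sink only if every source it is tainted by declared that flow. The face-recognition door controller, the `camera` and `door-lock` labels, and the `face:<name>` frame format are constructed stand-ins.

```python
from dataclasses import dataclass

class FlowViolation(Exception):
    """Raised when tainted data would reach a sink the app never declared."""

@dataclass(frozen=True)
class OpaqueHandle:
    ref: int            # index into the sandbox store; meaningless outside it
    taint: frozenset    # source labels the data derives from, e.g. {"camera"}

class Sandbox:
    """Holds raw sensitive values; only Quarantined Modules execute on them."""
    def __init__(self, declared_flows):
        self._store = {}                 # ref -> raw value, never handed out
        self._flows = declared_flows     # source label -> set of allowed sinks

    def _wrap(self, value, taint):
        ref = len(self._store)
        self._store[ref] = value
        return OpaqueHandle(ref, frozenset(taint))

    def quarantine(self, value, source):
        """Entry point for a trusted source (camera, lock) to inject raw data."""
        return self._wrap(value, {source})

    def run_qm(self, qm, *handles):
        """Run a Quarantined Module on dereferenced inputs; output inherits taints."""
        raw_inputs = [self._store[h.ref] for h in handles]
        taint = frozenset().union(*(h.taint for h in handles))
        return self._wrap(qm(*raw_inputs), taint)

    def release(self, handle, sink):
        """Declassify to a sink only if every taint source declared that flow."""
        for src in handle.taint:
            if sink not in self._flows.get(src, set()):
                raise FlowViolation(f"undeclared flow: {src} -> {sink}")
        return self._store[handle.ref]

# Quarantined Modules: the only code that ever sees raw camera data.
AUTHORIZED_FACES = {"alice"}                 # constructed allow-list

def extract_features(frame):                 # stand-in for face recognition
    return frame.split(":", 1)[1]

def is_authorized(features):
    return features in AUTHORIZED_FACES

# Orchestration code: untainted, chains QMs through handles it cannot read.
def door_controller(sb, frame_handle):
    features = sb.run_qm(extract_features, frame_handle)
    decision = sb.run_qm(is_authorized, features)
    return sb.release(decision, "door-lock")  # must be a declared flow
```

With `Sandbox({"camera": {"door-lock"}})`, `door_controller(sb, sb.quarantine("face:alice", "camera"))` returns `True`, while trying to `release` any camera-derived handle to an undeclared sink such as `"internet"` raises `FlowViolation`.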

    Code

    Coming soon on GitHub!


    Research Paper

    Download PDF

    When referring to our work, please cite it as:

    Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash
    FlowFence: Practical Data Protection for Emerging IoT Application Frameworks
    In Proceedings of the 25th USENIX Security Symposium, August 2016

    or, use BibTeX for citation:

    @InProceedings{flowfence16,
      author = {Earlence Fernandes and Justin Paupore and Amir Rahmati and Daniel Simionato and Mauro Conti and Atul Prakash},
      title = {{F}low{F}ence: {P}ractical {D}ata {P}rotection for {E}merging {I}o{T} {A}pplication {F}rameworks},
      booktitle = {Proceedings of the 25th {USENIX} Security Symposium},
      month = August,
      year = 2016
    }

    Team

    Earlence Fernandes, Ph.D. Candidate, University of Michigan

    Justin Paupore, Software Engineer, Google

    Amir Rahmati, Ph.D. Candidate, University of Michigan

    Daniel Simionato

    Mauro Conti, Associate Professor, University of Padova

    Atul Prakash, Professor, University of Michigan


    Acknowledgements