Security Analysis of Emerging Smart Home Applications

Summary and FAQ

We performed the first in-depth empirical security analysis of a popular emerging smart home programming platform---Samsung SmartThings. We evaluated the platform's security design, and coupled that with an analysis of 499 SmartThings apps (also called SmartApps) and 132 device handlers using static code analysis tools that we built.
  • What are your key findings?
    • Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pincodes.
  • Why SmartThings?
    • Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. We analyzed Samsung-owned SmartThings because it has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks.
  • Can you explain overprivilege, and what you found specifically for SmartThings?
    • Overprivilege is a security design flaw wherein an app gains access to more operations on protected resources than it requires to complete its claimed functionality. For instance, a battery manager app only needs to read the battery levels of devices. If that app can also issue operations to control the on/off status of those devices, it is overprivileged. We found two forms of overprivilege in SmartThings. First, coarse-grained capabilities cause over 55% of existing SmartApps to be overprivileged: a capability bundles several commands (for example, lock and unlock) and an app that needs only one of them is granted all of them. Second, coarse SmartApp-SmartDevice binding lets SmartApps invoke operations they never asked for: once an app is bound to a device through one capability, it can use every capability that device supports. Our analysis shows that 42% of existing SmartApps are overprivileged in this way.
  • How can attackers exploit these design flaws?
    • We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. Details on how these attacks work are in our research paper linked below.
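    The two forms of overprivilege above can be measured mechanically. The following is an added example written for this page, not the static analysis tool released with the paper (which works on the Groovy AST rather than with regular expressions). It assumes a constructed subset of the SmartThings capability table, a constructed SmartApp that auto-locks a door, and a constructed device-handler profile for a Z-Wave lock; the capability names (capability.lock, capability.lockCodes, capability.battery, capability.contactSensor) and the `input`/`subscribe` syntax follow the classic SmartThings API, while the commands listed per capability are the example's own data.

```python
import re

# Constructed subset of the SmartThings capability table (example data for this
# walkthrough, not the capability documentation the analysis used). Each entry
# lists the commands and attributes a SmartApp gains when it is granted the
# capability; capability.lock already shows the problem: lock() and unlock()
# are bundled together.
CAPABILITIES = {
    "capability.battery":       {"commands": set(),               "attributes": {"battery"}},
    "capability.contactSensor": {"commands": set(),               "attributes": {"contact"}},
    "capability.switch":        {"commands": {"on", "off"},       "attributes": {"switch"}},
    "capability.lock":          {"commands": {"lock", "unlock"},  "attributes": {"lock"}},
    "capability.lockCodes":     {"commands": {"setCode", "deleteCode"}, "attributes": {"lockCodes"}},
}

# input "locks", "capability.lock", ...   ->  (variable, capability)
INPUT_RE = re.compile(r'input\s+"(\w+)"\s*,\s*"(capability\.\w+)"')
# subscribe(locks, "lock", handler)       ->  (variable, attribute)
SUBSCRIBE_RE = re.compile(r'subscribe\(\s*(\w+)\s*,\s*"(\w+)"')


def parse_inputs(src):
    """Map each device input declared in preferences{} to the capability it requests."""
    return dict(INPUT_RE.findall(src))


def commands_used(src, var):
    """Commands the SmartApp actually invokes on device variable `var`, covering
    direct calls (`locks.lock()`) and iteration (`locks.each { it.lock() }`)."""
    direct = set(re.findall(r'\b%s\.(\w+)\s*\(' % re.escape(var), src))
    iterated = set()
    for body in re.findall(r'\b%s\.each\s*\{([^}]*)\}' % re.escape(var), src):
        iterated.update(re.findall(r'\bit\.(\w+)\s*\(', body))
    return (direct | iterated) - {"each"}


def attributes_used(src, var):
    """Attributes of `var` the SmartApp subscribes to."""
    return {attr for v, attr in SUBSCRIBE_RE.findall(src) if v == var}


def capability_overprivilege(src):
    """Form 1 (coarse-grained capabilities): for each device input, the commands
    and attributes the requested capability grants but the app never uses."""
    report = {}
    for var, cap in parse_inputs(src).items():
        granted = CAPABILITIES[cap]
        report[var] = {
            "capability": cap,
            "unused_commands": sorted(granted["commands"] - commands_used(src, var)),
            "unused_attributes": sorted(granted["attributes"] - attributes_used(src, var)),
        }
    return report


def binding_overprivilege(requested_cap, device_caps):
    """Form 2 (coarse SmartApp-SmartDevice binding): once bound to a device through
    one capability, the app can invoke every command the device handler exposes.
    Return the commands gained beyond the requested capability."""
    requested = CAPABILITIES[requested_cap]["commands"]
    exposed = set().union(*(CAPABILITIES[c]["commands"] for c in device_caps))
    return sorted(exposed - requested)


# Constructed SmartApp: locks the door when the contact sensor reports "closed".
# It only ever calls lock(), yet capability.lock also grants unlock().
AUTO_LOCK_APP = '''
definition(name: "Auto Lock Door", namespace: "example", author: "constructed")
preferences {
    section("Lock the door when it closes") {
        input "contact", "capability.contactSensor", title: "Door sensor"
        input "locks", "capability.lock", title: "Which locks?", multiple: true
    }
}
def installed() {
    subscribe(contact, "contact", contactHandler)
}
def contactHandler(evt) {
    if (evt.value == "closed") {
        locks.each { it.lock() }
    }
}
'''

# Constructed device-handler profile: a Z-Wave lock that also reports battery level.
ZWAVE_LOCK_CAPS = ["capability.lock", "capability.lockCodes", "capability.battery"]

if __name__ == "__main__":
    for var, r in capability_overprivilege(AUTO_LOCK_APP).items():
        print(f"{var} ({r['capability']}): unused commands {r['unused_commands']}, "
              f"unused attributes {r['unused_attributes']}")
    # A battery-monitor app bound to this lock through capability.battery alone
    print("battery monitor gains:", binding_overprivilege("capability.battery", ZWAVE_LOCK_CAPS))
```

    Run as a script, the auto-lock app is flagged for the unused unlock() command (form 1), and a battery monitor bound to the constructed lock gains lock, unlock, setCode and deleteCode without requesting any of them (form 2). A real checker must resolve Groovy dynamic dispatch and string-built method names, which is why the released tool works on the AST; the regular expressions here are enough to show what is being compared.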

    Code & Tools

    We have made three programming resources available on GitHub:

    • Static analysis tool that computes overprivilege in SmartApps.
    • Python script that automatically creates skeleton device handlers inside the SmartThings IDE.
    • Capability documentation that we used in our analysis.

    Tools on GitHub

    Research Paper -- Distinguished Practical Paper Award at IEEE S&P 2016 ("Oakland")

    Download PDF

    When referring to our work, please cite it as:

    Earlence Fernandes, Jaeyeon Jung, and Atul Prakash
    Security Analysis of Emerging Smart Home Applications
    In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016

    or, use BibTeX for citation:

                     @InProceedings{smartthings16,
                        author = {Earlence Fernandes and Jaeyeon Jung and Atul Prakash},
                        title = {{S}ecurity {A}nalysis of {E}merging {S}mart {H}ome {A}pplications},
                        booktitle = {Proceedings of the 37th {IEEE} Symposium on Security and Privacy},
                        month = May,
                        year = 2016
                     }
                    

    Attack Demos

    Pincode Snooping


    Backdoor Pincode Injection


    Disabling Vacation Mode


    Fake Fire Alarm



    Team

    Earlence Fernandes, Ph.D. Candidate, University of Michigan

    Jaeyeon Jung, Principal Security Architect, Microsoft Research (now Vice President, Samsung)

    Atul Prakash, Professor, University of Michigan


    Acknowledgements




    FlowFence: Practical Data Protection for Emerging IoT Application Frameworks

    Summary

    Emerging IoT programming frameworks enable building apps that compute on sensitive data produced by smart homes and wearables. However, these frameworks only support permission-based access control on sensitive data, which is ineffective at controlling how apps use data once they gain access. To address this limitation, we present FlowFence, a system that requires consumers of sensitive data to declare their intended dataflow patterns, which it enforces with low overhead, while blocking all other undeclared flows. FlowFence achieves this by explicitly embedding data flows and the related control flows within app structure. Developers use FlowFence support to split their apps into two components: (1) A set of Quarantined Modules that operate on sensitive data in sandboxes, and (2) Code that does not operate on sensitive data but orchestrates execution by chaining Quarantined Modules together via taint-tracked opaque handles—references to data that can only be dereferenced inside sandboxes. We studied three existing IoT frameworks to derive key functionality goals for FlowFence, and we then ported three existing IoT apps. Securing these apps using FlowFence resulted in an average increase in size from 232 lines to 332 lines of source code. Performance results on ported apps indicate that FlowFence is practical: a face-recognition based door-controller app incurred a 4.9% latency overhead to recognize a face and unlock a door.
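    The split between Quarantined Modules, opaque handles and declared flows is easiest to see in a small model. The following is an added example for this page, not FlowFence's code (FlowFence runs on Android and enforces flows in a trusted service around real sandboxed processes): here a single in-process object stands in for that trusted service, a function passed to run_qm stands in for a Quarantined Module, and the sink check is modeled as a call that takes a handle. The policy, the "camera" and "location" labels, the sink names and the door-controller scenario are constructed for the example.

```python
from dataclasses import dataclass


class FlowDenied(Exception):
    """Raised when data would reach a sink its source labels did not declare."""


@dataclass(frozen=True)
class OpaqueHandle:
    """Reference to data held inside the sandbox. The orchestrator can store it
    and pass it to Quarantined Modules, but there is no value here to read."""
    ref: int


class FlowFenceModel:
    """Toy stand-in (constructed for this example) for the trusted service that
    owns sandboxed values and their taint labels. `policy` maps a source label to
    the sinks the app declared for it; every other flow is blocked."""

    def __init__(self, policy):
        self._policy = {label: set(sinks) for label, sinks in policy.items()}
        self._store = {}      # ref -> (raw value, frozenset of source labels)
        self._next_ref = 0
        self.effects = []     # what the sinks did, kept for inspection

    def _wrap(self, value, taints):
        ref = self._next_ref
        self._next_ref += 1
        self._store[ref] = (value, frozenset(taints))
        return OpaqueHandle(ref)

    def source(self, label, value):
        """Trusted source API (camera, location, ...): data enters already tainted."""
        return self._wrap(value, {label})

    def taints(self, handle):
        return self._store[handle.ref][1]

    def run_qm(self, fn, *handles):
        """Run a Quarantined Module: dereference the handles inside the sandbox,
        apply fn to the raw values, and return a new handle whose taint is the
        union of every input's taint. fn's raw result never reaches the orchestrator."""
        values = [self._store[h.ref][0] for h in handles]
        taints = frozenset().union(*(self.taints(h) for h in handles))
        return self._wrap(fn(*values), taints)

    def sink(self, name, handle):
        """Trusted sink API (unlock door, upload to network, ...). Allowed only if
        every label carried by the handle declared `name` as a destination."""
        value, taints = self._store[handle.ref]
        for label in sorted(taints):
            if name not in self._policy.get(label, set()):
                raise FlowDenied(f"undeclared flow {label} -> {name}")
        self.effects.append((name, value))


def door_controller_demo():
    """Constructed version of the face-recognition door controller: the app
    declares camera -> door.unlock and nothing else."""
    fence = FlowFenceModel(policy={"camera": {"door.unlock"}})
    frame = fence.source("camera", "constructed frame: face=alice")
    # The Quarantined Module; a substring match stands in for real recognition.
    recognized = fence.run_qm(lambda f: "face=alice" in f, frame)
    fence.sink("door.unlock", recognized)          # declared flow, allowed
    try:
        fence.sink("network.upload", recognized)   # undeclared flow, blocked
        blocked = False
    except FlowDenied:
        blocked = True
    return fence.effects, blocked


def taint_union_demo():
    """Combining two tainted inputs in one QM: the output carries both labels, so
    the sink must be declared for both sources or the flow is denied."""
    fence = FlowFenceModel(policy={"camera": {"door.unlock"},
                                   "location": {"map.display"}})
    frame = fence.source("camera", "constructed frame: face=alice")
    at_home = fence.source("location", True)
    decision = fence.run_qm(lambda f, home: ("face=alice" in f) and home, frame, at_home)
    try:
        fence.sink("door.unlock", decision)
        return sorted(fence.taints(decision)), False
    except FlowDenied:
        return sorted(fence.taints(decision)), True


if __name__ == "__main__":
    print(door_controller_demo())   # ([('door.unlock', True)], True)
    print(taint_union_demo())       # (['camera', 'location'], True)
```

    The second demo is the case a developer meets when adding a feature: as soon as the unlock decision also depends on location data, the door.unlock sink is reached by a "location"-tainted value, and the app must declare that flow explicitly. Undeclared flows fail closed rather than being silently permitted, which is the property the permission-only model in the summary lacks.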

    Code

    Code on GitHub

    We accept pull requests!

    Research Paper

    Download PDF

    When referring to our work, please cite it as:

    Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash
    FlowFence: Practical Data Protection for Emerging IoT Application Frameworks
    In Proceedings of the 25th USENIX Security Symposium, August 2016

    or, use BibTeX for citation:

                     @InProceedings{flowfence16,
                        author = {Earlence Fernandes and Justin Paupore and Amir Rahmati and Daniel Simionato and Mauro Conti and Atul Prakash},
                        title = {{F}low{F}ence: {P}ractical {D}ata {P}rotection for {E}merging {I}o{T} {A}pplication {F}rameworks},
                        booktitle = {Proceedings of the 25th {USENIX} Security Symposium},
                        month = August,
                        year = 2016
                     }
                    

    Team

    Earlence Fernandes, Ph.D. Candidate, University of Michigan

    Justin Paupore, Software Engineer, Google

    Amir Rahmati, Ph.D. Candidate, University of Michigan

    Daniel Simionato

    Mauro Conti, Associate Professor, University of Padova

    Atul Prakash, Professor, University of Michigan


    Acknowledgements




    ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms

    Summary

    The Internet-of-Things (IoT) has quickly evolved to a new appified era where third-party developers can write apps for IoT platforms using programming frameworks. Like other appified platforms, e.g., the smartphone platform, the permission system plays an important role in platform security. However, design flaws in current IoT platform permission models have been reported recently, exposing users to significant harm such as break-ins and theft. To solve these problems, a new access control model is needed for both current and future IoT platforms. In this paper, we propose ContexIoT, a context-based permission system for appified IoT platforms that provides contextual integrity by supporting fine-grained context identification for sensitive actions, and runtime prompts with rich context information to help users perform effective access control. Context definition in ContexIoT is at the inter-procedure control and data flow levels, which we show to be more comprehensive than previous context-based permission systems for the smartphone platform. ContexIoT is designed to be backward compatible and thus can be directly adopted by current IoT platforms. We prototype ContexIoT on the Samsung SmartThings platform, with an automatic app patching mechanism developed to support unmodified commodity SmartThings apps. To evaluate the system’s effectiveness, we perform the first extensive study of possible attacks on appified IoT platforms by reproducing reported IoT attacks and constructing new IoT attacks based on smartphone malware classes. We categorize these attacks based on lifecycle and adversary techniques, and build the first taxonomized IoT attack app dataset. Evaluating ContexIoT on this dataset, we find that it can effectively distinguish the attack context for all the tested apps. The performance evaluation on 283 commodity IoT apps shows that the app patching adds nearly negligible delay to the event triggering latency, and the permission request frequency is far below the threshold that is considered to risk user habituation or annoyance.

    Code for Attacks

    Available here


    Research Paper

    Download PDF

    When referring to our work, please cite it as:

    Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash
    ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms
    In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS 2017), February 2017

    or, use BibTeX for citation:

                     @InProceedings{contexiot17,
                        author = {Yunhan Jack Jia and Qi Alfred Chen and Shiqi Wang and Amir Rahmati and Earlence Fernandes and Z. Morley Mao and Atul Prakash},
                        title = {{ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms}},
                        booktitle = {Proceedings of the 24th Annual Network and Distributed System Security Symposium ({NDSS})},
                        month = February,
                        year = 2017
                     }
                    

    Team

    Yunhan Jack Jia, Ph.D. Candidate, University of Michigan

    Qi Alfred Chen, Ph.D. Candidate, University of Michigan

    Shiqi Wang

    Amir Rahmati, Ph.D. Candidate, University of Michigan

    Earlence Fernandes, Ph.D. Candidate, University of Michigan

    Z. Morley Mao, Professor, University of Michigan

    Atul Prakash, Professor, University of Michigan


    Acknowledgements


    Heimdall: A Privacy-Respecting Implicit Preference Collection Framework

    Summary

    Many of the everyday decisions a user makes rely on the suggestions of online recommendation systems. These systems amass implicit (e.g., location, purchase history, browsing history) and explicit (e.g., reviews, ratings) feedback from multiple users, produce a general consensus, and provide suggestions based on that consensus. However, due to privacy concerns, users are uncomfortable with implicit data collection, thus requiring recommendation systems to be overly dependent on explicit feedback. Unfortunately, users do not frequently provide explicit feedback. This hampers the ability of recommendation systems to provide high-quality suggestions. We introduce Heimdall, the first privacy-respecting implicit preference collection framework that enables recommendation systems to extract user preferences from their activities in a privacy-respecting manner. The key insight is to enable recommendation systems to run a collector on a user’s device and precisely control the information a collector transmits to the recommendation system back-end. Heimdall introduces immutable blobs as a mechanism to guarantee this property. We implemented Heimdall for the smartphone and smart home environments and wrote three example collectors to enhance existing recommendation systems with implicit feedback. Our performance results suggest that the overhead of immutable blobs is minimal, and a user study of 166 participants indicates that privacy concerns are significantly less when collectors record only specific information—a property that Heimdall enables.

    Code on GitHub

    Coming Soon!


    Research Paper

    Download PDF

    When referring to our work, please cite it as:

    Amir Rahmati, Earlence Fernandes, Kevin Eykholt, Xinheng Chen, and Atul Prakash
    Heimdall: A Privacy-Respecting Implicit Preference Collection Framework
    15th ACM International Conference on Mobile Systems, Applications, and Services (ACM MobiSys 2017), June 2017

    or, use BibTeX for citation:

                     @InProceedings{heimdall17,
                        author = {Amir Rahmati and Earlence Fernandes and Kevin Eykholt and Xinheng Chen and Atul Prakash},
                        title = {{Heimdall: A Privacy-Respecting Implicit Preference Collection Framework}},
                        booktitle = {15th ACM International Conference on Mobile Systems, Applications, and Services},
                        month = June,
                        year = 2017
                     }
                    

    Team

    Amir Rahmati, Ph.D. Candidate, University of Michigan

    Earlence Fernandes, Ph.D. Candidate, University of Michigan

    Kevin Eykholt, Ph.D. Candidate, University of Michigan

    Xinheng Chen, Student, University of Michigan

    Atul Prakash, Professor, University of Michigan


    Acknowledgements