Proceedings ArticleDOI
Security Analysis of Emerging Smart Home Applications
Earlence Fernandes,Jaeyeon Jung,Atul Prakash +2 more
- pp 636-654
TLDR
This paper analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks, and discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps.Abstract:
Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such emerging smart home programming platform. We analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks. SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform. Our key findings are twofold. First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps. Our analysis reveals that over 55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes. We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes, (2) stole existing door lock codes, (3) disabled vacation mode of the home, and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks.read more
Citations
More filters
Proceedings Article
Understanding the mirai botnet
Manos Antonakakis,Tim April,Michael Bailey,Matthew Bernhard,Elie Bursztein,Jaime Cochran,Zakir Durumeric,J. Alex Halderman,Luca Invernizzi,Michalis Kallitsis,Deepak Kumar,Chaz Lever,Zane Ma,Joshua Mason,D. Menscher,Chad Seaman,Nick Sullivan,Kurt Thomas,Yi Zhou +18 more
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Journal ArticleDOI
Internet of Things: A survey on the security of IoT frameworks
TL;DR: This paper surveys the security of the main IoT frameworks, and shows that the same standards used for securing communications, whereas different methodologies followed for providing other security properties are shown.
Journal ArticleDOI
Classifying IoT Devices in Smart Environments Using Network Traffic Characteristics
Arunan Sivanathan,Hassan Habibi Gharakheili,Franco Loi,Adam Radford,Chamith Wijenayake,Arun Vishwanath,Vijay Sivaraman +6 more
TL;DR: This study paves the way for operators of smart environments to monitor their IoT assets for presence, functionality, and cyber-security without requiring any specialized devices or protocols.
Journal ArticleDOI
Smart Cities: A Survey on Data Management, Security, and Enabling Technologies
Ammar Gharaibeh,Mohammad A. Salahuddin,Sayed Jahed Hussini,Abdallah Khreishah,Issa Khalil,Mohsen Guizani,Ala Al-Fuqaha +6 more
TL;DR: The fundamental data management techniques employed to ensure consistency, interoperability, granularity, and reusability of the data generated by the underlying IoT for smart cities are described.
Journal ArticleDOI
The Effect of IoT New Features on Security and Privacy: New Threats, Existing Solutions, and Challenges Yet to Be Solved
Wei Zhou,Yuqing Zhang,Peng Liu +2 more
TL;DR: In this paper, the security and privacy effects of eight IoT new features were discussed, including the threats they cause, existing solutions and challenges yet to be solved, and the developing trend of IoT security research and reveals how IoT features affect existing security research.
References
More filters
Proceedings ArticleDOI
Android permissions demystified
TL;DR: Stowaway, a tool that detects overprivilege in compiled Android applications, is built and finds that about one-third of applications are overprivileged.
Proceedings ArticleDOI
Soot: a Java bytecode optimization framework
TL;DR: Soot, a framework for optimizing Java* bytecode, is implemented in Java and supports three intermediate representations for representing Java bytecode: Baf, a streamlined representation of bytecode which is simple to manipulate; Jimple, a typed 3-address intermediate representation suitable for optimization; and Grimp, an aggregated version of Jimple suitable for decompilation.
Proceedings ArticleDOI
Android permissions: user attention, comprehension, and behavior
TL;DR: It is found that current Android permission warnings do not help most users make correct security decisions, however, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension.
Proceedings ArticleDOI
Analyzing inter-application communication in Android
TL;DR: This work examines Android application interaction and identifies security risks in application components and provides a tool, ComDroid, that detects application communication vulnerabilities and found 34 exploitable vulnerabilities.
Proceedings ArticleDOI
PScout: analyzing the Android permission specification
TL;DR: An analysis of the permission system of the Android smartphone OS is performed and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permissions specification as the Android OS evolves.