Proceedings ArticleDOI
Security Analysis of Emerging Smart Home Applications
Earlence Fernandes,Jaeyeon Jung,Atul Prakash +2 more
- pp 636-654
Reads0
Chats0
TLDR
This paper analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks, and discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps.Abstract:
Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such emerging smart home programming platform. We analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks. SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform. Our key findings are twofold. First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps. Our analysis reveals that over 55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes. We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes, (2) stole existing door lock codes, (3) disabled vacation mode of the home, and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks.read more
Citations
More filters
Proceedings Article
Understanding the mirai botnet
Manos Antonakakis,Tim April,Michael Bailey,Matthew Bernhard,Elie Bursztein,Jaime Cochran,Zakir Durumeric,J. Alex Halderman,Luca Invernizzi,Michalis Kallitsis,Deepak Kumar,Chaz Lever,Zane Ma,Joshua Mason,D. Menscher,Chad Seaman,Nick Sullivan,Kurt Thomas,Yi Zhou +18 more
TL;DR: It is argued that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Journal ArticleDOI
Internet of Things: A survey on the security of IoT frameworks
TL;DR: This paper surveys the security of the main IoT frameworks, and shows that the same standards used for securing communications, whereas different methodologies followed for providing other security properties are shown.
Journal ArticleDOI
Classifying IoT Devices in Smart Environments Using Network Traffic Characteristics
Arunan Sivanathan,Hassan Habibi Gharakheili,Franco Loi,Adam Radford,Chamith Wijenayake,Arun Vishwanath,Vijay Sivaraman +6 more
TL;DR: This study paves the way for operators of smart environments to monitor their IoT assets for presence, functionality, and cyber-security without requiring any specialized devices or protocols.
Journal ArticleDOI
Smart Cities: A Survey on Data Management, Security, and Enabling Technologies
Ammar Gharaibeh,Mohammad A. Salahuddin,Sayed Jahed Hussini,Abdallah Khreishah,Issa Khalil,Mohsen Guizani,Ala Al-Fuqaha +6 more
TL;DR: The fundamental data management techniques employed to ensure consistency, interoperability, granularity, and reusability of the data generated by the underlying IoT for smart cities are described.
Journal ArticleDOI
The Effect of IoT New Features on Security and Privacy: New Threats, Existing Solutions, and Challenges Yet to Be Solved
Wei Zhou,Yuqing Zhang,Peng Liu +2 more
TL;DR: In this paper, the security and privacy effects of eight IoT new features were discussed, including the threats they cause, existing solutions and challenges yet to be solved, and the developing trend of IoT security research and reveals how IoT features affect existing security research.
References
More filters
Proceedings ArticleDOI
CHEX: statically vetting Android apps for component hijacking vulnerabilities
TL;DR: This paper proposes CHEX, a static analysis method to automatically vet Android apps for component hijacking vulnerabilities, and prototyped CHEX based on Dalysis, a generic static analysis framework that was built to support many types of analysis on Android app bytecode.
Proceedings ArticleDOI
Practical trigger-action programming in the smart home
TL;DR: It is found that inexperienced users can quickly learn to create programs containing multiple triggers or actions, and a class of triggers requiring machine learning that has received little attention is identified.
Proceedings ArticleDOI
I've got 99 problems, but vibration ain't one: a survey of smartphone users' concerns
TL;DR: This research surveyed 3,115 smartphone users about 99 risks associated with 54 smartphone privileges and asked participants to rate how upset they would be if given risks occurred and used data to rank risks by levels of user concern, which can be used to guide the selection of warnings on smartphone platforms.
Proceedings ArticleDOI
User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
TL;DR: This paper takes the approach of user-driven access control, whereby permission granting is built into existing user actions in the context of an application, rather than added as an afterthought via manifests or system prompts.
Journal ArticleDOI
Computer security and the modern home
TL;DR: A framework for evaluating security risks associated with technologies used at home and a guide to selecting suitable technologies for use in the home.