Cross-App Threats in Smart Homes: Categorization, Detection and Handling
share
A number of Internet of Things (IoTs) platforms have emerged to enable various IoT apps developed by third-party developers to automate smart homes. Prior research mostly concerns the overprivilege problem in the permission model. Our work, however, reveals that even IoT apps that follow the principle of least privilege, when they interplay, can cause a unique type of threats, named Cross-App Interference (CAI) threats. We describe and categorize the new threats, showing that unexpected automation and security and privacy issues may be caused by such threats, which cannot be handled by existing IoT security mechanisms. To address the problem, we present HOMEGUARD, a system for appified IoT platforms to detect and cope with CAI threats. A symbolic executor module is built to precisely extract the automation semantics from IoT apps. The semantics of different IoT apps are then considered collectively to evaluate their interplay and discover CAI threats systematically. A user interface is presented to users during IoT app installation, interpreting the discovered threats to help them make decisions. We evaluate HOMEGUARD via a proof-of-concept implementation on Samsung's SmartThings, and discover many threat instances among apps in the SmartThings public repository. The evaluation shows that it is precise, effective and efficient.
READ FULL TEXT