Charting the Attack Surface of Trigger-Action IoT Platforms

Qi Wang, Pubali Datta, Wei Yang, Si Liu, Carl Gunter, and Adam Bates.
26th ACM Conference on Computer and Communications Security (CCS'19).
London, UK. November 11, 2019.
(acceptance rate=10.0%)
Available Media


Internet of Things (IoT) deployments are becoming increasingly automated and vastly more complex. Facilitated by programming abstractions such as trigger-action rules, end-users can now easily create new functionalities by interconnecting their devices and other online services. However, when multiple rules are simultaneously enabled, complex system behaviors arise that are difficult to understand or diagnose. While history tells us that such conditions are ripe for exploitation, at present the security states of trigger-action IoT deployments are largely unknown. In this work, we conduct a comprehensive analysis of the interactions between trigger-action rules in order to identify their security risks. Using IFTTT as an exemplar platform, we first enumerate the space of inter-rule vulnerabilities that exist within trigger-action platforms. To aid users in the identification of these dangers, we go on to present iRuler, a system that performs Satisfiability Modulo Theories (SMT) solving and model checking to discover inter-rule vulnerabilities within IoT deployments. iRuler operates over an abstracted information flow model that represents the attack surface of an IoT deployment, but we discover in practice that such models are difficult to obtain given the closed nature of IoT platforms. To address this, we develop methods for fine-grained identification of trigger-action information flows based on Natural Language Processing (NLP) techniques. Finally, we develop a novel evaluative methodology for approximating real-world IoT deployments based on the installation counts of 315,393 IFTTT applets, determining that 66% of the simulated deployments in the IFTTT ecosystem exhibit the potential for inter-rule vulnerabilities. Combined, these efforts provide the first insight into the real-world dangers of IoT deployment misconfigurations.