Making the Internet of Things smarter than its attackers

A web-based service called IFTTT (an initialism of If This Then That) is hosting user-generated applets available to download that connect Internet of Things (IoT) devices to streamline various processes. If this happens (e.g. you “Like” a photo on Facebook), then do that (e.g. save that photo to your Google Drive). There are thousands of others free for download.

But security experts are concerned that some of these applets may introduce vulnerabilities to users and their IoT devices. What if a particular applet, which automatically saves new email attachments to all of your back-up storage devices, performs this task with a malicious email attachment? The malicious material just spread itself to several of your other devices without you even lifting a finger.

A team of CyLab researchers set out to understand how many of these applets contain these types of vulnerabilities. In a study presented at the 2017 World Wide Web conference in Perth, Australia, the team analyzed nearly 20,000 IFTTT applets and found that half of them were potentially unsafe.

“There are a lot of threats, and we’re just beginning to understand them,” says Milijana Surbatovich, an Electrical and Computer Engineering (ECE) Ph.D. student and the lead author on the study. “This matters if you’re using these smart devices, but it is also good to keep the IoT ecosystem as a whole secure.”

The team defined an IFTTT applet as potentially insecure if they contained either an integrity violation or a secrecy violation. An integrity violation occurred when a less trusted source was allowed to directly control something that should be more trusted.

“If you had an applet that automatically copied new email attachments to you Google Drive – what if it was a malicious attachment?” says Surbatovich. “You handed over your control to your devices, which are now spreading malicious attachments.”

A secrecy violation was cited if information automatically passed from a private audience (you or a small number of people) to a larger or more public audience. One common type of secrecy violation the researchers identified involved advertising personal activity over social media.

“Let’s say you have an applet that says: If your FitBit records you walking 10,000 steps, generate a post on Twitter that says that,” Surbatovich says. “This seems fine, but what if you told your boss that you were sick, or you were dodging a social event?”

Even if you’re not concerned about your own personal security, you may be unwittingly acting as the middle-man during an attack.

Milijana Surbatovich, Ph.D. student, Electrical and Computer Engineering, Carnegie Mellon University

The authors of the study suggest that users need to be informed about the security and integrity violations that their applets can potentially create, as well as their consequences, so users can make more informed decisions about how to manage their IoT devices. The study, Surbatovich says, is about specific IoT applets, but it’s also about the IoT security landscape as a whole.

“Although you may not think your smart toaster will be used to harm you or your home, it could contribute to some greater harm like a distributed denial-of-service (DDoS) attack,” Surbatovich says. “Even if you’re not concerned about your own personal security, you may be unwittingly acting as the middle-man during an attack.”

Other authors on the study included ECE Ph.D. student Jassim Aljuraidan, ECE and Institute for Software Research (ISR) professor Lujo Bauer, ISR post-doctoral researcher Anupam Das and ECE professor Limin Jia.