Charting the atack surface of trigger-action IoT platforms

Abstract

Internet of Things (IoT) deployments are becoming increasingly automated and vastly more complex. Facilitated by programming abstractions such as trigger-action rules, end-users can now easily create new functionalities by interconnecting their devices and other online services. However, when multiple rules are simultaneously enabled, complex system behaviors arise that are diicult to understand or diagnose. While history tells us that such conditions are ripe for exploitation, at present the security states of trigger-action IoT deployments are largely unknown. In this work, we conduct a comprehensive analysis of the interactions between trigger-action rules in order to identify their security risks. Using IFTTT as an exemplar platform, we irst enumerate the space of inter-rule vulnerabilities that exist within trigger-action platforms. To aid users in the identiication of these dangers, we go on to present iRuler, a system that performs Satisiability Modulo Theories (SMT) solving and model checking to discover inter-rule vulnerabilities within IoT deployments. iRuler operates over an abstracted information low model that represents the attack surface of an IoT deployment, but we discover in practice that such models are diicult to obtain given the closed nature of IoT platforms. To address this, we develop methods that assist in inferring trigger-action information lows based on Natural Language Processing. We develop a novel evaluative methodology for approximating plausible real-world IoT deployments based on the installation counts of 315,393 IFTTT applets, determining that 66% of the synthetic deployments in the IFTTT ecosystem exhibit the potential for inter-rule vulnerabilities. Combined, these eforts provide the insight into the real-world dangers of IoT deployment misconigurations.