How Risky Are Real Users' IFTTT Applets?
Camille Cobb (Carnegie Mellon University), Milijana Surbatovich (Carnegie Mellon University), Anna Kawakami (Wellesley College), Mahmood Sharif (NortonLifeLock), Lujo Bauer (Carnegie Mellon University), Anupam Das (North Carolina State University), Limin Jia (Carnegie Mellon University)

Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee. USENIX Symposium on Usable Privacy and Security (SOUPS) 2020. August 9–11, 2020, Virtual Conference.

Abstract

Smart-home devices are becoming increasingly ubiquitous and interconnected with other devices and services, such as phones, fitness trackers, cars, and social media accounts. Built-in connections between these services are still emerging, but end-user-programming tools such as If-This-Then-That (IFTTT) have existed for almost a decade, allowing users to create rules (called applets in IFTTT) that dictate interactions between devices and services. Previous work found potential secrecy or integrity violations in many applets, but did so without examining how individual users interact with the service. In this work, we study the risks of real-world use of IFTTT by collecting and analyzing 732 applets installed by 28 participants and participants’ responses to several survey questions. We found that significantly fewer applets than previously thought pose realistic secrecy or integrity risks to the users who install them. Consistent with this finding, participants were generally not concerned about potential harms, even when these were explained to them. However, examining participants’ applets led us to identify several new types of privacy risks, which challenge some assumptions inherent in previous analyses that focus on secrecy and integrity risks. For example, we found that many applets involve monitoring incidental users: family, friends, and neighbors who may interact with someone else’s smart-home devices, possibly without realizing it. We discuss what our findings imply for automatically identifying potentially harmful applets.

1 Introduction

Smart home technology has made its way into public consciousness and widespread use [3]. On their own, smart-home devices typically allow users to control them via dedicated apps, possibly creating schedules, routines, or triggering notifications from the apps on users’ phones. Additionally, many smart-home devices enhance their capacity for home automation by interfacing with end-user programming tools such as If-This-Then-That (IFTTT), Stringify, and WebHooks. Such tools allow users to create trigger-action “rules” that react to and/or control their IoT devices and services like social media, cloud storage, or news. This enables users to accomplish home automation tasks that would not be possible otherwise. For example, a user could create a rule to automatically turn on all their smart lights when they arrive home, even if those lights were made by a variety of manufacturers. While these tools can enable creative, beneficial uses of smart-home technologies, they may also introduce security and privacy risks.

Prior work found that as many as 50% of applets shared on the IFTTT webpage could lead to secrecy or integrity violations (i.e., leak private information or allow unauthorized access to a user’s devices and services) [35]. That study, and others (e.g., [8, 10, 11, 28, 38]), sought to understand and measure the prevalence and magnitude of security and privacy risks of end-user programming with trigger-action rules, and they have proposed automated ways of identifying risky rules—rules that have the potential to cause harm—with an end-goal of mitigating risks. However, these studies have relied on publicly available data (e.g., applets shared on the IFTTT webpage) and have not evaluated risks in the context of individual users’ sets of rules, the contexts in which those rules are applied, or the individuals’ privacy preferences.

In this paper, we seek to better contextualize our understanding of the ways that users employ end-user programming in order to answer open questions about the secrecy, integrity, and other security and privacy risks their rules may create. To do so, we focus specifically on IFTTT, which is the most popular end-user-programming tool [25]. We recruited 28 IFTTT users via popular home-automation message boards. Participants allowed us to collect data about their IFTTT applets and responded to a short survey. Survey questions addressed the context in which the applets are used (e.g., who cloud storage documents are shared with), participants’ understanding and perception of secrecy and integrity risks (e.g., if they had considered certain risks when setting up rules, if they had experienced any harms, and if they believed certain risks were possible for a particular rule), and how they would react to specific violations identified in prior work.

Using automated information-flow-based analysis, we found that about 59% of participants’ IFTTT rules had potential secrecy or integrity violations (see Section 4.3), which is consistent with the findings of prior work analyzing applets shared on the IFTTT website. In Section 4.4, we examine participants’ rules in more detail, considering context such as their titles. This more detailed analysis revealed that although many applets might technically have secrecy or integrity violations, they are rarely harmful because of these violations. Only about 10% of the secrecy-violating rules (just over 3% of all rules) could lead to secrecy harms, and just 14% of integrity-violating rules (6.7% of all rules) present serious integrity-related risks. Consistent with our manual evaluation, participants did not believe that their rules were likely to lead to secrecy- or integrity-related harms, though they did care about the security and privacy of their rules.

Our contextualized analysis of trigger-action rules and their security and privacy risks is a key contribution of this work and also led to unexpected findings. Although secrecy and integrity violations rarely pose risks to IFTTT users, IFTTT rules pose other types of security and privacy risks that have not been identified through automated analysis. For example, IFTTT rules can create surveillance risks to incidental users—people besides the IFTTT user who created the rule. In Section 5, we discuss these other types of risks, as well as other limitations of the information-flow analysis. From our findings we draw guidelines for how automated analysis tools could better distinguish between practically risky and merely theoretically violating trigger-action rules. We also propose future research to better understand incidental users’ preferences regarding their interactions with smart-home devices. Identifying contextual factors needed for more accurate automated analyses and previously unexplored categories of risks are also key contributions of this study.

2 Background

2.1 Security of Smart-Home Technology

In recent years, researchers have investigated the security and privacy risks imposed by home IoT ecosystems. Most of these efforts consider the IoT ecosystem either at the application level or at the network level. At the application level, researchers have found that many applications built on emerging programming platforms such as Samsung’s SmartThings [4] are over-privileged due to design flaws in their permission models [15, 17]. User-centric and context-aware permission systems have been developed for appified IoT platforms to address their coarse-grained permission flaws [16, 23, 37]. Systems utilizing static analysis [10, 28], model-checking [11], and data provenance graphs [38] have been proposed to help identify incorrect or inconsistent application behavior. Many research groups have proposed network-traffic-analysis-based security mechanisms [9, 12, 13, 29, 33, 34, 40]; many of these were introduced in light of the infamous Mirai attack, which took advantage of insecure IoT devices to launch a distributed denial of service (DDoS) attack [20, 30].

Differently from these studies, our work focuses on risks introduced by end-user programming. That is, we find that potential harms persist even under the assumption that technical vulnerabilities do not exist or are sufficiently unlikely.

2.2 Privacy Concerns in Smart Homes

In spite of their widespread adoption, users continue to surface privacy concerns about smart-home devices. To understand what concerns users have about smart-home technology, several interview- and survey-based studies investigated users’ experiences and preferences [6, 7, 14, 36]. When IoT devices are installed in multi-person households, new security, privacy, and usability challenges emerge. Recent research has sought to identify user requirements in these multi-user settings and proposed potential solutions [19, 39, 41] such as making it easier for everyone in a household to control the devices and how they are configured [41]. Others have studied desirable access controls for smart-home devices [21, 32]. Our study also attempts to understand privacy concerns in a smart-home setting (including multi-user setting), but more so in the context of using automation services like IFTTT which can inadvertently cause harms.

2.3 End-User Programming for IoT Devices

Several end-user programming tools—including IFTTT (“If This, Then That”) [1], Microsoft Flow [2] and Zapier [5]—enable users to connect multiple services by constructing simple trigger-action programs [24]; IFTTT is by far the most popular of these [25].

2.3.1 IFTTT

An IFTTT rule or “applet” (previously called “recipe”) consists of a “trigger” and an “action.” The trigger is the “this” and the action is the “that” in “if this then that.” Shortly before our study’s data collection, IFTTT added a feature to allow a single applet to have more than one action. Each trigger and action belongs to a “channel,” which specifies the service provider who created the trigger or action (e.g., IoT device manufacturer, social media company).
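The applet structure described above (a trigger, one or more actions, each belonging to a channel) can be checked for potential secrecy and integrity violations with a simple label comparison. The following is an added example, not code from the paper or from IFTTT: the two-level labels, the channel and endpoint names, and the sample applets are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed two-level labels, constructed for this example (not the paper's lattice).
PUBLIC, PRIVATE = 0, 1        # secrecy: who can observe the event or effect
UNTRUSTED, TRUSTED = 0, 1     # integrity: who can cause the event / may cause the effect

@dataclass(frozen=True)
class Endpoint:
    channel: str              # service provider that created the trigger or action
    name: str
    secrecy: int
    integrity: int

@dataclass(frozen=True)
class Applet:
    title: str
    trigger: Endpoint
    actions: tuple            # one or more Endpoint objects

def violations(applet):
    """Return (action name, kind) for each potential violation in one applet."""
    found, trig = [], applet.trigger
    for act in applet.actions:
        if trig.secrecy > act.secrecy:        # private event becomes widely observable
            found.append((act.name, "secrecy"))
        if trig.integrity < act.integrity:    # anyone can drive a protected action
            found.append((act.name, "integrity"))
    return found

def flagged_titles(applets):
    """Titles of applets with at least one potential violation."""
    return [a.title for a in applets if violations(a)]

# Constructed sample applets; channel and endpoint names are hypothetical.
APPLETS = [
    Applet("Lights on when I get home",
           Endpoint("phone_location", "entered_home_area", PRIVATE, TRUSTED),
           (Endpoint("smart_lights", "turn_on_lights", PUBLIC, TRUSTED),
            Endpoint("spreadsheet", "append_private_row", PRIVATE, TRUSTED))),
    Applet("Save hashtag photos",
           Endpoint("social_media", "new_public_post_with_hashtag", PUBLIC, UNTRUSTED),
           (Endpoint("cloud_storage", "save_to_folder", PRIVATE, TRUSTED),)),
    Applet("Notify me when it gets cold",
           Endpoint("thermostat", "temperature_below", PRIVATE, TRUSTED),
           (Endpoint("phone", "send_private_notification", PRIVATE, TRUSTED),)),
]

if __name__ == "__main__":
    for applet in APPLETS:
        print(applet.title, violations(applet))
```

A flag from this check is only a potential violation: whether it is harmful depends on context the labels do not capture, such as who can actually observe the lights or who the storage folder is shared with.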