Rethinking Access Control and Authentication for the Home Internet of Things (IoT) Weijia He, University of Chicago; Maximilian Golla, Ruhr-University Bochum; Roshni Padhi and Jordan Ofek, University of Chicago; Markus Dürmuth, Ruhr-University Bochum; Earlence Fernandes, University of Washington; Blase Ur, University of Chicago https://www.usenix.org/conference/usenixsecurity18/presentation/he This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. Rethinking Access Control and Authentication for the Home Internet of Things (IoT) Weijia He, Maximilian Golla†, Roshni Padhi, Jordan Ofek, Markus Durmuth¨ †, Earlence Fernandes‡, Blase Ur University of Chicago, † Ruhr-University Bochum, ‡ University of Washington Abstract fairs is troubling because the characteristics that make the IoT distinct from prior computing domains neces- Computing is transitioning from single-user devices to sitate a rethinking of access control and authentication. the Internet of Things (IoT), in which multiple users Traditional devices like computers, phones, tablets, and with complex social relationships interact with a single smart watches are generally used by only a single per- device. Currently deployed techniques fail to provide son. Therefore, once a user authenticates to their own usable access-control specification or authentication in device, minimal further access control is needed. These such settings. In this paper, we begin reenvisioning ac- devices have screens and keyboards, so the process of au- cess control and authentication for the home IoT. We pro- thentication often involves passwords, PINs, fingerprint pose that access control focus on IoT capabilities (i. e., biometrics, or similar approaches [6]. certain actions that devices can perform), rather than on Home IoT devices are fundamentally different. First, a per-device granularity. In a 425-participant online user numerous users interact with a single home IoT de- study, we find stark differences in participants’ desired vice, such as a household’s shared voice assistant or access-control policies for different capabilities within a Internet-connected door lock. Widely deployed tech- single device, as well as based on who is trying to use niques for specifying access-control policies and authen- that capability. From these desired policies, we identify ticating users fall short when multiple users share a de- likely candidates for default policies. We also pinpoint vice [50]. Complicating matters, users in a household necessary primitives for specifying more complex, yet often have complex social relationships with each other, desired, access-control policies. These primitives range changing the threat model. For example, mischievous from the time of day to the current location of users. Fi- children [38], parents curious about what their teenagers nally, we discuss the degree to which different authenti- are doing [44], and abusive romantic partners [29] are all cation methods potentially support desired policies. localized threats amplified in home IoT environments. Furthermore, few IoT devices have screens or key- 1 Introduction boards [37], so users cannot just type a password. While users could possibly use their phone as a central authen- Recent years have seen a proliferation of Internet of tication mechanism, this would lose IoT devices’ hands- Things (IoT) devices intended for consumers’ homes, in- free convenience, while na¨ıve solutions like speaking a cluding Samsung SmartThings [35], the Amazon Echo password to a voice assistant are often insecure. voice assistant [2], the Nest Thermostat [48], Belkin’s Real-world examples of the shortcomings of current Wemo devices [5], and Philips Hue lights [32]. To date, access-control-policy specification and authentication IoT security and privacy research has focused on such de- for home IoT devices have begun to appear. A Burger vices’ insecure software-engineering practices [3,13,15], King TV commercial triggered Google Home voice as- improper information flows [15,40,45], and the inherent sistants to read Wikipedia pages about the Whopper [47], difficulties of patching networked devices [49, 51]. while the cartoon South Park mischievously triggered Surprisingly little attention has been paid to access- Amazon Echo voice assistants to fill viewers’ Amazon control-policy specification (expressing which particular shopping carts with risque´ items [34]. While these ex- users, in which contexts, are permitted to access a re- amples were relatively harmless, one could imagine a source) or authentication (verifying that users are who rogue child remotely controlling the devices in a sibling’s they claim to be) in the home IoT. This state of af- room to annoy them, a curious babysitter with temporary USENIX Association 27th USENIX Security Symposium 255 access to a home perusing a device’s history of interac- than the babysitter setting a persistent rule to unlock the tions, or an enterprising burglar asking a voice assistant front door whenever anyone rings the doorbell. through a cracked window to unlock the front door [42]. RQ3: On what contextual factors (e. g., location) In this paper, we take a first step toward rethinking do access-control policies depend? (Section 6.5). the specification of access-control policies and authenti- In addition to a user’s location, we found that partici- cation for the home IoT. We structure our investigation pants wanted to specify access-control policies based on around four research questions, which we examine in a user’s age, the location of a device, and other factors. a 425-participant user study. These research questions Almost none of these contextual factors are supported are motivated by our observation that many home IoT by current devices. Finally, to identify promising di- devices combine varied functionality in a single device. rections for designing authentication mechanisms in the For example, a home hub or a voice assistant can perform home IoT, we asked: tasks ranging from turning on the lights to controlling the RQ4: What types of authentication methods bal- door locks. Current access control and authentication is ance convenience and security, holding the potential often based on a device-centric model where access is to successfully balance the consequences of falsely granted or denied per device. We move to a capability- allowing and denying access? (Section 6.6). centric model, where we define a capability as a partic- Analyzing consequences participants noted for falsely al- ular action (e. g., ordering an item online) that can be lowing or denying access to capabilities, we identify a performed on a particular device (e. g., a voice assistant). spectrum of methods that seem promising for authenti- Intuition suggests that different capabilities have differ- cating users (Section7), thereby enabling enforcement of ent sensitivities, leading to our first research question: users’ desired access-control policies for the home IoT. RQ1: Do desired access-control policies differ among capabilities of single home IoT devices? Contributions We begin to reenvision access control (Section 6.2 and 6.3). and authentication for the home IoT through a 425- We investigated this question by having each study par- participant user study. Our contributions include: ticipant specify their desired access-control policy for (i) Proposing access-control specification for the one of 22 home IoT capabilities we identified. For house- multi-user home IoT based on capabilities that bet- hold members of six different relationships (e. g., spouse, ter fits users’ expectations than current approaches. child, babysitter), the participant specified when that per- (ii) Showing the frequent context-dependence of son should be allowed to use that capability. Our findings access-control policies, identifying numerous con- validated our intuition that policies about capabilities, textual factors that future interfaces should support. rather than devices, better capture users’ preferences. (iii) Setting an agenda for authentication in the home Different capabilities for voice assistants and doors par- IoT based on methods that minimize the conse- ticularly elicited strikingly different policies. quences of falsely allowing or denying access. While the ability to specify granularly who should be able to use which capabilities is necessary to capture users’ policies, it incurs a steep usability cost. To mini- 2 Background mize this burden through default policies, we asked: RQ2: For which pairs of relationships (e. g., child) In this section, we scope our notion of home IoT de- and capabilities (e. g., turn on lights) are desired vices, identify our threat model, and review current de- access-control policies consistent across partici- vices’ support for access control and authentication. We pants? These can be default settings (Section 6.4). define home IoT devices to be small appliances that In our study, nearly all participants always wanted their are Internet-connected and used primarily in the home. spouses to be able to use capabilities other than log dele- Internet-connected lights and thermostats are two exam- tion at all times. Participants also wanted others to be ples. Many such devices are managed through a hub able to control the lights and thermostat while at home. that facilitates communication between devices, enforces As intimated
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages19 Page
-
File Size-