Towards Practical Integrity in the Smart Home with HomeEndorser - arXiv
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Towards Practical Integrity in the Smart Home with HomeEndorser Kaushal Kafle Kirti Jagtap Mansoor Ahmed-Rengers kkafle@cs.wm.edu ktj35@psu.edu mansoor.ahmed@cl.cam.ac.uk William & Mary Penn State University University of Cambridge Williamsburg, Virginia, USA Pennsylvania, USA Cambridge, UK Trent Jaeger Adwait Nadkarni trj1@psu.edu apnadkarni@wm.edu arXiv:2109.05139v1 [cs.CR] 10 Sep 2021 Penn State University William & Mary Pennsylvania, USA Williamsburg, Virginia, USA ABSTRACT their privacy [37]. Such automation is often expressed using trigger- Home automation in modern smart home platforms is often facili- action programs known as routines, that automatically perform a tated using trigger-action routines. While such routines enable flexi- device action (turning OFF the camera) in response to a trigger (e.g., ble automation, they also lead to an instance of the integrity problem a change from “away” to “home”). in these systems: untrusted third-parties may use platform APIs Routines are often enabled via third-party integrations/services, to modify the abstract home objects (AHOs) that privileged, high- which automate device-actions by leveraging platform APIs. Par- integrity devices such as security cameras rely on (i.e., as triggers), ticularly, third-parties use the APIs to modify two distinct types thereby transitively attacking them. As most accesses to AHOs are of objects, device states (e.g., the ON/OFF state of a light bulb), legitimate, removing the permissions or applying naive information and abstract home objects (AHOs) that are not device-specific (e.g., flow controls would not only fail to prevent these problems, but also home/away, hereby referred to as the home AHO). These AHOs break useful functionality. Therefore, this paper proposes the alter- are in fact computed in several ways, often through third-party ser- nate approach of home abstraction endorsement, which endorses a vices (e.g., set by the user [33], inferred by querying a combination proposed change to an AHO by correlating it with certain specific, of device states [25], using some other proprietary approach [57], preceding, environmental changes. We present the HomeEndorser or inferred from other factors such as geolocation [62]). One par- framework, which provides a policy model for specifying endorse- ticularly dangerous attack vector that emerges from this setting is ment policies for AHOs as changes in device states, relative to their where adversaries gain privileged access to devices indirectly, by location, and a platform-based reference monitor for mediating all falsifying an AHO that a high-integrity device depends on (via a API requests to change AHOs against those device states. We eval- routine). For instance, consider a situation wherein an adversary may uate HomeEndorser on the HomeAssistant platform, finding that want to disable the security camera to perform a burglary unnoticed, we can derive over 1000 policy rules for HomeEndorser to endorse but may not have direct API access to it. As demonstrated by prior changes to 6 key AHOs, preventing malice and accidents for less work [31], such a camera (e.g., the NEST security camera) can be than 10% overhead for endorsement check microbenchmarks, and remotely disabled by compromising a relatively low-integrity inte- with no false alarms under realistic usage scenarios. In doing so, gration (e.g., a TP Link Kasa app) and using its privilege to change HomeEndorser lays the first steps towards providing a practical the home AHO (i.e., from “away” to “home”), thus triggering the foundation for ensuring that API-induced changes to abstract home routine described previously and turning the camera OFF. Given the objects correlate with the physical realities of the user’s environment. widespread vulnerabilities in third-party integrations [31] and the extensive privileges that enable them to modify AHOs [16, 65], this ACM Reference format: type of lateral privilege escalation is of serious concern. Kaushal Kafle, Kirti Jagtap, Mansoor Ahmed-Rengers, Trent Jaeger, and Ad- This problem of lateral escalation is, at its core, an integrity prob- wait Nadkarni. 2021. Towards Practical Integrity in the Smart Home with lem analogous to those seen in operating systems: a high-integrity HomeEndorser. In Proceedings of ACM Conference, Washington, DC, USA, process (here, the security camera) relies on the value of an object July 2017 (Conference’17), 16 pages. (i.e., the home AHO), which can be modified by untrusted parties. https://doi.org/10.1145/nnnnnnn.nnnnnnn Thus, smart home platforms must directly address the the lack of strong integrity guarantees for AHOs used in automation. This fram- ing deviates from existing literature where proposed mitigations 1 INTRODUCTION include restricting over-privilege [35, 48, 65] or restricting permis- 189.4 million households worldwide have at least one smart home sion usage based on the runtime context of an API access [29]. We device [60]. This popularity can be explained in part due to the believe such mitigations may imposes infeasible usability penalties, convenience of home automation, wherein smart home devices auto- whilst not addressing the underlying lack of integrity (see Section 2). matically react to changes in the user’s physical environment. For Information flow control (IFC) has often been proposed as a example, the user may configure a security camera to begin record- method to ensure the integrity of information consumed by sensitive ing when they leave home, but turn OFF when they return to preserve processes [3, 15, 17, 34, 38, 71], through labeling of subjects and
objects, and dominance checks that regulate flows based on labels [3]. home via multiple physical entry points), (2) a platform-based ref- For example, the IoT platform may mark the home AHO with a erence monitor to enable HomeEndorser to mediate all sensitive high-integrity label and mark third-party services chosen by the user state changes using these policies, and finally, (3) a systematic, semi- as low-integrity. However, the enforcement of such a policy may automated policy specification methodology for experts, that only block a service chosen by the user to update home, result in a false considers device-states/attributes that can be trusted for endorsement denial from the user’s perspective (e.g., 19/33 NEST integrations (e.g., read-only, or designated as highly trusted by platforms). from a prior dataset [31] would be blocked under such a model). 3. Implementation and Evaluation: We implement HomeEndorser IFC systems rely on endorsement [5, 34, 70, 71] to overcome this on HomeAssistant, a popular open-source smart home platform, limitation, allowing trusted programs to change labels of objects and evaluate it using experimental and empirical analyses. We first to permit flows that would normally violate the labeling. However, demonstrate that the idea of home abstraction endorsement is feasi- determining the conditions where an endorsement would be allow- ble, even when using a limited set of trusted device attributes, by gen- able is a challenge; indeed, prior work has often avoided directly erating 1023 policies for endorsing the home AHO. We demonstrate addressing this problem, and generally facilitates endorsement by the generality of our policy model by identifying several attributes assigning the authority to certain trusted high-integrity processes, that my be used to endorse 5 additional AHOs. We then demonstrate thereby delegating the task of determining how to endorse correctly the security guarantee enabled by HomeEndorser using a case-study to the programmer or administrator [8, 34, 54, 71]. However, in our approach. Moreover, we perform 10 realistic home usage scenar- case, smart home users may lack information about dependencies ios [30] in a smart home (apartment) testbed to demonstrate that among devices and AHOs to do this correctly. So, we ask instead: HomeEndorser is generally not susceptible to false denials, and in Is there something else we can rely on to provide endorsement for fact, may prevent accidental unsafe situations created through in- practical integrity guarantees? tentional user actions. We demonstrate HomeEndorser’s practical Yes – the cyber-physical nature of the smart home provides us performance overhead with micro/macro benchmarks (9.7-12.2% on with a unique opportunity for practical endorsement, in the form of average). Finally, we demonstrate that the effort required to specify ground truth observations from devices (i.e., device state changes) policies, configure HomeEndorser in end-user homes, and integrate that can be used to validate proposed changes to AHOs. For instance, HomeEndorser in popular smart home platforms, would be modest, we can endorse the change to the home AHO (from “away” to and acceptable given the benefit of strong integrity enforcement. “home”) if the door lock was legitimately unlocked (i.e., with the correct keycode) recently, since the lock being unlocked represents the home owner’s intent and attempt to enter the home. Thus, we state the following claim that forms the foundation of this work: 2 MOTIVATION Abstract home objects (AHOs) shared among third-party services Programmable smart home platforms are popular among users for and devices for the purpose of home automation are inherently tied two primary reasons: integration and automation. That is, plat- to a home’s physical state. Thus, any state change or modification to forms such as SmartThings [59] and NEST [39] provide permission- an AHO via an API call can be endorsed using the local context of protected APIs that enable seamless integration of a diverse array the home which consists of a combination of device states. of third-party services, ranging from software support (e.g., cloud and mobile apps) for a variety of smart home devices (e.g., TP Link Contributions: We introduce the paradigm of home abstraction Kasa [22], Wemo [23]), to third-party automation platforms that endorsement to validate changes to AHOs initiated by untrusted hook into the smart home and enable user/developer-provisioned API calls, and propose the HomeEndorser framework to enable it. automation routines (e.g., IFTTT [26] and Yonomi [69]). HomeEndorser does not continuously monitor AHOs, but focuses Platform-provided API access allows the caller (i.e., the third- on API-induced changes to specific AHOs, and performs a sanity party service) to read/write to two broad categories of “states” in check using policies that rely on the recent physical state changes in the home: (1) device states, i.e., values associated with individual smart home devices. If the check fails, the state change is denied and devices such as the security camera (e.g., the ON/OFF state, battery the user is informed. HomeEndorser’s preemptive action prevents status), and (2) abstract home objects (AHOs) that are not associated future automation based on maliciously changed AHOs. We make with any specific device, and instead may be computed in several the following contributions in exploring this novel design space: ways, often by taking into account the user’s choice. For example, an 1. Home Abstraction Endorsement: We introduce the paradigm of object that stores whether the user is home or away is an AHO (i.e., home abstraction endorsement, which leverages the states of local the home AHO), and a third-party service designated by the user devices to endorse proposed changes to AHOs. Our approach makes may compute it in several ways, i.e., based on the location of the IFC endorsement practical by exploiting the cyber-physical nature user’s phone [62], based on the certain device states in the home [25], of the smart home, and significantly deviates from prior IFC systems using a proprietary/undisclosed method/device [57], or through a that enforce integrity guarantees purely based on opaque labels. direct command from the user [33]. The use of AHOs by third-party services, and in routines that control security-sensitive devices in the 2. The HomeEndorser Framework: We design the HomeEndorser home, may lead to severe consequences for security and safety, and framework to provide secure and practical endorsement, consisting particularly, the integrity of the home, as we discuss in the following of (1) a policy model that allows a unified expression of location- motivating example inspired from prior attacks [31, 32]. specific device instances within a single policy (e.g., endorsing
3rd-party Platform Abstract Home Routines Devices 3rd party Reference Abstract Home Home
services REST API Objects (AHOs) service API Monitor Objects (AHOs) Devices
set to R1: If home then OFF
Service 1 home/away modify modify
“home” camera OFF Serv1 Permission state1 device1
state1 state1
security_state R2: If motion Check
Service 2 then light ON Serv2 state2 device2
fire
… … Integrity
…
…
…
Service n … Rn Check
Servn statem devicek
endorse allow/
Figure 1: An attack on the security camera through the manipulation (state1) deny
of two shared state objects by adversary-controlled integrations. policystate ({device-attribute set}) trusted
1 device-states
2.1 Motivating Example Figure 2: A conceptual overview of physical home endorsement.
Alice is a smart home user who has installed a security camera to de-
ter burglars. For automated monitoring when she is away, Alice has may genuinely need to modify AHOs to perform their functionality.
configured two routines for the camera (similar to routines enabled Thus, disallowing the user’s choice of third-party integration from
by SimpliSafe [56] and NEST [40]): (1) the camera should turn ON writing to AHOs is bound to break numerous useful services that the
when Alice leaves (i.e., goes away), and (2) the camera should turn user relies on (e.g., IFTTT, Yonomi, Kasa), which is a prohibitive
OFF when Alice returns (i.e., returns home). Additionally, Alice cost in terms of user experience that platforms may find undesirable.
has also integrated several third-party services such as the TP Link For example, in 2019, Google announced an end to its “Works with
Kasa app (which allows her to control her Kasa switch). NEST” developer program in favor of a more restricted “Works with
We now introduce our adversary Bob, who seeks to burglarize the Google Assistant” program that would only be open to vetted part-
house when Alice is away, without being monitored by the camera. ners [20], but immediately backtracked [9, 21, 63] given significant
Bob knows what third-party services are connected to Alice’s home, opposition from both users and third-party integrations/develop-
and any vulnerabilities they may have (e.g., SSL misuse in the TP ers [11, 12, 27, 64, 66], eventually offering a more flexible program
Link Kasa app). Thus, we assume that Bob either exploits one or that would allow a broader set of partners access to internal home
more vulnerabilities in a connected third-party service to control it, states (including AHOs) [21]. It is important to note that even when
or steals an authorization token belonging to a service, which allows such partners may be vetted, prior work has demonstrated that such
Bob to access the APIs with the permissions assigned to the service. vetting is often ineffective, as even vetted integrations may flout
Using these abilities, Bob can disable the camera without API ac- security/privacy-design policies [31, 32, 36]. This is particularly true
cess to it in the manner shown in Figure 1: Bob uses the access he has in the case of smart home platforms, as integrations are often hosted
obtained from the compromised service (e.g., a stolen authorization outside of the purview of the platform, i.e., on third-party clouds, and
token from Kasa [31]) to set the home AHO to the value “home”, any security assessment by the platform given this limited visibility
falsely suggesting that Alice is home. This false change triggers the is bound to be only partially effective.
routine described previously, and turns the security camera OFF. Therefore, there is a need for a solution that is (1) backwards
This problem is not just limited to the home AHO. Consider compatible or practical, i.e., does not break functionality by pre-
another AHO, the security_state, which is often used in rou- venting third-parties from accessing AHOs, and (2) effective, i.e.,
tines [1, 49] to control security-related devices such as cameras and which enables integrity guarantees for devices that rely on AHOs.
glass break detectors. That is, the security devices are armed when To this end, this paper proposes the moderate route of proactive
the security_state is set to “deter”, and disarmed/ignored integrity checking, i.e., runtime validation of proposed changes to
when the security_state is set to “ok” (similar to routines AHOs, which will enable reasonable integrity guarantees while being
from Ring [49] and TotalConnect [1]). If Bob can obtain control compatible with platform design and integration choices.
over an integration that has access to the security_state, Bob
can set it to “ok” and disable the camera just as well. That is, the 3 OVERVIEW
adversary may falsify one of many AHOs to transitively manipulate This paper introduces the novel paradigm of home abstraction en-
a highly sensitive device. dorsement that provides a strong integrity guarantee for AHOs,
2.2 The Need for Proactive Integrity Checks defined as follows: In the event that an untrusted service uses the plat-
As shown in Figure 1, Bob transitively attacks a high-integrity device, form API to modify a critical AHO, e.g., home or security_state,
i.e., by modifying AHOs to trigger routines that manipulate a high- the modification will be allowed iff it is consistent with the local state
security device such as a camera, which Bob cannot compromise or of the home, composed of the physical device states. Our approach
modify (via API) directly. In other words, this problem is a smart builds upon the concept of trusted “guards” in the Biba integrity
home-specific instance of the classical OS integrity problem (e.g., model [3]. That is, in a system operating under Biba integrity, a high
Biba integrity [3]), wherein a high-integrity process (i.e., the camera) integrity subject cannot receive input from a low integrity subject
relies on an object (i.e., the home AHO) which can also be modified unless it is endorsed by a trusted guard. Similarly, in the smart home,
by low-integrity process (e.g., the Kasa integration). we envision that endorsement policies that apply trusted device states
As high-integrity devices rely on such AHOs, traditional wisdom will serve as the trusted guards, ensuring the validity of API requests
dictates that low-integrity (or third-party) integrations must be disal- to change the AHOs that high-integrity devices rely on.
lowed from writing to these objects. However, recall that in existing Figure 2 provides an overview of our approach. When a third
platforms (e.g., SmartThings and NEST), AHOs are often computed party service attempts to modify an AHO, the platform first en-
by third-party services chosen by the user, and such integrations forces a permission check. We envision an additional integrity checkfor endorsing the proposed change, performed using an endorse- and the platform app; explicitly, the adversary cannot censor notifi- ment policy corresponding to each AHO-change that we plan to cations sent from the platform to the user. Devices may be offline; endorse. This policy leverages the recent changes in specific device- however, we do not account for byzantine fault tolerance, but point attributes/states for arriving at an endorsement decision. For example, to complementary prior work [4] that verifies reported device states. for endorsing a proposed change in the home AHO from “away” to “home”, one possible policy would be as follows: if the door-lock 4 THE HOMEENDORSER FRAMEWORK has been unlocked recently (i.e., using the correct keycode), then We propose HomeEndorser, a framework that enables home abstrac- ALLOW the change, else DENY. To build a system that enables our tion endorsement by developing the methods and systems necessary vision of home abstraction endorsement, we first define a set of key to achieve the design goals G1→G5. We first define a policy model design goals, followed by the threat model. that can express deployment-considerations such as device locality and availability (G1). HomeEndorser automatically instantiates the 3.1 Design Goals policies defined within this model in the context of the end-user’s The following goals guide our design of an effective, backwards home, i.e., considering the devices available as well as install loca- compatible, framework for home abstraction endorsement: tions, thereby reducing deployment-time configuration effort (G5). G1 Expressive and Grounded Endorsement Policies. The endorse- HomeEndorser’s reference monitor is integrated into the user’s ment policy structure must be designed in a way that allows smart home platform in the form of an endorsement check in the it to express common deployment factors in smart homes that platform subsystem responsible for executing all API calls, thereby may affect the endorsement, such as device availability and lo- ensuring complete mediation (G2). When a third-party makes an cality. Moreover, when policies are specified using this design, API call to modify an AHO-change that HomeEndorser endorses, the specification methodology must be grounded in real smart HomeEndorser invokes the corresponding policy, and uses a state home devices and their characteristics for practical relevance. machine to retrieve the most recent change in each relevant device G2 Complete Mediation. Third party services are generally de- state/attribute included in the policy (G4). We consider the most ployed in cloud environments outside the platform’s control, as recent change, rather than the current state of the device attribute, as simple cloud end-points that can make REST API calls (e.g., the the two may be different (since most sensors reset after a change), “Works with Google Assistant” platform [19], or SmartThings and because the most recent device state changes provide the context v3 [59]). Hence, the reference monitor should be app-agnostic, for endorsing the proposed AHO change. This design decision is in- i.e., should not depend on the analysis/instrumentation of app- strumental in eliminating unnecessary false denials (see Section 6.4). s/services, but should provide complete mediation for all API We formulate a policy specification methodology that allows ex- calls that modify AHOs, irrespective of app logic. perts to specify endorsement policies in a systematic, ground-up G3 Tamperproofness. While our endorsement approach relies on de- manner (G1). Our approach derives a mapping of smart home de- vice states, several device states may be modifiable by untrusted vices and their attributes (i.e., fields that indicate specific device services using the platform API. We need to build a reference states), which are further filtered to a set of endorsement attributes: monitor that only relies on trusted reports from devices. device-attributes that can be trusted for endorsement, due to being G4 Freshness. The task of endorsing an AHO change may require either read-only or treated as highly restricted by platforms (G3). the reference monitor to examine recent changes in the states Once the trusted attributes are identified, we use systematic open of physical devices, rather than simply reading the current state coding to identify inferences drawn from them that can endorse spe- (e.g., as sensor states may reset after apprising the platform cific AHOs. These inferences, when expressed in our policy model, of an event). Hence, the reference monitor must have trusted form deployment-independent endorsement policy templates that access to historical states and timestamps. are automatically instantiated in the user’s deployment-context. G5 Minimal Performance and Management Overhead. Implement- The rest of this section describes the three design components, ing physical state endorsement is likely to introduce several starting with the policy model (Section 4.1), followed by the runtime additional performance costs to API accesses. The framework enforcement (Section 4.2), and the data-driven policy specification should minimize any performance delay perceivable by the user, and instantiation methodology (Section 4.3). We use the endorse- as well as the effort required to deploy and manage policies. ment scenario in Section 2.1 as the running example. 3.2 Threat Model 4.1 Policy Model We consider a network-based adversary with the ability to compro- A key challenge for HomeEndorser is designing a policy model that mise any third-party integration/service connected to the target’s can alleviate two practical constraints. First, unlike our motivating home (e.g., as demonstrated by prior work [16, 31]). The attacker’s example where a single device-attribute (i.e., the UNLOCKED state objective is to indirectly modify or disable high integrity devices of the door lock) was used for endorsing home, in practice, endorse- (e.g., security camera) using compromised or malicious third-party ment policies may consist of more than one device-attribute that services. The adversary may issue API commands to the target’s must be checked simultaneously. Second, the device location is an home that may affect device states; however, the adversary does not important factor in deciding what they can endorse. For example, have the ability to compromise devices in the home by other means while a door lock on the front door as well as a door lock on the back (i.e., which is a standard assumption in work that deals with API door can both indicate that the user is home, the two endorsements misuse [7, 13, 14]). The adversary cannot compromise the platform are naturally mutually exclusive. We account for these constraints
with a policy design that can be expressed as a Disjunctive Normal Devices 3rd party service Form (DNF) boolean formula, as follows: write (state) Platform API Definition 1 (Endorsement Policy). The policy for endorsing a check (state) allow/ deny change in AHO to value , ( ), is a DNF formula composed of Endorsement most recent Platform State Check change Machine one or more location-specific predicates ( ), i.e., ( ) = 1 ∨ 2 ∨ ... ∨ , where a location-specific predicate is defined as follows: Instance- Platform config specific policies (devices, locations) Definition 2 (Location-specific Predicate). A location-specific pol- Expert-defined Deployment-aware Config. Change icy predicate for location (e.g., entryway), i.e., = ∧ ∧... , Policy Templates Policy Instantiation Tracker is a conjunction of one or more device-attribute checks , defined Figure 3: Design components of HomeEndorser’s enforcement as follows: before they are executed (G2). This decision is influenced by how Definition 3 (Device-attribute Check). A device-attribute check third-party services are currently integrated, i.e., as cloud endpoints is a condition == , where is a physical state that the particular that use RESTful APIs to interact with the platform, but execute device-attribute must have exhibited in the recent past, for the device- on their own proprietary servers, without a way for the platform attribute check to return true. to inspect them (e.g., NEST and SmartThings v3). Therefore, our To illustrate, let us express the policy from the motivating example decision ensures that the endorsement check will occur regardless for endorsing the home AHO’s change to the value “home”. We of how the integration is implemented, or where it is deployed. We express the policy using a door lock and a motion sensor at the entry now describe our platform-level enforcement in terms of its three way, as well as the same devices at the rear entrance, as follows: design components, as shown in Figure 3. home (home) = (door-lock_lock == UNLOCKED ∧ 1. Deployment-aware Policy Instantiation: HomeEndorser enforces motion_sensor == ACTIVE) − policies specified as per the policy model described previously (we ∨ describe the specification process in Section 4.3). However, it cannot (door-lock_lock == UNLOCKED ∧ directly enforce the general policies without first contextualizing motion_sensor == ACTIVE) − them to a user’s home, for three key reasons: (1) A typical user’s The above policy considers both the door lock being unlocked, and setup is unlikely to have all the devices specified in the policy, i.e., motion being sensed, to prevent false negatives. That is, for both the the most restrictive policy consisting of the most number of devices conditions above to be true, a user would have to unlock the door would always deny the state change. (2) The policies need to be and then enter, i.e., proving that they are home beyond doubt. On the configured as per the different locations in which devices are placed contrary, if the user unlocks but leaves without entering, this policy in the home, and (3) The enforced policies need to adapt as the user’s condition would correctly result in a denial (as shown in Section 6.4). smart home evolves (e.g., through device addition/removal), to pro- Similarly, the disjunction between the location-specific predicates vide the enforcement applicable to the current setup. Thus, we treat enables their independent evaluation, thereby allowing the AHO- the specified policies as templates that HomeEndorser automatically change as long as either one evaluates to a true result. Finally, we instantiates in the deployment-context of a particular home. define two policy actions: ALLOW and DENY, corresponding to the To elaborate, when HomeEndorser is first set up in a home, it true or false values that the DNF formula results in, respectively. leverages the platform’s internal bookkeeping systems to extract For Bob to circumvent HomeEndorser’s defense, Bob could at- all the devices and device-locations. Then, for each state the user tempt to modify home at the very moment when Alice is performing decides to endorse, it uses the policy templates specified previously what are semantically completely opposite actions, but sufficient to instantiate the most restrictive but feasible policy, i.e., the policy for the endorsement of home. For instance, Alice could be leaving, that contains the largest aggregate of device-attributes (with the which would also involve (1) unlocking the door, and (2) triggering assumption that including more device-attributes would make the the door-way motion sensor. A naive implementation of our policy inference stronger), but which is also supported given the devices model would be susceptible to this attack, as it would consider the present in the home and their locality. This most restrictive policy is above device state changes, even if performed in the opposite sense, then marked for enforcement. Finally, HomeEndorser also updates to be evidence that Alice is returning home, because it matches its policy instances upon a configuration change, such as the addition, ℎ (home). However, smart home devices provide unique device removal, or relocation of a new device. attribute values even for similar actions, i.e., the state value for un- 2. The Endorsement Check: HomeEndorser mediates all API re- locking the door using the keypad is different relative to simply quests, but only invokes the endorsement check if one of the AHOs unlocking it from the inside (i.e., “owner” in the former case, and selected by the user for endorsement is about to be modified, in “manual” in the latter). Our policy specification 4.3 and enforce- a manner similar to performance-preserving hook activations as ment (Section 4.2) consider device-attribute values at this precise previously proposed for Android [24] (G5). The check consists of granularity, preventing such an attack. retrieving the policy for the specific AHO-change being endorsed and collecting state information from the device-attributes in the 4.2 Secure and Practical Enforcement policy. As described previously in Section 4.1, if the policy deci- We integrate HomeEndorser’s enforcement into the smart home sion is ALLOW, then the proposed change is allowed to go through; platform, to enable it to mediate all API commands from third-parties else, it is denied, and the user is notified. A key component of this
Smart Home Data Sources are then used to specify policy templates (using the model from Sec- SmartThings OCF Device Handlers Standard tion 4.1). Note that although we develop a methodology to specify NEST SmartThings policies, we assume optimal device placement and sensor configu- Data Store Capability Ref ration to be out of scope, and direct the reader to complementary code specs Expert-defined related work that informs users on optimal deployment [30]. Device-Attribute Policy Templates Map Generation 1. Generating the Device-Attribute Map: We develop a semi- device- Policy automated methodology to create a realistic device-attribute map attributes Specification Endorsement device- endorsement from platform documentation and existing device-abstractions such attribute identification device-attrs as SmartThings “device handlers”. We select the following infor- Figure 4: HomeEndorser’s policy specification methodology. mation sources for building the map, based on platform popular- ity, and the potential of obtaining realistic mappings: (1) a device- check is HomeEndorser’s platform state machine that retrieves the resource map from the Open Connectivity Foundation (OCF) spec- device-attribute values, which we now describe in detail. ification [43], used by the open source platform IoTivity [28], (2) 3. Retrieving the most recent changes using the Platform State the NEST data store [41], (3) the SmartThings capability refer- Machine: A naive approach of executing an endorsement check ence [58], and (4) SmartThings device handlers [52]. As each of would be to query each device for its current state at the time of these sources exhibits a unique representation of devices and at- endorsement. However, such a check would most certainly fail and tributes, we develop customized, automated, methods for extracting lead to a false denial because most sensors detect and report a change, device-attributes from each source. To elaborate, OCF explicitly and then reset to a predefined neutral state. For example, recall the specifies a device types, the attributes associated with each device endorsement policy predicate to endorse home consisting of the door type in a JSON document [44], which we automatically analyze to lock and the motion detector (assuming one location for simplicity): obtain a device-attribute map for OCF. Similarly, the NEST data store provides a mapping of device-attributes in JSON-like format, door-lock_lock == UNLOCKED ∧ motion_sensor == ACTIVE which we similarly query. SmartThings provides a capability refer- Unless the endorsement check happens exactly at the moment ence [58], which lists attributes (i.e., capabilities) that devices may the user enters, the motion detector will reset to its INACTIVE state choose to exhibit, via developer-defined device handlers, which are immediately after detecting motion, resulting in a false denial. There- software proxies for devices that facilitate device-interaction with fore, for correct endorsement, we check the most recent but fresh the platform. To extract a device-attribute map from SmartThings, change in the physical device states (G4), i.e., the last state change we automatically analyze the 334 device handlers from the Smart- before the state automatically reset, within a certain configurable Things repository [52], and capture the device-attribute relationships time threshold to ensure freshness (e.g., one minute). evident in the preamble (seen in Figure 6 in the Appendix). A state machine that keeps track of the state changes in all the 2. Identifying Trusted Endorsement Attributes for Tamperproof devices provides HomeEndorser’s reference monitor with this data, Endorsement: We observe that similar to AHOs, several device- by tracking changes through callbacks placed in the entities that rep- attributes are modifiable by third-parties through the platform APIs, resent devices on the platform (e.g., device handlers in SmartThings, either for legitimate purposes or due to over-privilege. Therefore, or device-integrations in HomeAssistant). Every time the physical for ensuring tamperproof endorsement, HomeEndorser must be able state of a device changes, the state machine callback is invoked to to trust the information received from the participating endorsers store the most recent state change along with the timestamp. The i.e., device-attribute pairs (G3). We achieve this goal by defining timestamp helps HomeEndorser discard states that are older than the a trusted subset of device-attributes to be used for our checks, i.e., preconfigured threshold, thereby preventing old states from causing endorsement attributes. We propose two categories of endorsement false allows (G4). Finally, we note that this state machine abstraction attributes: (1) read-only attributes, i.e., which are only writable by does not have to be developed from scratch, and can be built on top devices, and not via API calls, rendering them read-only from the of the platform’s subsystem that keeps track of device states. third-party API caller’s perspective (e.g., motion sensor reading), and (2) designated attributes, which are writeable in theory, but 4.3 Data-driven Policy Specification are considered high-integrity by platforms and prior security re- Figure 4 provides an overview of our data-driven methodology to search [10, 61] alike (e.g., locking the door lock), and hence, heavily allow experts (e.g., security researchers, platform vendors) to spec- restricted. For example, NEST allows its own platform app to unlock ify endorsement policy templates that are representative of what the locks integrated with it (e.g., the Nest X Yale Lock [18]), but does real device states can enable (G1), which HomeEndorser automat- not allow third-party apps to do the same. Therefore, both read-only ically instantiates in the context of end-user homes (as previously and designated device attributes would have a higher integrity level described in Section 4.2). We begin by creating a device-attribute than a state such as home, and hence, would be trusted to endorse it. map, i.e., a comprehensive mapping between device types (e.g., cam- We identify read-only device-attributes in a manner similar to eras, door locks) and the attributes they embody. We then define the our approach for extracting the device-attribute map, i.e., by parsing endorsement attributes to be used for tamperproof endorsement, and platform documentation and device handler code. For identifying describe our approach for identifying them (G3). Finally, we use designated attributes, we leverage the rationale of popular platforms an open coding methodology for identifying the observations and for assigning integrity levels to attributes only writable by the plat- inferences that can be made from the endorsement attributes, which form app, particularly those belonging to security-sensitive devices.
Table 1: AHOs inferred from Endorsement Attributes state changes and their timestamps. It also hooks into the state ma- AHO Endorsement attributes chine to intercept the incoming state change requests, to mediate all home home API accesses. Furthermore, HomeAssistant has a component known fire as an Event Bus, which announces and logs the addition/removal of fire devices, among other events. HomeEndorser adds callbacks in the safety_state Event Bus and re-instantiates the endorsement policies in response illuminance to any change in device deployment. Finally, HomeEndorser keeps track of device-connectivity using HomeAssistant’s built-in mech- 3. Generating Endorsement Policies from Attribute Inferences: anisms, and falls-back to the next most restrictive policy in case a We now address the question of how the endorsement attributes are device becomes unavailable at runtime. Note that no such loss of used to endorse a specific AHO, by designing a holistic inference connectivity was noticed throughout our evaluation. study. We begin by identifying 5 additional AHOs, by considering the objects that have been previously examined and found to be susceptible to transitive attacks [13, 31], and by considering AHOs 6 EVALUATION not mentioned in prior work, but which we encountered when build- Our evaluation is guided by the following research questions: ing our device-attribute map (e.g., the security_state from • RQ1 : (Feasibility of the policy model.) Is it feasible to specify en- NEST, which prior work does not account for). Then, we consider dorsement policies using only a small subset of trusted endorsement each device-attribute, and identify the type of information sensed or attributes, i.e., only the read-only and designated device attributes? observed by that device-attribute, which we then translate to an infer- • RQ2 : (Generalizability of the policy model) Do feasible endorse- ence that could be used for endorsing an integrity-sensitive change ment policies exist for endorsing AHOs other than home? in one or more of the AHOs. For example, the device-attribute pair • RQ3 : (Security.) Does HomeEndorser prevent an attacker from indicates that the security panel/keypad escalating privilege to a high-integrity device (e.g., a camera) using was recently disarmed, which may indicate that the user recently one or more shared objects? arrived home, and hence, provide an inference to endorse the home • RQ4 : (False Denials.) What is the rate of false denials in typical AHO’s proposed change to “home”. As a key principle in the con- benign usage, i.e., when users intentionally cause AHO changes? struction of policies is the a combination of device inferences, we • RQ5 : (Runtime Performance.) What is the performance overhead combine inferences to construct deployment-independent policy tem- introduced by HomeEndorser? plates using the structure defined in Section 4.1. An example set of • RQ6 : (Integration Cost.) How much effort is required to integrate inferences discovered using this process are shown in Table 1. and deploy HomeEndorser? We evaluate RQ1 →RQ6 using a diverse array of empirical and 5 IMPLEMENTATION experimental methods. We first derive 1023 endorsement policies This section describes our policy specification study, as well as the (i.e., templates) for endorsing the home AHO using the approach reference monitor implemented in HomeAssistant. described in Section 4.3, which demonstrates that the proposed approach is feasible with even a limited endorsement attributes 1. Policy Specification Study: We automatically generated a com- (RQ1 ). Further, we demonstrate that HomeEndorser may generally bined device-attribute map from all the data sources consisting of apply to 5 additional AHOs drawn from platform documentation and 100 device-types and 510 device-attribute pairs. Of these, we identi- prior work, as these AHOs may be endorsed using policies composed fied 41 endorsement attributes, i.e., read-only or designated device- of ≈ 5 device attributes on average (RQ2 ). We then deploy 11 devices attributes. Two authors then independently identified the inferences (7 real, 4 virtual) in a real home, and perform a case study wherein that could be drawn from these endorsement attributes to endorse we assume that the attacker’s goal is to disable the security camera changes in one or more of our 6 AHOs. When identifying inferences, by tampering with state variables that the camera depends on. Our the coders disagreed on 12 out of the 510 device-attribute pairs (2.4% experiments demonstrate that HomeEndorser correctly endorses the disagreement rate), which were resolved through mutual discussion. two AHOs that can be tampered with to disable the camera, thus The inferences specified for these endorsement attributes led to 1023 demonstrating its effectiveness (RQ3 ). policies for the home AHO alone. Note that the generation of the We perform 10 additional realistic scenarios obtained from (or in- device-attribute map was fully automated and directly derived from spired by) prior work [30], which represent the various logical ways platform sources, and hence, did not result in any disagreements.Our in which the user would intentionally change the AHOs endorsed data is available in our online appendix [2]. in the case study. Our evaluation demonstrates that HomeEndorser 2. Implementation on HomeAssistant: We implemented Home- correctly allows all of the intentional AHO changes, resulting in Endorser in HomeAssistant, a popular open-source smart home no false denials (RQ4 ). We also measure the performance overhead platform, for two main reasons: (1) the availability of source code, incurred by HomeEndorser’s hooks using macro and microbench- and (2) the centralized execution of automation and state changes. marks, demonstrating practical performance overheads (RQ5 ). Similar to the platform state machine described in Section 4.2, Home- Finally, we evaluate the effort required to configure HomeEn- Assistant has a state machine component that saves and updates all dorser and integrate it into other platforms. Particularly, we demon- the devices and their states within HomeAssistant. In fact, all state strate that policy specification is a feasible, one-time effort per- changes to the devices occur through the state machine. HomeEn- formed by security experts, and HomeEndorser automatically in- dorser modifies this state machine to keep track of the most recent stantiates policies in the context of the user’s home (i.e., as described
Front door (i.e., the door lock being unlocked, the garage door opened, and the Aotec Door security panel disarmed). As a result, even if the user had one of Sensor August DoorLock these 3 devices, they would be able to endorse home; the remaining Closet 7 devices would only make the endorsement stronger. Further, even Hallway Virtual Devices: if we include the policies that only have only 1 of these 3 device- Security Panel Hue attribute pairs (and other device-attributes), we get a total of 255 Presence Sensor Motion/Illumin- Blink Beacon Sensor ance/Temperature Camera Wemo policies. For example, as shown in Table 2, a user who has a door Thermostat Sensor Switch lock and motion sensor, or another who has a security panel, or another who has a garage doorlock and a presence sensor, would all Hue Lamp Google Home be able to endorse home using HomeEndorser. This demonstrates Figure 5: Layout of the physical device placement that our approach is feasible, i.e., we can define a large number Table 2: Sample policies for endorsing home AHO (“away”→“home”) of diverse policies for an AHO (i.e., home), using a limited set Policy (location independent) of endorsement attributes, and hence, support a diverse array of 1 ∧ 2 ∧ ∧ device-deployment scenarios (RQ1 ). 3 ∧ 4 ∧ 6.2 Generalizability of the Policy Model (RQ2 ) in Sec. 4.3), drastically minimizing user effort. Moreover, we distill To demonstrate the generalizability of our policy model, we con- the key properties that a platform would need to exhibit in order to sider 5 additional AHOs (i.e., security_state, fire, water integrate HomeEndorser, qualitatively analyze 4 popular smart home leak, illuminance, and safety_state). For each AHO, we platforms, and demonstrate that it is feasible to integrate HomeEn- identified endorsement attributes from the device-attribute map and dorser with modest engineering effort (RQ6 ). then generated inferences using the process described in Section 4.3. Experimental Setup: We integrated HomeEndorser into HomeAs- Our process resulted in 41 inferences (cumulatively) that would sistant (v0.112.0.dev0), running on a Macbook Pro machine with be useful for endorsement, with each AHOs being endorsed using 16GB of RAM. Further, we connected 7 smart home devices to our at least 3 device-attributes (examples provided in Table 1 in Sec- smart home, and created 4 other virtual devices (see Table 5 in Ap- tion 4.3). This demonstrates that our approach is generalizable to pendix A for full list). Our choice of devices was limited by devices AHOs other than home, i.e., similar policies are feasible for 5 other compatible with HomeAssistant, with a bias towards known/popu- AHOs, as demonstrated by the substantial availability of applicable lar brands, as well as device types that would allow us to evaluate and trusted device-attributes (RQ2 ). HomeEndorser’s endorsement policies. We installed these devices in a room as shown in Figure 5, influenced by effective deployment 6.3 Case Study: Protecting the Security Camera recommendations from prior work [30]. To elaborate, we placed the from Privilege Escalation (RQ3 ) August door lock and the Aotec door sensor on the main door, and HomeEndorser enables the following guarantee: given the attacker’s the motion sensor in the hallway directly past the door. The motion goal to tamper with a high-integrity device that they cannot di- sensor was placed such that it would not be triggered by the opening rectly access (e.g., a security camera), HomeEndorser’s endorsement or closing of the door but would be triggered if someone walked checks prevent the attacker from affecting malicious changes to any down the hallway to get into the room. The Blink camera was placed AHO that the aforementioned device depends on. We demonstrate inside the room. We interacted with the real devices physically and HomeEndorser’s effectiveness, with respect to the guarantee, using with the virtual devices through the HomeAssistant UI. the attack described in the motivating example (Section 2.1). As the camera depends on both the home and security_state AHOs, 6.1 Feasibility of the Policy Model (RQ1 ) we experimentally demonstrate HomeEndorser’s effectiveness at We do not expect users to possess all possible device-combinations preventing malicious modifications to both, using two scenarios: that may endorse a specific AHO. Instead, our approach must enable Malicious Scenario 1 – Bob modifies home: We deploy a mali- the specification of a large and diverse set of candidate policies (i.e., cious third-party service controlled by the attacker, Bob. We assume templates), to increase the possibility of finding at least one policy that Alice has granted to the service the permission (i.e., a REST API that contains the limited set of devices the user may possess. Thus, token) to write to the home AHO. When Alice is out of the home, our approach would be feasible if such a set of policies is possible, Bob writes to the value “home” to home, to disable the camera. given the small number of trusted endorsement attributes. Without HomeEndorser, the home AHO will change, allowing Bob Using the approach specified in Section4.3, we were able to to remotely disable the security camera; however, we consider that specify 1023 unique policies for endorsing the home AHO (i.e., the Alice uses HomeEndorser with the policy home1 (home) enabled: change from “away” to “home”), consisting of 5 device-attributes on home1 (home) = (door-lock_lock == UNLOCKED ∧ average, with the largest containing 10. Table 2 contains 5 example motion_sensor == ACTIVE) − policies generated using HomeEndorser (our online appendix [2] provides the full list). These policies were constructed from 10 Thus, when Bob writes to home, the policy home1 (home) is checked device-attribute pairs that provide some inference for the home as follows: HomeEndorser queries the state machine, and obtains AHO change, of which 3 provide particularly strong endorsement the most recent change in the state of the door lock as well as the of the user entering the home, as they denote authenticated entry entryway motion detector. Since the door lock was not unlocked, and
the motion detector has also not detected motion recently, the policy However, she gets a call from her office and leaves immediately returns a DENY decision, and Bob’s access is denied, preventing without entering the house, accidentally also leaving the door open the attack. It is also important to note that Bob could attempt to in the process. Regardless, Alice’s home/away service accidentally circumvent HomeEndorser’s policy by satisfying one of the two requests the home AHO to change to “home” (i.e., even when Alice conditions in it, e.g., by sliding a thin object (e.g., a card) through has actually left), which would disable the camera and leave the the door to trigger the motion sensor; however, the conjunction home in an unmonitored state. among device-attributes prevents this attack variation. In response to the request, HomeEndorser gathers the recent states Malicious Scenario 2 – Bob modifies security_state: We of the devices to check against the active policy (i.e., home2 (home)). deploy a malicious third-party service controlled by Bob, to which The policy constraints are partially satisfied, as the door lock was Alice has granted the permission to write to the security_state recently manually unlocked, and the door sensor’s state changed AHO. Bob will attempt to set the security_state to “ok” (as to “open”. However, as Alice did not enter, the motion sensor did opposed to “deter”), which will trigger a routine that turns off the not detect any motion, and the policy results in a correct denial, camera. Without HomeEndorser, the security_state state will preventing an unsafe situation in which the camera is turned off successfully change, allowing Bob to disable the camera; how- while the home is vulnerable (i.e., the door is unlocked). That is, HomeEndorser’s composite policy design leverages additional de- ever, we consider that Alice uses HomeEndorser with the policy vices such as the motion detector to provide stronger endorsement, security_state1 (ok) enabled: and hence, is useful for preventing accidental but unsafe changes. security_state1 (ok) = (security-panel == DISARMED ∧ motion_sensor == ACTIVE) − Scenario 3 – A home without a smart door lock: Alice does not When Bob writes to security_state, security_state1 (ok) possess a smart door lock, but enables the following policy based on is checked. Since the security panel wasn’t disarmed and the motion the devices in her home: sensor wasn’t active recently, the policy returns a DENY decision, home3 (home) = (presence_sensor == ACTIVE ∧ preventing the attack. To summarize, HomeEndorser successfully motion_sensor == ACTIVE) − endorses both of the AHOs on the transitive attack path to the secu- Alice comes home and enters through the front door, triggering the rity camera, thereby preventing Bob from disabling the camera via a motion sensor and the presence sensor in the hallway . At the same lateral privilege escalation. time, her service requests a change to home. In response, HomeEn- dorser gathers the recent device states to check against the active 6.4 Endorsing Intentional State Changes (RQ4 ) policy, home3 (home). Since both the sensors were recently active, the We experimentally evaluate the behavior of HomeEndorser when policy is satisfied and the state change is correctly allowed. That is, users intentionally request state changes. Users may themselves HomeEndorser’s policy structure enables us to specify a variety of choose to change AHOs (e.g., by manually selecting home mode in endorsement policies containing a diverse array of devices, which their platform mobile app after getting home), or by using a third- supports several home configurations, and prevents false denials due party service that automatically requests appropriate state changes to the absence of certain devices. based on the user’s location (e.g., when the user arrives home). We derive a set of 10 realistic user behavior scenarios from prior Scenario 4 – Disarming the security panel and entering: In this work [30] to use as our benign examples, and enact those scenar- scenario, Alice returns home and inputs the key-code in the security ios in our apartment testbed. Note that HomeEndorser can provide panel near the door, disarming the home. She then enters the home endorsement policies to endorse all 10 scenarios, even when they triggering the motion sensor. At the same time, a home security contain a diverse array of devices, as previously demonstrated in Sec- service requests change to the security_state object on Alice’s tion 6.1. Due to space constraints, we summarize 5/10 scenarios that behalf, from “deter” to “ok”, which if allowed, would disable the are exemplary of HomeEndorser’s decisions in response to benign security camera, as well as any other security devices (e.g., alarms). user behavior, with the rest available in Table 6 in Appendix B. HomeEndorser gathers the recent states of the devices to check against the active policy, security_state1 (ok) (provided previously Scenario 1 – Entering the house: Alice returns home, unlocks in Section 6.3). Since the security panel was manually disarmed and the front door lock and opens the door. She then closes the door the motion sensor was active recently as well, the policy is satisfied and enters, triggering the motion sensor near the door. Around the and the state change is correctly allowed. same time, her home/away tracker service requests a state change from away to home using REST API. In response to the request, Scenario 5 – Direct state change request: Alice returns home, and HomeEndorser gathers the recent states of the devices to check manually changes the home AHO to “home” using the HomeAs- against the active policy (i.e., home2 (home)). sistant dashboard. HomeEndorser identifies that the request was not made through the REST API, and correctly allows it without home2 (home) = (door-lock_lock == UNLOCKED ∧ checking the policy, thereby honoring the user’s explicit intent. motion_sensor == ACTIVE ∧ door_sensor == ACTIVE) − Our evaluation demonstrates that HomeEndorser does not cause Since the door lock was manually unlocked and the sensors were false denials under benign behavior. That is, it generally does not active recently, the policy is satisfied and HomeEndorser allows the deny state changes intended by the user, and when it does, its de- change, as Alice intended. nials prevent accidental and harmful state changes by users (i.e., Scenario 2 – Unlocking the house, and then leaving: Alice returns and hence, are correct) (RQ4 ). We further observed that in several home and opens the front door after unlocking the front door lock. cases, by the time the endorsement was requested (i.e., time of REST
You can also read
