Security Implications of Permission Models in Smart-Home Application Frameworks

IEEE Software magazine via InfoQ:  Analysis of a popular programming framework reveals that many smart-home apps are automatically overprivileged, leaving users at risk for remote attacks that can cause physical, financial, and psychological harm.

Smart-home technology has evolved beyond basic convenience functionality, such as automatically controlled lights and door openers, to provide tangible benefits. For instance, water flow sensors and smart meters facilitate energy efficiency. IP-enabled cameras, motion sensors, and connected door locks offer better control of home security. However, attackers can manipulate smart devices to cause users physical, financial, and psychological harm. For example, burglars can target a connected door lock to plant hidden access codes1.

Early smart-home systems had steep learning curves and complicated device setup procedures and thus were limited to do-it-yourself enthusiasts. (Many forums exist for people to exchange know-how, such as this one.) Recently, several companies introduced cloud-backed systems that are easier for users to set up and that provide a programming framework for third-party developers to build smart-home apps. Examples of such frameworks are Samsung's SmartThings, Apple's HomeKit, Vera Control's Vera3, Google's Weave/ Brillo, and AllSeen Alliance's AllJoyn (including Qualcomm, Microsoft , LG, Cisco, and AT&T).

We consider the security implications of a key component of such smart-home programming frameworks: their permission models. These models limit the risk third-party apps pose to users and their devices. We first survey the permission models of Apple HomeKit, IoTivity, AllJoyn, and SmartThings, then discuss results from a deep-dive analysis of the SmartTh ings framework2.  Full Article:

Comments (0)

This post does not have any comments. Be the first to leave a comment below.


Post A Comment

You must be logged in before you can post a comment. Login now.

Featured Product

Platinum Tools - ezEX-RJ45 Termination & Test Kit

Platinum Tools - ezEX-RJ45 Termination & Test Kit

The new EXOtm Crimp Frame and ezEX-RJ45® Connectors provide the solution for terminating larger diameter Cat6/6A twisted-pair cables. Made in USA. • Conductor sizes up to .048", • Die sets for EZ-RJ45 & ezEX-RJ45 connectors • Feed-through EZ-RJ45 design verifies EIA568A/B wiring • One-step to crimp and flush cut/trim EZ-RJ45 conductor