The Problem of Over-Privilege in IoT Platforms

Seminar
Friday, February 23, 2018
11:00 AM to 12:00 PM
EER 3.640
Free and open to the public

The Internet of Things (IoT) is a connected set of physical devices (called “smart devices”), consisting of sensors and actuators, that enables a general class of cyber-physical systems such as smart homes, smart vehicles, smart buildings, smart cities, and intelligent transportation. To allow IoT systems to be managed and controlled, software platforms such as SmartThings by Samsung and IFTTT have emerged. In this talk, we systematically examine the security of such platforms. In particular, we present a systematic analysis of these platforms and of the apps that run on them for the existence of over-privilege, which can lead to unanticipated exploits. For example, on SmartThings we built exploit apps that remotely steal codes for smart door locks, remotely program new locks, and spoof alerts from safety sensors. As another example, we found that IFTTT has potentially millions of over-privileged OAuth tokens, which introduce a long-term risk if the platform is ever compromised. I discuss directions to reduce over-privilege in such systems.
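The over-privilege the abstract describes has two shapes: an app that declares a capability it never uses, and a coarse-grained capability that bundles more commands than the app needs (a lock-status app that is granted `unlock` and code management along with `lock`). The following Python is an added illustration of how a platform-side check for both shapes can be expressed; it is not code from the talk, from SmartThings, or from IFTTT. The capability bundles, the `AppManifest` type, and the three sample apps are constructed assumptions chosen to mirror the lock example in the abstract, not the platform's real capability definitions. The same set arithmetic applies unchanged to an OAuth token's granted scopes versus the scopes a user's recipes actually exercise.

```python
"""Illustrative over-privilege analysis for an IoT app platform.

Added example, not SmartThings' or IFTTT's own code. The capability model
and the app manifests below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed capability model: granting a capability grants every command in
# its bundle, whether or not the app needs it (coarse-grained privilege).
CAPABILITIES: Dict[str, Set[str]] = {
    "capability.lock": {"lock", "unlock", "setCode", "deleteCode"},
    "capability.battery": {"battery"},
    "capability.switch": {"on", "off"},
    "capability.smokeDetector": {"smoke"},
}


@dataclass(frozen=True)
class AppManifest:
    """What an app declares at install time versus what its code references."""
    name: str
    requested: Set[str]   # capabilities declared in the app's preferences
    used: Set[str]        # commands/attributes found in the app's code


def granted_commands(app: AppManifest) -> Set[str]:
    """Every command the platform hands the app, given its requested capabilities."""
    granted: Set[str] = set()
    for cap in app.requested:
        granted |= CAPABILITIES.get(cap, set())
    return granted


def unused_capabilities(app: AppManifest) -> List[str]:
    """Capabilities the app requested but never touches: pure over-privilege."""
    return sorted(c for c in app.requested if not (CAPABILITIES.get(c, set()) & app.used))


def coarse_grained_excess(app: AppManifest) -> Dict[str, List[str]]:
    """For capabilities the app does use, the bundled commands it never needs.

    This is the over-privilege the app author cannot avoid: the capability is
    required, but it carries dangerous commands along with the benign one.
    """
    excess: Dict[str, List[str]] = {}
    for cap in sorted(app.requested):
        bundle = CAPABILITIES.get(cap, set())
        if bundle & app.used and bundle - app.used:
            excess[cap] = sorted(bundle - app.used)
    return excess


def undeclared_usage(app: AppManifest) -> List[str]:
    """Commands the app references without having requested a capability for them.

    A sound platform rejects these at runtime; flagging them at review time
    catches apps that rely on a permissive runtime instead.
    """
    return sorted(app.used - granted_commands(app))


def report(app: AppManifest) -> Dict[str, object]:
    """Bundle all three findings for one app."""
    return {
        "app": app.name,
        "unused_capabilities": unused_capabilities(app),
        "coarse_grained_excess": coarse_grained_excess(app),
        "undeclared_usage": undeclared_usage(app),
    }


# Constructed sample apps (assumptions, not real marketplace apps).
BATTERY_MONITOR = AppManifest(
    name="BatteryMonitor",
    requested={"capability.lock", "capability.battery"},  # asks for lock it never uses
    used={"battery"},
)
LOCK_STATUS = AppManifest(
    name="LockStatus",
    requested={"capability.lock"},
    used={"lock"},  # only ever locks, yet is granted unlock and code management
)
SNEAKY_SWITCH = AppManifest(
    name="SneakySwitch",
    requested={"capability.switch"},
    used={"on", "unlock"},  # calls unlock without declaring capability.lock
)

if __name__ == "__main__":
    for app in (BATTERY_MONITOR, LOCK_STATUS, SNEAKY_SWITCH):
        print(report(app))
```

Run as a script to print one report per sample app. Pure over-privilege (`unused_capabilities`) is fixable by the app author; coarse-grained excess is only fixable by the platform, by splitting bundles such as `capability.lock` into finer capabilities so that reading lock state does not imply the right to unlock or to program codes.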

Speaker

Atul Prakash

Professor in Computer Science and Engineering
University of Michigan

Atul Prakash is a Professor in Computer Science and Engineering at the University of Michigan, Ann Arbor, with research interests in computer security and privacy. He received a Bachelor of Technology in Electrical Engineering from IIT Delhi, India, and a Ph.D. in Computer Science from the University of California, Berkeley. His current research focuses on the security of the Internet of Things. His recent work on the security analysis of the SmartThings cloud platform for hosting IoT apps received a Distinguished Practical Paper Award at the IEEE Symposium on Security and Privacy (2016) and also attracted press coverage. At the University of Michigan, he has served as Director of the Software Systems Lab, led the creation of the new Data Science undergraduate program, and is the recipient of the 2016-17 EECS Outstanding Achievement Award.