Earlence Fernandes

Security Analysis of Emerging Smart Home Applications

Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such emerging smart home programming platform. We analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks. SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform. Our key findings are twofold. First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps. Our analysis reveals that over 55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes. We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes, (2) stole existing door lock codes, (3) disabled vacation mode of the home, and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks.

CRêPE: A System for Enforcing Fine-Grained Context-Related Policies on Android

Current smartphone systems allow the user to use only marginally contextual information to specify the behavior of the applications: this hinders the wide adoption of this technology to its full potential. In this paper, we fill this gap by proposing CRêPE, a fine-grained Context-Related Policy Enforcement System for Android. While the concept of context-related access control is not new, this is the first work that brings this concept into the smartphone environment. In particular, in our work, a context can be defined by: the status of variables sensed by physical (low level) sensors, like time and location; additional processing on these data via software (high level) sensors; or particular interactions with the users or third parties. CRêPE allows context-related policies to be set (even at runtime) by both the user and authorized third parties locally (via an application) or remotely (via SMS, MMS, Bluetooth, and QR-code). A thorough set of experiments shows that our full implementation of CRêPE has a negligible overhead in terms of energy consumption, time, and storage, making our system ready for a production environment.

MOSES: supporting operation modes on smartphones

Smartphones are very effective tools for increasing the productivity of business users. With their increasing computational power and storage capacity, smartphones allow end users to perform several tasks and be always updated while on the move. As a consequence, end users require that their personal smartphones are connected to their work IT infrastructure. Companies are willing to support employee-owned smartphones because of the increase in productivity of their employees. However, smartphone security mechanisms have been discovered to offer very limited protection against malicious applications that can leak data stored on them. This poses a serious threat to sensitive corporate data. In this paper we present MOSES, a policy-based framework for enforcing software isolation of applications and data on the Android platform. In MOSES, it is possible to define distinct security profiles within a single smartphone. Each security profile is associated with a set of policies that control the access to applications and data. One of the main characteristics of MOSES is the dynamic switching from one security profile to another.

MOSES: Supporting and Enforcing Security Profiles on Smartphones

Smartphones are very effective tools for increasing the productivity of business users. With their increasing computational power and storage capacity, smartphones allow end users to perform several tasks and be always updated while on the move. Companies are willing to support employee-owned smartphones because of the increase in productivity of their employees. However, security concerns about data sharing, leakage and loss have hindered the adoption of smartphones for corporate use. In this paper we present MOSES, a policy-based framework for enforcing software isolation of applications and data on the Android platform. In MOSES, it is possible to define distinct Security Profiles within a single smartphone. Each security profile is associated with a set of policies that control the access to applications and data. Profiles are not predefined or hardcoded, they can be specified and applied at any time. One of the main characteristics of MOSES is the dynamic switching from one security profile to another. We run a thorough set of experiments using our full implementation of MOSES. The results of the experiments confirm the feasibility of our proposal.

FM 99.9, Radio Virus: Exploiting FM Radio Broadcasts for Malware Deployment

Many modern smartphones and car radios are shipped with embedded FM radio receiver chips. The number of devices with similar chips could grow very significantly if the U.S. Congress decides to make their inclusion mandatory in any portable device as suggested by organizations such as the RIAA. While the main goal of embedding these chips is to provide access to traditional FM radio stations, a side effect is the availability of a data channel, the FM Radio Data System (RDS), which connects all these devices. Different from other existing IP-based data channels among portable devices, this new one is open, broadcast in nature, and so far completely ignored by security providers. This paper illustrates for the first time how to exploit the FM RDS protocol as an attack vector to deploy malware that, when executed, gains full control of the victims device. We show how this attack vector allows the adversary to deploy malware on different platforms. Furthermore, we have shown the infection is undetected on devices running the Android OS, since malware detection solutions are limited in their ability due to some features of the Android security model. We support our claims by implementing an attack using RDS on different devices available on the market (smartphones, car radios, and tablets) running three different versions of Android OS. We also provide suggestions on how to limit the threat posed by this new attack vector and explain what are the design choices that make Android vulnerable. However, there are no straightforward solutions. Therefore, we also wish to draw the attention of the security community towards these attacks and initiate more research into countermeasures.

Android UI Deception Revisited: Attacks and Defenses

App-based deception attacks are increasingly a problem on mobile devices and they are used to steal passwords, credit card numbers, text messages, etc. Current versions of Android are susceptible to these attacks. Recently, Bianchi et al. proposed a novel solution “What the App is That” that included a host-based system to identify apps to users via a security indicator and help assure them that their input goes to the identified apps [7]. Unfortunately, we found that the solution has a significant side channel vulnerability as well as susceptibility to clickjacking that allow non-privileged malware to completely compromise the defenses, and successfully steal passwords or other keyboard input. We discuss the vulnerabilities found, propose possible defenses, and then evaluate the defenses against different types of UI deception attacks.

Demonstrating the effectiveness of MOSES for separation of execution modes

In this paper, we describe a demo of a light virtualisation solution for Android phones. We named our solution MOSES (MOde-of-uses SEcurity Separation). MOSES is a policy-based framework for enforcing software isolation of applications and data. In MOSES, it is possible to define distinct security profiles within a single smartphone. Each security profile is associated with a set of policies that control the access to applications and data. One of the main characteristics of MOSES is the dynamic switching from one security profile to another. Each profile is associated with a context as well. Through the smartphones sensors, MOSES is able to detect changes in context and to dynamically switch to the security profile associated with the current context. Our current implementation of MOSES shows minimal overhead compared to standard Android in terms of latencies and battery consumption.

Internet of Things Security Research: A Rehash of Old Ideas or New Intellectual Challenges?

The Internet of Things (IoT) is a new computing paradigm that spans wearable devices, homes, hospitals, cities, transportation, and critical infrastructure. Building security into this new computing paradigm is a major technical challenge. What IoT security problems can we solve using existing security principles? And, what new problems and challenges in this space will require new security mechanisms?

The Confinement Problem: 40 Years Later

The confinement problem was first noted four decades ago. Since then, a huge amount of efforts have been spent on defining and mitigating the problem. The evolution of technologies from traditional operating systems to mobile and cloud computing brings about new security challenges. It is perhaps timely that we review the work that has been done. We discuss the foundational principles from classical works, as well as the efforts towards solving the confinement problem in three domains: operating systems, mobile computing, and cloud computing. While common issues exist across all three domains, unique challenges arise for each of them, which we discuss.

Heimdall: A Privacy-Respecting Implicit Preference Collection Framework

Many of the everyday decisions a user makes rely on the suggestions of online recommendation systems. These systems amass implicit (e.g.,location, purchase history, browsing history) and explicit (e.g.,reviews, ratings) feedback from multiple users, produce a general consensus, and provide suggestions based on that consensus. However, due to privacy concerns, users are uncomfortable with implicit data collection, thus requiring recommendation systems to be overly dependent on explicit feedback. Unfortunately, users do not frequently provide explicit feedback. This hampers the ability of recommendation systems to provide high-quality suggestions. We introduce Heimdall, the first privacy-respecting implicit preference collection framework that enables recommendation systems to extract user preferences from their activities in a privacy respecting manner. The key insight is to enable recommendation systems to run a collector on a users device and precisely control the information a collector transmits to the recommendation system back-end. Heimdall introduces immutable blobs as a mechanism to guarantee this property. We implemented Heimdall on the Android platform and wrote three example collectors to enhance recommendation systems with implicit feedback. Our performance results suggest that the overhead of immutable blobs is minimal, and a user study of 166 participants indicates that privacy concerns are significantly less when collectors record only specific information--a property that Heimdall enables.