Enhancing Security and Privacy in Augmented Collective Beings

PI: Hsu-Chun Hsiao (National Taiwan University)

Champion: Anand Rajan (Intel), Matthias Schunter (Intel)

Status Quo: 

According to a survey by Gartner, more than 20 billion devices will be installed in the environments where we live and work by 2020. As these networked devices become increasingly involved in our lives, the interaction between autonomous machines and humans grows closer and the boundary between them blurs. Thus, an adversary in cyberspace can threaten human users’ safety and privacy in the physical world.

However, securing so many devices is challenging because of their inherent diversity. The situation is made worse by the emergence of end-user programming, which allows users to specify customized interactions between IoT devices. This programming often takes the form “if trigger, then action” and is termed trigger-action programming. Once attackers compromise some vulnerable devices, they can influence or access higher-value targets by exploiting automation rules. For example, attackers may control lights and cameras after they compromise motion sensors and abuse automation rules. That is, automation rules enlarge the attack surface available to an adversary.

In this project, we would like to discuss possible attacks under trigger-action programming in IoT and propose a solution against them.

Key New Insights:

We adopt the following definition for information leakage:

Any two states that are indistinguishable to attackers should remain indistinguishable in the future. However, this definition cannot be expressed in linear temporal logic or computation tree logic, the logics that off-the-shelf model checkers can handle. In addition, current off-the-shelf model checkers cannot handle many devices and automation rules because of the state explosion problem.

To verify the information leakage property correctly, we use a cloned machine to build a product FSM and transform the problem into a reachability problem. We also exploit two characteristics of IoT to mitigate the state explosion problem. One is that not every device can influence every other device; temperature sensors, for example, probably have no relationship with surveillance cameras. The other is that not all different states trigger different rules. Combining these two observations, we can reduce the time needed for model checking.
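
The product construction and the first pruning idea can be illustrated as follows (an added example, not the project's code). The device names, rules, boolean state model and rule-firing order are assumptions made for the illustration; `presence` plays the secret and the attacker observes a single device.

```python
from collections import deque

# Constructed smart-home model (assumption, not from the project): boolean devices.
INIT = {"presence": 0, "motion": 0, "light": 0, "camera": 1, "thermo": 0, "fan": 0}
# Trigger-action rules: (trigger device, value, action device, value).
RULES = [("presence", 1, "camera", 0),   # owner home  -> camera off
         ("motion", 1, "light", 1),      # motion seen -> light on
         ("thermo", 1, "fan", 1)]        # hot         -> fan on
# Public environment inputs, applied identically to both copies.
EVENTS = [("motion", 0), ("motion", 1), ("thermo", 0), ("thermo", 1)]

def relevant(observed):
    """Devices that can influence an observed device through a rule chain."""
    keep, grew = set(observed), True
    while grew:
        grew = False
        for trig, _, act, _ in RULES:
            if act in keep and trig not in keep:
                keep.add(trig)
                grew = True
    return keep

def step(state, event, devs):
    """Apply one event, then fire each rule whose trigger holds (in order)."""
    s = dict(state)
    if event[0] in devs:
        s[event[0]] = event[1]
    for trig, tval, act, aval in RULES:
        if trig in devs and act in devs and s[trig] == tval:
            s[act] = aval
    return tuple(sorted(s.items()))

def check_leak(secret, observed, prune=True):
    """Search the product of the system and its clone, which start identical
    except for `secret`. Returns (leak found, number of state pairs explored)."""
    devs = (relevant(observed) if prune else set(INIT)) | {secret}
    a = tuple(sorted((d, INIT[d]) for d in devs))
    b = tuple(sorted((d, 1 - v if d == secret else v) for d, v in a))
    seen, queue = {(a, b)}, deque([(a, b)])
    while queue:
        a, b = queue.popleft()
        if any(dict(a)[d] != dict(b)[d] for d in observed):
            return True, len(seen)          # distinguishing pair is reachable
        for ev in EVENTS:
            nxt = (step(a, ev, devs), step(b, ev, devs))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False, len(seen)
```

In this model, observing `camera` reveals `presence`, while observing `light` does not; for the `light` query, pruning unrelated devices reduces the explored state pairs from 10 to 3.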

 (Updated in Jul, 2017)