Smart Home Apps: Detecting Potential Data Leaks Before Danger Strikes
By Clara Wong
Only half a century ago, the concept of automated homes was creative fodder for Hollywood sci-fi screenwriters. Fast forward to 2019 and the technology is now a reality. It’s called the Internet of Things (IoT) and it empowers homeowners to remotely control everything from draperies to door locks – right from their smartphones.
Yet, amid the benefits of an ultra-connected lifestyle, fear is rising over potential security and privacy breaches. In one CBC Marketplace investigation, it took only three hackers, a parked van and a phishing email to unlock the doors of one Oakville smart home – a risky trade-off for the convenience and flexibility of transmitting personalized information over the Internet.
Ryerson Computer Science Masters student Bara’ Nazzal has been studying IoT security since 2018 and he’s feeling concerned: “When technology becomes trendy, everyone gets on board without sufficient consideration for users and the impacts on them.”
Current IoT security efforts often focus on operating systems embedded within smart-enabled appliances or on the networks over which data is transmitted. Nazzal, along with fellow researcher Florian Schmeidl and supervisor Dr. Manar Alalfi, are concentrating on a third area: the written programming of smart home apps on mobile devices.
Optimized Security Analysis Tool
During their research, Nazzal and his colleagues reviewed available literature in their field. The results were worrisome. They found an abundance of poor source code and a notable lack of secure programming standards.
“Past papers reveal many bad practices,” Nazzal explains. “Even the simplest of apparently ‘well-written’ programs with the most basic functionality have potential for vulnerabilities. So, our goal is to help developers write code in a safer way.”
In an effort to support the establishment of best practices, Nazzal and his colleagues created Taint-Things, an IoT security analysis tool. Programmers and security auditors can upload source code, and the tool automatically detects potential data leaks. They singled out Samsung’s SmartThings system as their subject.
“Our tool doesn’t measure the likelihood of a data leak happening,” Nazzal explains, “but if there’s going to be a breach, we can show them exactly where, and that it will happen because of this or that part of the program.”
It’s a wise first step in cleaning up faulty code – and far preferable to discovering problems only after damage has been done.
4x Improved Performance
Taint-Things uses static analysis to identify tainted data flows – an approach that holds certain advantages over test-running an app. Rather than searching for security gaps based on how a program functions live, Taint-Things detects vulnerabilities by assessing the entirety of an app’s written source code.
The result: an automated and comprehensive view of a program’s overall security. The report reveals potentially leaky data flows by presenting the parts where they happen in the source code, the lines affected and their line numbers.
When comparing their results against SAINT, a leading tool using the same approach to detect data leaks, Taint-Things successfully identified the same tainted flows, but with significant gains: four times faster performance. The team achieved drastic reductions in processing time by computing dependency chains directly from the code through an inductive transformation paradigm.
Ongoing Efforts Continually Needed
While corporations sometimes blame IoT vulnerabilities on consumer failure to use strong passwords or security software, Nazzal points out another part of the equation: “The average consumer is not that tech savvy. So, even before they enter the picture, the people who develop the programs have a responsibility to write code safely with that in mind.”
Contemplating the risks that come with IoT’s growing popularity, Nazzal reflects: “When everything is connected and sensitive data is involved, efforts in the present will never be sufficient. The work needs to be ongoing.”
Nazzal and his colleagues recently published their findings and have made Taint-Things available for testing on SmartThings apps source code. They’re now working to extend the tool for greater precision in detecting more new data sinks and sources. They also plan to generalize the tool for more smart home platforms such as Apple’s HomeKit and possibly create an add-on for coding text editors.
“Our research adds to the work in the field. We’ve created more transparency. We’ve set out good coding standards,” Nazzal concludes. “Best practices can always be made better.”