The document presents a threat model for extensible smart home gateways. It outlines 11 potential threats from malicious plugins, divided into categories of confidentiality, integrity, availability, authentication, and authorization. It describes a reference smart home architecture and potential attack targets. Two proofs-of-concept malicious plugins are developed that exploit threats by accessing private data, altering device states and functionality, and interacting anonymously on the network. The model aims to help programmers evaluate plugin security and guide the development of more reliable smart home systems.
1. A Threat Model for Extensible
Smart Home Gateways
Fulvio CORNO and Luca MANNELLA
e-Lite research group
Department of Control and Computer Engineering
Politecnico di Torino, Turin, Italy
7th International Conference On Smart and Sustainable Technologies
Split, July 6, 2022
2. OUTLINE
• Introduction
• Reference Smart Home Architecture
• Proposed Threat Model
• Use Case & Proofs of Concept
• Conclusions & Future Work
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 2
3. INTRODUCTION
• Smart Home (SH) systems are in a dangerous situation
• At least 40% houses have an IoT device (70% in the USA)
• In 62% of involved houses, at least one device has a known vulnerability
• A compromised device could affect other SH devices
• To manage them, Smart Home gateways are often involved
• Such solutions are often extensible (EvenGhost, Home Assistant, OpenHAB, Pimatic, etc.)
• Extending something developed by a third-party is never an easy task
• Therefore, a compromised IoT gateway in a SH is particularly critical
• Goal: supporting programmers during development (or evaluation) of plug-ins for SH gateways
• Proposing a threat model with a twofold purpose
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 3
6. 2022-07-05
SpliTech 2022 — Fulvio Corno and Luca Mannella 11
• The gateway OS
• The smart home gateway application
• Other plug-ins
• Other applications running on the gateway
• A device belonging to the smart home
POSSIBLE
ATTACK TARGETS
7. A THREAT MODEL FOR
EXTENSIBLE SMART HOME GATEWAYS
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 12
8. THREAT MODEL INTRODUCTION
• The 11 threats are labeled with the letter “T” and a digit
• The model considers menaces originated from a plug-in
• Plug-in scope:
• Set of variables, files, or resources that the plug-in can legitimately access
• Accessed resources must be declared in plug-in documentation
• Resources must be accessed through the modalities envisaged by the platform (e.g., API)
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 13
9. THREATS DIVIDED BY CATEGORIES
• Confidentiality
• T1: a plug-in could access and use private data of other attack targets
• T2: a plug-in could access and spread private data of other attack targets
• Integrity
• T3: a plug-in could alter the state of other smart home devices outside its scope
• T4: a plug-in could alter private data of other attack targets outside its scope
• Availability
• T5: a plug-in could delay the regular functionality of an attack target
• T6: a plug-in could alter one of the regular functionalities of an attack target
• T7: a plug-in could alter the regular functionality of an attack target, preventing the users from using it
• T8: a plug-in could physically damage an attack target
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 14
10. THREATS DIVIDED BY CATEGORIES
• Authentication
• T9: a plug-in could interact with an attack target, pretending to be a different entity
• Authorization
• T10: a plug-in could access an authorization level higher than expected
• Non-Repudiation
• T11: a plug-in could anonymously communicate with an attack target
(i.e., there is no way to know that the plug-in establishes a specific communication).
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 15
11. USE CASE
& PROOFS OF CONCEPT
SpliTech 2022 — Fulvio Corno and Luca Mannella 2022-07-06 16
12. USE CASE
• Home Assistant (HAss) — https://www.home-assistant.io/
• A Python-based open-source smart home gateway software
• Developed since 2013 and released in 2016
• More than 150.000 active installations (estimated to be four-fold)
• Four different types of release (additional features with respect to core version)
• Extensible through two different kind of plug-ins: integrations and add-ons
• Focus on Integrations — https://www.home-assistant.io/integrations
• Available in all Home Assistant releases
• Closer to “traditional” plug-in concept
• Deeply integrated in Hass
• Impacting only other integrations
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 17
13. DEVELOPED PROOFS OF CONCEPT
• One target integration: switch_target
• Two states: on & off
• Contains a secret value
• It should be accessible
only by the integration itself
• Note: open source and available on GitHub
https://github.com/Sarcares/HAss-TM-Integrations
• Two malicious integrations
• light_simple_access
• light_altering_state
• Integrations designed for managing lights
• Two states: on & off
• A brightness value
• With additional malicious side-effects
• Both integrations retrieve a reference to the
switch_target through the Python’s
Garbage Collector
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 18
14. DEVELOPED PROOFS OF CONCEPT
• Two malicious integrations
• light_simple_access
• light_altering_state
• Integrations designed for managing lights
• Two states: on & off
• A brightness value
• With additional malicious side-effects
• Both integrations retrieve a reference to the
switch_target through the Python’s
Garbage Collector
2022-07-06 19
Threat Category Threat Exploited
Confidentiality T1 ✔️
T2 ✔️
Integrity T3 ✔️
T4 ✔️
Availability T5 ❌
T6 ✔️
T7 ✔️
T8 ❌
Authentication T9 ✔️
Authorization T10 ❌
Non-Repudiation T11 ✔️
15. LIGHT_SIMPLE_ACCESS
• Access and retrieve the secret from the switch_target
• This could lead to T1 or T2 according to malicious developer’s behavior
• Confidentiality: “a plug-in could access and use/spread private data of other attack targets”
When the light is turned on
• Modify the secret stored in the switch_target
• T4 (integrity): altering private data
• T6 (availability): altering one of the regular functionalities
When the light is turned off
2022-07-05
SpliTech 2022 — Fulvio Corno and Luca Mannella 21
16. LIGHT_ALTERING_STATE
• Malicious effect triggered every time a user turns on or off this light
• The state of switch_target is toggled
• T3: (integrity) alter the state of the switch_target
• T7: (integrity) alter the regular functionality: the user partially lose control over the switch_target
• T9: (authentication) interacting with the switch_target as the original integration
• T11: (non-repudiation) it interacts anonymously with the switch_target
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 22
18. CONCLUSIONS
• Purposes of the proposed threat model
• Understand security issues in plug-ins
• helping programmers think about possible countermeasures
• Set of guidelines
• plug-ins should not act like the reported threats
• Exploited some threats through a couple of proofs of concept
• Suggestions for Home Assistant:
• More isolation among its components
• Introducing a permission system (T10)
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 24
19. FUTURE WORK
• Creating proofs of concept addressing other attack targets
• Analyzing publicly available Home Assistant plug-ins looking for the presented threats
• Can developers accidentally fall into the presented issues?
• Provide best practices and/or tools for developing more reliable smart home systems
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 25
20. THANK YOU FOR YOUR KIND ATTENTION!
ANY QUESTIONS?
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 26
fulvio.corno@polito.it luca.mannella@polito.it
21. 1. D. Kumar, et al., “All Things Considered: An Analysis of IoT Devices on Home Networks,”
in 28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 1169–1185.
2. K. Kafle, et al., “Security in Centralized Data Store-based Home Automation Platforms: A Systematic
Analysis of Nest and Hue,”
ACM Trans. on Cyber-Phys. Syst., vol. 5, no. 1, jan 2021.
3. F. Pub, “Standards for Security Categorization of Federal Information and Information Systems,”
NIST FIPS, vol. 199, 2004.
4. U.S. Congress, “Federal Information Security Modernization Act of 2014,”
Public Law, pp. 113–283, 2014.
5. H. Kim and E. A. Lee, “Authentication and Authorization for the Internet of Things,”
IT Professional, vol. 19, no. 5, pp. 27–33, 2017.
6. https://analytics.home-assistant.io/
7. https://www.home-assistant.io/blog/2021/11/12/100k-analytics/
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 27
REFERENCES
22. LICENSE
• These slides are distributed under a Creative Commons license
“Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)”
• You are free to:
• Share — copy and redistribute the material in any medium or format
• Adapt — remix, transform, and build upon the material
• The licensor cannot revoke these freedoms as long as you follow the license terms.
• Under the following terms:
• Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made.
You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
• NonCommercial — You may not use the material for commercial purposes.
• ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
• No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
• https://creativecommons.org/licenses/by-nc-sa/4.0/
2022-07-06
SpliTech 2022 — Fulvio Corno and Luca Mannella 28