A case study of the security vetting process of smart-home assistant applications

Hang Hu, Limin Yang, Shihan Lin, Gang Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The popularity of smart-home assistant systems such as Amazon Alexa and Google Home leads to a booming third-party application market (over 70,000 applications across the two stores). While existing works have revealed security issues in these systems, it is not well understood how to help application developers enforce security requirements. In this paper, we perform a preliminary case study to examine the security vetting mechanisms adopted by the Amazon Alexa and Google Home app stores. With a focus on the authentication mechanisms between the Alexa/Google cloud and third-party application servers (i.e., endpoints), we show that the current security vetting is insufficient, as developers' mistakes cannot be effectively detected and notified. A weak authentication would allow attackers to spoof the cloud to insert/retrieve data into/from the application endpoints. We validate the attack through ethical proof-of-concept experiments. To confirm that vulnerable applications have indeed passed the security vetting and entered the markets, we develop a heuristic-based searching method. We find 219 real-world Alexa endpoints that carry the vulnerability, many of which are related to critical applications that control smart home devices and electronic cars. We have notified Amazon and Google about our findings and offered our suggestions to mitigate the issue.

Original language: English (US)
Title of host publication: Proceedings - 2020 IEEE Symposium on Security and Privacy Workshops, SPW 2020
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 76-81
Number of pages: 6
ISBN (Electronic): 9781728193465
DOIs
State: Published - May 2020
Event: 2020 IEEE Symposium on Security and Privacy Workshops, SPW 2020 - Virtual, San Francisco, United States
Duration: May 21 2020 → …

Publication series

Name: Proceedings - 2020 IEEE Symposium on Security and Privacy Workshops, SPW 2020

Conference

Conference: 2020 IEEE Symposium on Security and Privacy Workshops, SPW 2020
Country/Territory: United States
City: Virtual, San Francisco
Period: 5/21/20 → …

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Networks and Communications
  • Civil and Structural Engineering
  • Safety, Risk, Reliability and Quality
  • Analysis
