TY - GEN
T1 - How risky are real users' IFTTT applets?
AU - Cobb, Camille
AU - Surbatovich, Milijana
AU - Kawakami, Anna
AU - Sharif, Mahmood
AU - Bauer, Lujo
AU - Das, Anupam
AU - Jia, Limin
N1 - Funding Information:
This work was supported in part by gifts from Google and the CyLab Security and Privacy Institute at Carnegie Mellon University; by a CyLab Presidential Fellowship and a Symantec Research Lab fellowship; and by DARPA and the Air Force Research Laboratory under agreement number FA8750-15-2-0277.
Publisher Copyright:
© 2020 by The USENIX Association.
PY - 2020
Y1 - 2020
N2 - Smart-home devices are becoming increasingly ubiquitous and interconnected with other devices and services, such as phones, fitness trackers, cars, and social media accounts. Built-in connections between these services are still emerging, but end-user-programming tools such as If-This-Then-That (IFTTT) have existed for almost a decade, allowing users to create rules (called applets in IFTTT) that dictate interactions between devices and services. Previous work found potential secrecy or integrity violations in many applets, but did so without examining how individual users interact with the service. In this work, we study the risks of real-world use of IFTTT by collecting and analyzing 732 applets installed by 28 participants and participants' responses to several survey questions. We found that significantly fewer applets than previously thought pose realistic secrecy or integrity risks to the users who install them. Consistent with this finding, participants were generally not concerned about potential harms, even when these were explained to them. However, examining participants' applets led us to identify several new types of privacy risks, which challenge some assumptions inherent in previous analyses that focus on secrecy and integrity risks. For example, we found that many applets involve monitoring incidental users: family, friends, and neighbors who may interact with someone else's smart-home devices, possibly without realizing it. We discuss what our findings imply for automatically identifying potentially harmful applets.
UR - http://www.scopus.com/inward/record.url?scp=85091848375&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85091848375&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85091848375
T3 - Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020
SP - 505
EP - 529
BT - Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020
PB - USENIX Association
T2 - 16th Symposium on Usable Privacy and Security, SOUPS 2020
Y2 - 10 August 2020 through 11 August 2020
ER -