8. Theoretical Computer Science, Operations Research and Optimization

Securing IoT Apps with Information Flow Control

Iulia Bastys
Chalmers University of Technology, Gothenburg, Sweden

Abstract:

IoT apps enhance our (digital) lives by connecting a variety of otherwise unconnected services and devices. "Get an email every time you park your BMW with a map to where you're parked" or "Back up your iOS photos to Google Drive" are a couple of examples of such apps. The apps are freely available on IoT app platforms and anybody with an account on the platform can create and publish such apps. In this talk I will show examples of malicious apps stealthily exfiltrating private user data, such as photos or location, through what we call URL-based attacks. Our experiments reveal that the most popular IoT app platforms (IFTTT, Microsoft Power Automate, and Zapier) are susceptible to this type of attack. Next, I will introduce the attacker model for this setting, and finally I will present our framework for information flow tracking in IoT apps, which secures the apps against such URL-based attacks.