On the privacy risks of compromised trigger-action platforms

Yu Hsi Chiang*, Hsu Chun Hsiao, Chia Mu Yu, Tiffany Hyun Jin Kim


Research output: Conference contribution, peer-reviewed

2 Citations (Scopus)


Trigger-action platforms empower users to interconnect various physical devices and online services with custom automation. While providing convenience, their centralized design raises privacy concerns for end users. Unlike prior work that considers privacy leakage to action services, we consider privacy leakage to compromised platforms. After investigating potential privacy exposure to a popular trigger-action platform, IFTTT, we identified three types of leakages: event data, trigger event presence, and device possession. We also found that 91% of the top 500 triggers on IFTTT potentially leak sensitive information to the platform, and 25% leak implicitly. To achieve the paradoxical goal of hiding the event data and presence while asking the platform to trigger corresponding actions when an event occurs, we propose Obfuscated Trigger-Action Platform (OTAP) and Anonymous Trigger-Action Platform (ATAP). ATAP additionally provides device set confidentiality at the cost of minor platform modification. Our schemes can preserve user privacy without sacrificing convenience, and are incrementally deployable in various use cases. Our work addresses a crucial missing piece in securing the trigger-action ecosystem, and can be integrated with solutions that ensure integrity against untrusted platforms or solutions that address untrusted vendor services and users.

Title of host publication: Computer Security – ESORICS 2020 - 25th European Symposium on Research in Computer Security, ESORICS 2020, Proceedings
Editors: Liqun Chen, Steve Schneider, Ninghui Li, Kaitai Liang
Publisher: Springer Science and Business Media Deutschland GmbH
Publication status: Published - 2020
Event: 25th European Symposium on Research in Computer Security, ESORICS 2020 - Guildford, United Kingdom
Duration: 14 Sep 2020 to 18 Sep 2020


Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
12309 LNCS


Conference: 25th European Symposium on Research in Computer Security, ESORICS 2020
Country/Territory: United Kingdom

