Tyche: A new permission model to defend against smart home hacks


Research team at SECDEV 2018
SECDEV Program Chair Daphne Yao, CSE alumni Earlence Fernandes and Amir Rahmati, and Prof. Atul Prakash

With the use of many integrated smart devices, an app-driven home environment is now a reality. But this young technology faces many new challenges – in particular, how users grant permission to different apps to access device operations. Prompting the user for permission to every individual operation can cause usability issues (too many approval prompts), while grouping permissions by, say, function or device can make an app too powerful and turn it into a future security or privacy risk.

To remedy this, Prof. Atul Prakash, CSE PhD student Kevin Eykholt, and CSE alumni Amir Rahmati and Earlence Fernandes have proposed Tyche, a safer app permissions system for smart homes and the Internet of Things. Their paper on this project, “Tyche: A Risk-Based Permission Model for Smart Homes,” received a Best Paper Award at the IEEE Cybersecurity Development Conference.

Currently, app permission models are inspired by smartphone operating systems – permission levels that group access to different operations by either device or by functionality. For example, in device-level grouping, an app that needs to only monitor the battery status of a door lock is also granted dangerous permissions to lock and unlock the door. In function-level grouping, an app designed to automatically lock all the doors at night may also get rights to unlock the doors (a much more dangerous operation).

At the other extreme, users can be prompted for each individual permission, but that can annoy the users or lead to them ignoring the prompts and approving everything.

Tyche was designed as a secure alternative technique and introduces the notion of “risk-based permissions.” When using risk-based permissions, device operations are grouped by similar risk. Users can grant different apps permissions based on the risk level they trust that app with. The researchers developed the different risk levels with a user study that computed a relative ranking of risks associated with different device operations. They defined the risk groups and applied them to existing Samsung SmartThings apps.
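To make the three grouping strategies concrete, here is a small constructed model (an added illustration, not code from the Tyche paper or from SmartThings) of how much access an app ends up with under per-operation, device-level, function-level and risk-based permissions. The device operations, their function categories and their risk levels are assumptions chosen for illustration; Tyche derived its risk ranking from a user study, and the model here treats each risk tier as an independently granted group, which is a simplification. The two example apps mirror the ones in the text: a battery monitor that only needs lock status, and a night-time locker that only needs to lock.

```python
"""Toy comparison of smart-home permission grouping models (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Operation:
    device: str     # which physical device exposes the operation
    name: str       # the operation itself
    function: str   # function-level grouping key (assumed categories)
    risk: str       # risk tier: "low", "medium" or "high" (assumed, not from the paper's study)

    @property
    def qualified(self) -> str:
        return f"{self.device}.{self.name}"


# Constructed device catalogue; risk tiers here are illustrative assumptions.
OPERATIONS = [
    Operation("door_lock", "battery_status", "status", "low"),
    Operation("door_lock", "lock", "lock_control", "medium"),
    Operation("door_lock", "unlock", "lock_control", "high"),
    Operation("thermostat", "read_temperature", "status", "low"),
    Operation("thermostat", "set_temperature", "climate_control", "medium"),
    Operation("garage_door", "status", "status", "low"),
    Operation("garage_door", "open", "door_control", "high"),
]
BY_NAME = {op.qualified: op for op in OPERATIONS}
MODELS = ("per_operation", "device", "function", "risk")


def group_key(op: Operation, model: str) -> str:
    """The permission group an operation belongs to under a given model."""
    if model == "per_operation":
        return op.qualified
    if model == "device":
        return op.device
    if model == "function":
        return op.function
    if model == "risk":
        return op.risk
    raise ValueError(f"unknown permission model: {model}")


def grant(requested, model: str) -> set:
    """Operations an app actually receives: the union of every group its requests touch."""
    groups = {group_key(BY_NAME[q], model) for q in requested}
    return {op.qualified for op in OPERATIONS if group_key(op, model) in groups}


def prompt_count(requested, model: str) -> int:
    """Approval prompts the user sees: one per distinct group requested (usability cost)."""
    return len({group_key(BY_NAME[q], model) for q in requested})


def excess_high_risk(requested, model: str) -> set:
    """High-risk operations granted that the app never asked for (over-privilege)."""
    granted = grant(requested, model)
    return {q for q in granted - set(requested) if BY_NAME[q].risk == "high"}


def compare(requested) -> dict:
    """Prompt count and unrequested high-risk grants for each model."""
    return {m: (prompt_count(requested, m), sorted(excess_high_risk(requested, m)))
            for m in MODELS}


# Constructed example apps matching the scenarios described in the article.
APPS = {
    "battery_monitor": ["door_lock.battery_status"],
    "night_locker": ["door_lock.lock"],
}

if __name__ == "__main__":
    for app, reqs in APPS.items():
        print(app)
        for model, (prompts, excess) in compare(reqs).items():
            print(f"  {model:14s} prompts={prompts} unrequested high-risk={excess}")
```

Running it shows the asymmetry the article describes: device-level grouping hands `door_lock.unlock` to the battery monitor, function-level grouping hands it to the night locker, and the risk-based grouping gives neither app a high-risk operation it did not request, while still keeping the prompt count at one group per request rather than one per operation.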

Through this permissions model change, they showed that the existing apps better inform users of risks, gain 60% less access to high-risk operations, and still function normally. That is 60% fewer risky operations an attacker could issue through a compromised app in the event of a breach.

According to Prakash, “The work is an important step towards understanding how to make tradeoffs between usability and security in the design of permission systems for emerging application domains.”

The researchers presented the paper at the 2018 IEEE SECDEV Conference in Cambridge, Massachusetts on October 2.