Trigger-Action platforms are web-based systems that enable users to create automation rules by stitching together online services representing digital and physical resources using OAuth tokens. Unfortunately, these platforms introduce a long range large-scale security risk: If they are compromised, an attacker can misuse the OAuth tokens belonging to a large number of users to arbitrarily manipulate their devices and data. To tackle this issue, we introduce Decentralized Action Integrity, a security principle that prevents an untrusted trigger-action platform from misusing compromised OAuth tokens in ways that are inconsistent with any given user’s set of trigger-action rules.
Earlence Fernandes (http://www.earlence.com/) is an Assistant Professor in the Computer Sciences department at UW Madison. His research interests are in emerging cyber-physical systems like smart homes, buildings and vehicles. He has been awarded two best papers (at Oakland and IEEE SecDev) for his work on smart homes. He earned his PhD at the University of Michigan in 2017.