Real-time Analysis of Privacy-(un)aware IoT Applications

TL;DR

This paper introduces IoTWatcH, a real-time dynamic analysis tool that detects privacy risks in IoT applications by analyzing data flows and informing users, with high accuracy and minimal performance impact.

Contribution

The paper presents IoTWatcH, a novel tool that uses NLP to analyze IoT app data in real-time, providing privacy risk insights based on user preferences.

Findings

Achieved 94.25% accuracy in classifying privacy-related data

Successfully flagged privacy data leaks to unauthorized parties

Minimal overhead of 105 ms latency introduced

Abstract

Users trust IoT apps to control and automate their smart devices. These apps necessarily have access to sensitive data to implement their functionality. However, users lack visibility into how their sensitive data is used (or leaked), and they often blindly trust the app developers. In this paper, we present IoTWatcH, a novel dynamic analysis tool that uncovers the privacy risks of IoT apps in real-time. We designed and built IoTWatcH based on an IoT privacy survey that considers the privacy needs of IoT users. IoTWatcH provides users with a simple interface to specify their privacy preferences with an IoT app. Then, in runtime, it analyzes both the data that is sent out of the IoT app and its recipients using Natural Language Processing (NLP) techniques. Moreover, IoTWatcH informs the users with its findings to make them aware of the privacy risks with the IoT app. We implemented IoTWatcH on real IoT applications. Specifically, we analyzed 540 IoT apps to train the NLP model and evaluate its effectiveness. IoTWatcH successfully classifies IoT app data sent to external parties to correct privacy labels with an average accuracy of 94.25%, and flags IoT apps that leak privacy data to unauthorized parties. Finally, IoTWatcH yields minimal overhead to an IoT app's execution, on average 105 ms additional latency.