If-This-Then-Allow-That (to phone home): A trigger-based network policy enforcement framework for smart homes

Anthony Tam, Furkan Alaca, David Barrera.

International Symposium on Foundations & Practice of Security (FPS) 2022, December 12-14, Ottawa, ON.

Abstract:

The Internet of Things (IoT) has become entrenched in many users' networks due to the utility these Internet-connected objects provide. But this does not mean that users should unconditionally trust IoT devices on their networks. While several approaches exist for restricting network connectivity of IoT devices, these proposals typically identify legitimate traffic, and then permanently allow it to flow to or from the device. In this paper, we argue that this permanent access control can lead to privacy and security violations, and in many cases is not strictly required. We present If-This-Then-Allow-That (IFTAT), a framework that supports security policies that dynamically update network access control rules based on the type of access that is required at any given time. Device or environmental triggers such as motion sensors or mobile phone applications initiate the process of adding firewall exceptions, which are removed either automatically or after another trigger is activated. We describe a proof of concept implementation which shows how IFTAT can restrict the network access of untrusted IoT devices with little impact to the usability of these devices.
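To make the mechanism described above concrete, here is a small simulation of a trigger-driven access-control engine. It is an added example, not the authors' IFTAT implementation or the paper's proof of concept: a device starts under default deny, a trigger (a doorbell press, a phone app opening) installs a firewall exception, and the exception is removed either when a time-to-live lapses or when a second trigger fires. The device names, destinations, trigger names and the policy rules are constructed for illustration; a real deployment would translate the `allow`/`revoke` events into firewall rule changes and keep the event list as an audit trail.

```python
"""Illustrative trigger-based firewall-exception engine (added example, not IFTAT's code).

Models the abstract's idea: default deny for an untrusted IoT device, temporary
exceptions added by a trigger, removed on timeout or by a second trigger.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """When `trigger` fires, allow `device` -> `dest` for `ttl` seconds and/or
    until `revoke_on` fires, whichever happens first."""
    trigger: str
    device: str
    dest: str
    ttl: Optional[float] = None
    revoke_on: Optional[str] = None


@dataclass
class Exception_:
    """An installed firewall exception (hypothetical representation)."""
    device: str
    dest: str
    expires_at: Optional[float]   # absolute simulated time, or None if trigger-revoked only
    revoke_on: Optional[str]      # trigger name that removes this exception, if any


class TriggerPolicyEngine:
    def __init__(self) -> None:
        self.now = 0.0                 # simulated clock keeps the example deterministic
        self.rules: list[Rule] = []
        self.active: list[Exception_] = []
        self.events: list[str] = []    # audit trail of every policy change

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def advance(self, seconds: float) -> None:
        """Move the clock forward and drop time-bounded exceptions that have lapsed."""
        self.now += seconds
        still = []
        for ex in self.active:
            if ex.expires_at is not None and ex.expires_at <= self.now:
                self.events.append(f"t={self.now:g} expire {ex.device}->{ex.dest}")
            else:
                still.append(ex)
        self.active = still

    def fire(self, trigger: str) -> None:
        """A trigger first revokes exceptions that name it, then installs new ones."""
        self.events.append(f"t={self.now:g} trigger {trigger}")
        keep = []
        for ex in self.active:
            if ex.revoke_on == trigger:
                self.events.append(f"t={self.now:g} revoke {ex.device}->{ex.dest}")
            else:
                keep.append(ex)
        self.active = keep
        for rule in self.rules:
            if rule.trigger == trigger:
                expires = None if rule.ttl is None else self.now + rule.ttl
                self.active.append(Exception_(rule.device, rule.dest, expires, rule.revoke_on))
                self.events.append(f"t={self.now:g} allow {rule.device}->{rule.dest}")

    def is_allowed(self, device: str, dest: str) -> bool:
        """Default deny: a flow passes only while a matching, unexpired exception exists."""
        return any(
            ex.device == device and ex.dest == dest
            and (ex.expires_at is None or ex.expires_at > self.now)
            for ex in self.active
        )


def run_scenario() -> dict:
    """Constructed scenario: a camera may upload for 60 s after a doorbell press;
    a smart lock may reach its vendor API only while the phone app is open."""
    eng = TriggerPolicyEngine()
    eng.add_rule(Rule("doorbell_press", "camera", "cam-cloud.example", ttl=60))
    eng.add_rule(Rule("app_open", "lock", "lock-api.example", revoke_on="app_close"))

    r = {}
    r["idle"] = eng.is_allowed("camera", "cam-cloud.example")          # default deny
    eng.fire("doorbell_press")
    r["after_press"] = eng.is_allowed("camera", "cam-cloud.example")   # exception installed
    eng.advance(30)
    r["at_30s"] = eng.is_allowed("camera", "cam-cloud.example")        # still inside TTL
    eng.advance(31)
    r["at_61s"] = eng.is_allowed("camera", "cam-cloud.example")        # TTL lapsed, removed
    eng.fire("app_open")
    r["app_open"] = eng.is_allowed("lock", "lock-api.example")
    eng.advance(3600)
    r["app_open_1h"] = eng.is_allowed("lock", "lock-api.example")      # no TTL, still open
    eng.fire("app_close")
    r["app_closed"] = eng.is_allowed("lock", "lock-api.example")       # revoked by trigger
    r["cross_device"] = eng.is_allowed("lock", "cam-cloud.example")    # never permitted
    r["events"] = eng.events
    return r


if __name__ == "__main__":
    for line in run_scenario()["events"]:
        print(line)
```

The two rule shapes correspond to the two removal paths the abstract names: the camera rule expires on its own, the lock rule lives until a second trigger, and `is_allowed` checks expiry as well as membership so that a stale exception can never be consulted between clock updates.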

Authors' copy (PDF)