Data Privacy in Trigger-Action IoT Systems

Trigger-action platforms (TAPs) allow users to connect independent IoT or web-based services to achieve useful automation. TAPs provide a simple interface that helps users to program trigger-compute-action rules that pass data between disparate services through the TAPs. Unfortunately, TAPs introduce a large-scale security risk: if they are compromised, attackers will gain access to all sensitive data for millions of users. Towards that end, we propose eTAP, a privacy-enhancing trigger-action platform that executes trigger-compute-action rules without accessing users' private data in plaintext or learning anything about the results of the computation. We use garbled circuits as a primitive, and leverage the unique structure of trigger-compute-action rules to make them practical. We formally state and prove the security guarantees of our protocols. We prototyped eTAP, which supports the most commonly used operations on popular commercial TAPs like IFTTT and Zapier. Specifically, we support boolean, arithmetic, and string operations on private trigger data and can run 100% of the top-500 rules of IFTTT users and 93.4% of all rules published on Zapier. We run ten existing user-created rules that exercise a variety of operations on trigger data. Performance tests show that the overhead is modest: on average rule execution latency increases by 70 ms (55%) and throughput reduces by 59%.