Decentralized Action Integrity for Trigger-Action IoT Platforms


Trigger-Action platforms are web-based systems that enable users to create automation rules by stitching together online services representing digital and physical resources using OAuth tokens. Unfortunately, these platforms introduce a longrange large-scale security risk: If they are compromised, an attacker can misuse the OAuth tokens belonging to a large number of users to arbitrarily manipulate their devices and data. We introduce Decentralized Action Integrity, a security principle that prevents an untrusted trigger-action platform from misusing compromised OAuth tokens in ways that are inconsistent with any given user’s set of trigger-action rules. We present the design and evaluation of Decentralized Trigger-Action Platform (DTAP), a trigger-action platform that implements this principle by overcoming practical challenges. DTAP splits currently monolithic platform designs into an untrusted cloud service, and a set of user clients (each user only trusts their client). Our design introduces the concept of Transfer Tokens (XTokens) to practically use fine grained rule-specific tokens without increasing the number of OAuth permission prompts compared to current platforms. Our evaluation indicates that DTAP poses negligible overhead: it adds less than 15ms of latency to rule execution time, and reduces throughput by 2.5%.

Research Paper


When referring to our work, please cite it as:

Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, Atul Prakash 
Decentralized Action Integrity for Trigger-Action IoT Platforms 
22nd Network and Distributed Security Symposium (NDSS 2018), San Diego, CA, Feb 2018

or, use BibTeX for citation:

     author = {Earlence Fernandes and Amir Rahmati and Jaeyeon Jung and Atul Prakash},
     title = {{Decentralized Action Integrity for Trigger-Action IoT Platforms}},
     booktitle = {22nd Network and Distributed Security Symposium (NDSS 2018)},
     month = Feb,
     year = 2018


Earlence Fernandes, Postdoctoral Researcher, University of Washington

Amir Rahmati, Professor, Stony Brook University

Jaeyeon Jung, Vice President, Samsung

Atul Prakash, Professor, University of Michigan