This content will become publicly available on October 1, 2026

Title: Lost in Translation: Exploring the Risks of Web-to-Cross-platform Application Migration
The cross-platform application-development paradigm alleviates a major challenge of native application development, namely the need to re-implement the codebase for each target platform, and streamlines the deployment of applications to different platforms. Essentially, cross-platform application development relies on migrating web application code and repackaging it as a native application. In other words, code that was designed and developed to execute within the confines of a browser, with all the security checks and safeguards that that entails, is now deployed within a completely different execution environment. In this paper, we explore the inherent security and privacy risks that arise from this migration, due to the fundamental differences between these two execution environments, which we refer to as security lacunae. To that end, we establish a differential analysis workflow and develop a set of customized tests designed to uncover divergent behaviors of web code executed within a browser and as an Electron cross-platform application. Guided by the findings from our empirical exploration, we retrofit part of the Web Platform Tests (WPTs) testing suite so as to apply to the Electron framework, and systematically assess mechanisms that relate to isolation and access control, and critical security policies and headers. Our research uncovers semantic gaps that exist between the two execution environments, which affect the enforcement of critical security mechanisms, thus exposing users to severe risks. This can lead to privacy issues such as the exposure of sensitive data over unencrypted connections or unregulated third-party access to the local filesystem, and security issues such as the incorrect enforcement of CSP script execution directives. 
We demonstrate that directly migrating web application code to a cross-platform application, without refactoring the code and implementing additional safeguards to address the conceptual and behavioral mismatches between the two execution environments, can significantly affect the application's security and privacy posture.
Award ID(s):
2211574 2143363
PAR ID:
10625206
Publisher / Repository:
PETS Symposium
Journal Name:
Proceedings on Privacy Enhancing Technologies
Volume:
2025
Issue:
4
ISSN:
2299-0984
Page Range / eLocation ID:
24 to 39
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Consumer Internet of Things (IoT) devices are increasingly common, from smart speakers to security cameras, in homes. Along with their benefits come potential privacy and security threats. To limit these threats a number of commercial services have become available (IoT safeguards). The safeguards claim to provide protection against IoT privacy risks and security threats. However, the effectiveness and the associated privacy risks of these safeguards remain a key open question. In this paper, we investigate the threat detection capabilities of IoT safeguards for the first time. We develop and release an approach for automated safeguards experimentation to reveal their response to common security threats and privacy risks. We perform thousands of automated experiments using popular commercial IoT safeguards when deployed in a large IoT testbed. Our results indicate not only that these devices may be ineffective in preventing risks, but also their cloud interactions and data collection operations may introduce privacy risks for the households that adopt them.
  2. This report will analyze issues related to web browser security and privacy. The web browser applications that will be looked at are Google Chrome, Bing, Mozilla Firefox, Internet Explorer, Microsoft Edge, Safari, and Opera. In recent months web browsers have increased the number of daily users. With the increase in daily users who may not be as well versed in data security and privacy, comes an increase in attacks. This study will discuss the pros and cons of each web browser, how many have been hacked, how often they have been hacked, why they have been hacked, security flaws, and more. The study utilizes research and a user survey to make a proper analysis and provide recommendations on the topic. 
  3. Modern web security and privacy research depends on accurate measurement of an often evasive and hostile web. No longer just a network of static, hyperlinked documents, the modern web is alive with JavaScript (JS) loaded from third parties of unknown trustworthiness. Dynamic analysis of potentially hostile JS currently presents a cruel dilemma: use heavyweight in-browser solutions that prove impossible to maintain, or use lightweight inline JS solutions that are detectable by evasive JS and which cannot match the scope of coverage provided by in-browser systems. We present VisibleV8, a dynamic analysis framework hosted inside V8, the JS engine of the Chrome browser, that logs native function or property accesses during any JS execution. At less than 600 lines (only 67 of which modify V8's existing behavior), our patches are lightweight and have been maintained from Chrome versions 63 through 72 without difficulty. VV8 consistently outperforms equivalent inline instrumentation, and it intercepts accesses impossible to instrument inline. This comprehensive coverage allows us to isolate and identify 46 JavaScript namespace artifacts used by JS code in the wild to detect automated browsing platforms and to discover that 29% of the Alexa top 50k sites load content which actively probes these artifacts. 
  4. Mobile web browsing remains slow despite many efforts to accelerate page loads. Like others, we find that client-side computation (in particular, JavaScript execution) is a key culprit. Prior solutions to mitigate computation overheads, however, suffer from security, privacy, and deployability issues, hindering their adoption. To sidestep these issues, we propose a browser-based solution in which every client reuses identical computations from its prior page loads. Our analysis across roughly 230 pages reveals that, even on a modern smartphone, such an approach could reduce client-side computation by a median of 49% on pages which are most in need of such optimizations. 
  5. As the digital world gets increasingly ingrained in our daily lives, cyberattacks—especially those involving malware—are growing more complex and common, which calls for developing innovative safeguards. Keylogger spyware, which combines keylogging and spyware functionalities, is one of the most insidious types of cyberattacks. This malicious software stealthily monitors and records user keystrokes, amassing sensitive data, such as passwords and confidential personal information, which can then be exploited. This research introduces a novel browser extension designed to effectively thwart keylogger spyware attacks. The extension is underpinned by a cutting-edge algorithm that meticulously analyzes input-related processes, promptly identifying and flagging any malicious activities. Upon detection, the extension empowers users with the immediate choice to terminate the suspicious process or validate its authenticity, thereby placing crucial real-time control in the hands of the end user. The methodology used guarantees the extension's mobility and adaptability across various platforms and devices. This paper extensively details the development of the browser extension, from its first conceptual design to its rigorous performance evaluation. The results show that the extension considerably strengthens end-user protection against cyber risks, resulting in a safer web browsing experience. The research substantiates the extension's efficacy and significant potential in reinforcing online security standards, demonstrating its ability to make web surfing safer through extensive analysis and testing. 