IoTBench

 

We introduce an IoT-specific test suite, an open repository for evaluating information leakage in IoT apps. We modeled the suite on test suites designed for mobile systems and the smart grid, which have been widely adopted by the security community. IoTBench currently includes 19 hand-crafted malicious SmartThings apps that contain data leaks. Sixteen apps have a single data leak, and three have multiple data leaks, for a total of 27 data leaks via either Internet or messaging service sinks. We carefully crafted the IoTBench apps based on official and third-party apps. They include data leaks whose accurate identification through program analysis requires handling multiple entry points, state variables, call by reflection, and field sensitivity. Each app in IoTBench also comes with ground truth describing the data leaks it contains; this is provided as comment blocks in the app's source code. IoTBench can be used to evaluate both static and dynamic taint analysis tools designed for SmartThings apps; it enables assessing a tool's accuracy and effectiveness through the ground truths included in the suite. IoTBench apps can be accessed from our IoTBench GitHub repository.
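As an added illustration (not code from the IoTBench repository), the following Python sketch scores a taint analysis tool's findings against ground truth read from comment blocks. The comment layout, the file names, and the analyzer output are all constructed assumptions; adapt the two regular expressions to the format the apps actually use.

```python
import re

# Constructed inputs. The comment layout is an assumption made for this
# example; it is not IoTBench's actual ground-truth format.
APPS = {
    "single_leak.groovy": """/* GROUND TRUTH
 * leak: lock.state -> internet
 */
definition(name: "Constructed sample A")
""",
    "multi_leak.groovy": """/* GROUND TRUTH
 * leak: presence.state -> internet
 * leak: contact.state -> messaging
 */
definition(name: "Constructed sample B")
""",
}
# Constructed findings from a hypothetical analyzer: (app, source, sink).
REPORTED = {
    ("single_leak.groovy", "lock.state", "internet"),
    ("multi_leak.groovy", "presence.state", "internet"),
    ("multi_leak.groovy", "switch.state", "messaging"),  # not in ground truth
}

BLOCK_RE = re.compile(r"/\*\s*GROUND TRUTH(.*?)\*/", re.S)
LEAK_RE = re.compile(r"^\s*\*\s*leak:\s*(\S+)\s*->\s*(\S+)\s*$", re.M)

def ground_truth(apps):
    """Return (app, source, sink) triples parsed from ground-truth comment blocks."""
    return {(name, src, sink)
            for name, text in apps.items()
            for block in BLOCK_RE.findall(text)
            for src, sink in LEAK_RE.findall(block)}

def score(truth, reported):
    """Compare reported leaks with ground truth, overall and per sink type."""
    hits = truth & reported
    per_sink = {}
    for sink in {t[2] for t in truth}:
        expected = {t for t in truth if t[2] == sink}
        per_sink[sink] = len(expected & reported) / len(expected)
    return {
        "precision": len(hits) / len(reported) if reported else 1.0,
        "recall": len(hits) / len(truth) if truth else 1.0,
        "false_positives": sorted(reported - truth),
        "missed": sorted(truth - reported),
        "recall_by_sink": per_sink,
    }

if __name__ == "__main__":
    print(score(ground_truth(APPS), REPORTED))
```

Reporting recall per sink type separates a tool that misses messaging sinks from one that misses Internet sinks, which a single overall figure would hide.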