On the User Perception of Security Risks of TAP Rules: A User Study

Breve B.; Cimino G.; Deufemia V.; Elefante A.
2023-01-01

Abstract

Trigger-Action Platforms (TAPs) provide users with enhanced control to automate interactions between IoT devices using rules that consist of trigger conditions and actions that get executed when the triggers are fired. To better describe the behavior of these rules from the perspective of reuse and sharing, end-users can provide natural language descriptions. Unfortunately, TAPs do not assess these descriptions, which can result in unintentional exposure of sensitive information about the user’s smart environment, and consequently, pose significant security and privacy threats. In this paper, we present a study involving end-users to evaluate the plausibility of cyberattacks that leverage information inferred from rules of the IFTTT platform, also known as applets. The study recruited 30 participants of varying technical proficiency, to investigate the degree of perceived risk when exposed to attack scenarios involving specific smart objects. ChatGPT was utilized to automatically generate descriptions of potential cyberattacks based on sensitive information inferred from applets by using NLP techniques. The findings highlight that users, particularly experts, considered attack scenarios highly plausible, especially given the ease of access to such sensitive information as a user’s routine schedule or home environment. Qualitative analysis revealed that users were overall very concerned about how information in trigger-action rule descriptions could give malicious individuals important clues to plan cyberattacks. Finally, based on the study results, we draw some recommendations to the EUD community to improve the security of the interaction with TAPs.
Year: 2023
ISBN: 978-3-031-34432-9
ISBN: 978-3-031-34433-6
Use this identifier to cite or link to this document: https://hdl.handle.net/11386/4854094