Franco Loi
ABSTRACT
Internet-of-Things (IoT) devices such as smart bulbs, cameras, and health monitors are being enthusiastically adopted by consumers, with numbers projected to rise to the billions. However, such devices are also easily attacked, or used for launching attacks, at large scale and at increasing frequency. This paper is an attempt at developing a systematic method to identify the security and privacy shortcomings of various IoT devices, with a view towards alerting consumers, manufacturers, and regulators to the associated risks. We categorize the threats along four dimensions: confidentiality of private data sent to/from the IoT device; integrity of data from the IoT device to internal/external entities; access control of the IoT device; and reflective attacks that can be launched from an IoT device. We develop scripts to automate the security testing along each of these dimensions, subject twenty market-ready consumer IoT devices to our test suite, and reveal findings that give a fairly comprehensive picture of the security/privacy posture of these devices. Our methodology can be used as a basis for a star-based security ratings system for IoT devices being brought to market.
- D. Hall. 2015. Building a LIFX packet. https://community.lifx.com/t/building-a-lifx-packet/59. (2015).Google Scholar
- N. Dhanjani. 2015. Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts. O'Reilly Media.Google Scholar
- Fernandes et al. 2016. Security Analysis of Emerging Smart Home Applications Proc. IEEE Symposium on Security and Privacy (SP).Google Scholar
- M. Lyu et al. 2017. Quantifying the Reflective DDoS Attack Capability of Household IoT Devices Proc. ACM WiSec. Boston, Massachusetts.Google Scholar
- T. Yu et al. 2015. Handling a Trillion (Unfixable) Flaws on a Billion Devices: Rethinking Network Security for the Internet-of-Things. In Proc. ACM HotNets. Google ScholarDigital Library
- Herzberg et al. 2016. Breaking Down Mirai: An IoT DDoS Botnet Analysis. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html. (2016).Google Scholar
- J. Gamblin. 2016. Mirai Source Code. https://github.com/jgamblin/Mirai-Source-Code/tree/master/mirai/bot. (2016).Google Scholar
- M. Mimoso. 2017. Legislation Proposed to Secure Connected IoT Devices. https://goo.gl/fUQzaT. (2017).Google Scholar
- Ms. Smith . 2017. A Hacker just Pwned Over 150,000 Printers Left Exposed Online. https://goo.gl/1SZSUw. (2017).Google Scholar
- Ms. Smith. 2017. Hacker stackoverflowin pwning printers. https://goo.gl/4E4e71. (2017).Google Scholar
- N. Woolf. 2016. DDoS attack that disrupted internet was largest of its kind in history, experts say. https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet. (2016).Google Scholar
- R. Eyal et al. 2016. IoT goes nuclear: Creating a ZigBee chain reaction. Technical Report.Google Scholar
- S. Gibbs. 2015. Hackers can hijack Wi-Fi Hellow Barbie to spy on your children. https://goo.gl/p2Pfk9. (2015).Google Scholar
- S. Gibbs. 2017. Smart fridges and TVs should carry security rating, police chief says. https://goo.gl/P9MsA6. (2017).Google Scholar
- S. Notra et al. 2014. An Experimental Study of Security and Privacy Risks with Emerging Household Appliances Proc. First International Workshop on Security and Privacy in Machine-to-Machine Communications (M2MSec).Google Scholar
Index Terms
- Systematically Evaluating Security and Privacy for Consumer IoT Devices
Recommendations
Exploring How Privacy and Security Factor into IoT Device Purchase Behavior
CHI '19: Proceedings of the 2019 CHI Conference on Human Factors in Computing SystemsDespite growing concerns about security and privacy of Internet of Things (IoT) devices, consumers generally do not have access to security and privacy information when purchasing these devices. We interviewed 24 participants about IoT devices they ...
Internet of Things security
The Internet of things (IoT) has recently become an important research topic because it integrates various sensors and objects to communicate directly with one another without human intervention. The requirements for the large-scale deployment of the ...
Emerging Security Threats and Countermeasures in IoT
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications SecurityIoT (Internet of Things) diversifies the future Internet, and has drawn much attention. As more and more gadgets (i.e. Things) connected to the Internet, the huge amount of data exchanged has reached an unprecedented level. As sensitive and private ...
Comments