Internet of Things (IoT)

Best Practices in IoT

The Internet of Things is growing rapidly, and its growth rate has been improving over the last decade. With the introduction of more IoT devices, there have been increasing concerns about the security and privacy issues that come with using these devices. One of the main appeals of IoT is that many devices are connected together, which enables interoperability among them. However, interoperability is a double-edged sword, as sharing information between devices can result in more exposure.

Currently, Internet of Things (IoT) security appears to depend on the kindness of strangers, especially as a single vulnerable device in an IoT network can lead to loss of information from other devices as well. In response, a range of organizations have published best practices for producing secure IoT devices. These organizations range from governmental organizations (like the Federal Trade Commission) to international organizations (like the Online Trust Alliance).

Traditional security threats are still relevant in the Internet of Things (IoT). Yet traditional security threat models are inadequate for technologies that act upon our homes, families, and even pets. One response to the inadequacy of traditional threat models has been the creation of IoT best practices. These best practices have been created to answer the traditional and modern security threats relating to both computer systems in general and IoT devices specifically. In our IoT project, we evaluate these best practices and see how effective they are at minimizing vulnerabilities in the current IoT world.

To evaluate the efficacy of these best practices, we selected two very different hubs: Sen.se and Samsung. One system is arguably the most closed hub on the market, designed to interact only with its own sensors. The second system is highly interoperable, working with Amazon, Apple, and Android devices. The targeted markets are consequently very different, with Sen.se targeting specific vulnerable populations and Samsung offering interoperability to all. The hubs are organizationally different, with one system from a small new entrant and one from a large established manufacturer. Upon penetration testing, we found both had vulnerabilities. Unfortunately these vulnerabilities are acute for each hub: the hub targeting sensitive populations is subject to data manipulation, and the one with the broadest interoperability is at risk for botnet enrollment.

Ideally, best practices should address the requirements necessary to provide security and privacy in IoT. Some of these practices are purely technical, part of the construction and design of the devices. However, some requirements are inherently organizational, including the disclosure of vulnerabilities. We try to evaluate all of these practices where possible.

Our first contribution is to provide case studies of security issues in two very different consumer IoT hubs. We enumerate a union of the best practices from the guidelines that existed at the time of the analysis, illustrating in which cases they would have mitigated or prevented the vulnerabilities we identified. We illustrate that the extant best practices, if properly used, could have mitigated some of the vulnerabilities. We note where a simple Boolean check box is an inadequate measure. We also mention our disclosure efforts and how the companies responded and reacted to the disclosures.


Publications
Conference publications (4)
  1. Jacob Abbott, Gege Gao, and Patrick Shih. Creen: A Carbon Footprint Calculator Designed for Calculation in Context. In International Conference on Information, pages 769--776, 2019. Springer.
    Keywords: Sustainability, IoT, HCI.

  2. Joshua Streiff, Sanchari Das, and Joshua Cannon. Overpowered and Underprotected Toys Empowering Parents with Tools to Protect Their Children. In IEEE HUMANS AND CYBER SECURITY WORKSHOP (HACS 2019), 2019. IEEE.
    Keywords: IoT.

  3. Joshua Streiff, Connie Justics, and L Jean Camp. Escaping to Cybersecurity Education: Using Manipulative Challenges to Engage and Educate. In Proceedings of the 13th European Conference on Games Based Learning, pages 1046--1050, 2019. ACPI.
    Keywords: IoT.

  4. Joshua Streiff, Olivia Kenny, Sanchari Das, Andrew Leeth, and L Jean Camp. Who's Watching Your Child? Exploring Home Security Risks with Smart Toy Bears. In Internet-of-Things Design and Implementation (IoTDI), 2018 IEEE/ACM Third International Conference on, pages 285--286, 2018. IEEE.
    Keywords: IoT.

Posters and Presentations (10)
  1. Adalibi Streiff and S. Das. Eyes In Your Child’s Bedroom: Exploiting Child Data Risks with Smart Toys. A Bsides MSP Workshop, September 2019.
    Keywords: IoT.

  2. Adalibi Streiff and S. Das. Securtle: The Security Turtle. A Bsides STL Workshop, September 2019.
    Keywords: IoT.

  3. Joshua Streiff. Cybersecurity & You. A Brown Co. Schools Speaker Series, September 2019.
    Keywords: IoT.

  4. Joshua Streiff. Educational Hacking Using Command Line & Bluetooth Low Energy. An Avon STEM Educator Leadership Day Workshop, September 2019.
    Keywords: IoT.

  5. Joshua Streiff. Bears, Unicorns, & Crockpots, Oh My! An Introduction to Internet of Things (IoT) Threat Modeling Education. An AI & Connected Conference Workshop, September 2019.
    Keywords: IoT.

  6. Joshua Streiff. Practical Cybersecurity and Manipulative Gaming Education. A Flipping the Switch! Cybersecurity Workshop Session at Indiana Department of Education Workshop, September 2019.
    Keywords: IoT.

  7. Niang Chin, Sameer Patil, and Joshua Streiff. The Overly Friendly Crockpot. Trusted CI Poster Session (IL), July 2019.
    Keywords: IoT.

  8. Nathaly Reynaga, Behnod Momensadeh, Joshua Streiff, and Sameer Patil. The One Where Patty Trusted Her Printer: The Threat of IoT Printers. IU GROUPS STEM Poster (IN), July 2019.
    Keywords: IoT.

  9. Joshua Streiff. Capturing Education: CTF and IoT in K-12 Education. A Luddy Hall Pathfinders Workshop, July 2019.
    Keywords: IoT.

  10. Joshua Streiff. How Santa knows if you are Naughty or Nice: How your IoT toys can spy on you. A SPICE Colloquium Speaker Series, September 2018.
    Keywords: IoT.