Internet of Things (IoT)

Best Practices in IoT

The Internet of Things is growing rapidly, and its growth rate has increased over the last decade. With the introduction of more IoT devices, there have been increasing concerns about the security and privacy issues that come with using these devices. One of the main appeals of IoT is that many devices are connected together, which enables interoperability between them. However, interoperability is a double-edged sword, as sharing information between devices can result in more exposure.

Currently, Internet of Things (IoT) security appears to depend on the kindness of strangers, especially as a single vulnerable device in an IoT network can lead to loss of information from other devices as well. In response, a range of organizations have published best practices for producing secure IoT devices. These organizations range from governmental organizations (like the Federal Trade Commission) to international organizations (like the Online Trust Alliance).

Traditional security threats are still relevant in the Internet of Things (IoT). Yet traditional security threat models are inadequate for technologies that act upon our homes, families, and even pets. One response to the inadequacy of traditional threat models has been the creation of IoT best practices. These best practices have been created to address both traditional and modern security threats, covering computer systems in general and IoT devices specifically. In our IoT project, we evaluate these best practices and see how effective they are at minimizing vulnerabilities in the current IoT world.

Our first contribution is to provide case studies of security issues in two very different consumer IoT hubs. We enumerate a union of the best practices from the guidelines that existed at the time of the analysis, illustrating in which cases they would have mitigated or prevented the vulnerabilities we identified. We illustrate that the extant best practices, if properly used, could have mitigated some of the vulnerabilities. We note where a simple Boolean check box is an inadequate measure. We also mention our disclosure efforts and how the companies responded and reacted to the disclosures.


Publications
Articles in journals or book chapters (4)
  1. Behnood Momenzadeh, Helen Dougherty, Matthew Remmel, Steven Myers, and L Jean Camp. Best Practices Would Make Things Better in the IoT. IEEE Security & Privacy, 2020.
    Keywords: IoT.

  2. Shakthidhar Reddy Gopavaram, Jayati Dev, Sanchari Das, and Jean Camp. IoTMarketplace: Informing Purchase Decisions with Risk Communication. 2019.
    Keywords: IoT, Mental Models, Mobile Privacy.

  3. L. Jean Camp and Kalpana Shankar. Constructing the Older User in Home-Based Ubiquitous Computing. The Social Impact of Social Computing, pp 110, 2011.
    Note: Sheffield Hallam University.
    Keywords: Aging, Privacy, IoT.

  4. Kay Connelly and L. Jean Camp. Beyond Consent: Privacy in Ubiquitous Computing (Ubicomp). In Digital Privacy: Theory, Technologies and Practices eds, pages 332--348. Auerbach Publications, 2007.
    Keywords: Aging, Human-Centered Computing, user studies, Privacy, IoT.

Conference publications (15)
  1. L Jean Camp, Shakthidhar Gopavaram, Jayati Dev, and Ece Gumusel. Lessons for Labeling from Risk communication. In Workshop and Call for Papers on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software, September 2021.
    Keywords: Privacy and Security Labels, IoT.

  2. Jayati Dev, Shakthidhar Gopavaram, Ece Gumusel, and L Jean Camp. A Consumer-focused Modular Approach to Labeling IoT Devices and Software. In Workshop and Call for Papers on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software, September 2021.
    Keywords: Privacy and Security Labels, IoT.

  3. Shakthidhar Gopavaram, Jayati Dev, Ece Gumusel, and L Jean Camp. Going Beyond Labels. In Workshop and Call for Papers on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software, September 2021.
    Keywords: Privacy and Security Labels, IoT.

  4. Vafa Andalibi, Jayati Dev, DongInn Kim, Eliot Lear, and Jean Camp. Making Access Control Easy in IoT. In IFIP International Symposium on Human Aspects of Information Security & Assurance, June 2021.
    Keywords: IoT, MUD, MUD-Visualizer.

  5. Shakthidhar Gopavaram, Jayati Dev, Sanchari Das, and L Jean Camp. IoT Marketplace: Willingness-To-Pay vs. Willingness-To-Accept. In Proceedings of the 20th Annual Workshop on the Economics of Information Security (WEIS 2021), June 2021.
    Keywords: IoT, Privacy Labels, Marketplace, Psychological Biases.

  6. Vafa Andalibi, Eliot Lear, DongInn Kim, and Jean Camp. On the Analysis of MUD-Files' Interactions, Conflicts, and Configuration Requirements Before Deployment. In 5th EAI International Conference on Safety and Security in Internet of Things, SaSeIoT, May 2021. Springer.
    Keywords: IoT, MUD, MUD-Visualizer.

  7. DongInn Kim, Vafa Andalibi, and L Jean Camp. Protecting IoT Devices through Localized Detection of BGP Hijacks for Individual Things. In SafeThings 2021, Oakland, May 2021. IEEE Workshop on the Internet of Safe Things.
    Keywords: Fingerprinting, IoT.

  8. Hilda Hadan and Sameer Patil. Understanding Perceptions of Smart Devices. In International Conference on Financial Cryptography and Data Security, August 2020.
    Keywords: IoT.

  9. DongInn Kim, Vafa Andalibi, and L Jean Camp. Fingerprinting Edge and Cloud Services in IoT. In Systematic Approaches to Digital Forensic Engineering, City University of New York (CUNY), New York City, May 2020. IEEE Computer Society.
    Keywords: Fingerprinting, IoT.

  10. Vafa Andalibi, DongInn Kim, and L. Jean Camp. Throwing MUD into the FOG: Defending IoT and Fog by expanding MUD to Fog network. In 2nd USENIX Workshop on Hot Topics in Edge Computing (HotEdge 19), Renton, WA, July 2019. USENIX Association.
    Keywords: MUD, IoT.

  11. Jacob Abbott, Gege Gao, and Patrick Shih. Creen: A Carbon Footprint Calculator Designed for Calculation in Context. In International Conference on Information, pages 769--776, 2019. Springer.
    Keywords: Sustainability, IoT, HCI.

  12. Joshua Streiff, Sanchari Das, and Joshua Cannon. Overpowered and Underprotected Toys Empowering Parents with Tools to Protect Their Children. In IEEE HUMANS AND CYBER SECURITY WORKSHOP (HACS 2019), 2019. IEEE.
    Keywords: IoT.

  13. Joshua Streiff, Connie Justice, and L Jean Camp. Escaping to Cybersecurity Education: Using Manipulative Challenges to Engage and Educate. In Proceedings of the 13th European Conference on Games Based Learning, pages 1046--1050, 2019. ACPI.
    Keywords: IoT.

  14. Andrew Dingman, Gianpaolo Russo, George Osterholt, Tyler Uffelman, and L. Jean Camp. Good Advice That Just Doesn't Help. In 2018 IEEE/ACM Third International Conference on Internet-of-Things Design and Implementation (IoTDI), pages 289--291, 2018. IEEE.
    Keywords: Mental Models, IoT, Governance.

  15. Joshua Streiff, Olivia Kenny, Sanchari Das, Andrew Leeth, and L Jean Camp. Who's Watching Your Child? Exploring Home Security Risks with Smart Toy Bears. In Internet-of-Things Design and Implementation (IoTDI), 2018 IEEE/ACM Third International Conference on, pages 285--286, 2018. IEEE.
    Keywords: IoT.

Posters and Presentations (14)
  1. Laura Calloway. Harm Reduction for Internet of Things Devices. Presentation at Annual Meeting of Society For Social Studies Of Science (4S, 2021), Toronto, CA, Virtual, October 2021.
    Keywords: privacy, health, IoT, surveillance.

  2. Corey Allen and Joshua Streiff. Sleeping Alone: Detecting and Countering Hidden Cameras in AirBnB Environments. IU GROUPS STEM Poster (IN), July 2021.
    Keywords: IoT.

  3. Joshua Streiff. Finding Alice & Bob: Using BLE to Locate Victims & First Responders in Buildings. IU IDER Poster (IN), July 2021.
    Keywords: IoT.

  4. Andy Puga and Joshua Streiff. Hunting for the Internet of Things: An Educational BLE Scavanger Hunt Game. IU GROUPS STEM Poster (IN), July 2020.
    Keywords: IoT.

  5. Lizbeth Roque, Emily Sung, and Joshua Streiff. Gaming For Cyber Kids: Building Manipulative Cyber Educational Games for Grades 7th-8th. IU GROUPS STEM Poster (IN), July 2020.
    Keywords: IoT.

  6. Joshua Streiff, Vafa Andalibi, and Sanchari Das. Securtle: The Security Turtle. A Bsides STL Workshop, September 2019.
    Keywords: IoT.

  7. Joshua Streiff. Practical Cybersecurity and Manipulative Gaming Education. A Flipping the Switch! Cybersecurity Workshop Session at Indiana Department of Education Workshop, September 2019.
    Keywords: IoT.

  8. Joshua Streiff. Bears, Unicorns, & Crockpots, Oh My! An Introduction to Internet of Things (IoT) Threat Modeling Education. An AI & Connected Conference Workshop, September 2019.
    Keywords: IoT.

  9. Joshua Streiff, Vafa Andalibi, and Sanchari Das. Eyes In Your Child’s Bedroom: Exploiting Child Data Risks with Smart Toys. A Bsides MSP Workshop, September 2019.
    Keywords: IoT.

  10. Joshua Streiff. Educational Hacking Using Command Line & Bluetooth Low Energy. An Avon STEM Educator Leadership Day Workshop, September 2019.
    Keywords: IoT.

  11. Niang Chin, Joshua Streiff, and Sameer Patil. The Overly Friendly Crockpot. Trusted CI Poster Session (IL), July 2019.
    Keywords: IoT.

  12. Nathaly Reynaga, Behnood Momenzadeh, Joshua Streiff, and Sameer Patil. The One Where Patty Trusted Her Printer: The Threat of IoT Printers. IU GROUPS STEM Poster (IN), July 2019.
    Keywords: IoT.

  13. Joshua Streiff. Capturing Education: CTF and IoT in K-12 Education. A Luddy Hall Pathfinders Workshop, July 2019.
    Keywords: IoT.

  14. Joshua Streiff. How Santa knows if you are Naughty or Nice: How your IoT toys can spy on you. A SPICE Colloquium Speaker Series, September 2018.
    Keywords: IoT.