Systematically Evaluating Security and Privacy for Consumer IoT Devices

Abstract

Internet-of-Things (IoT) devices such as smart bulbs, cameras, and health monitors are being enthusiastically adopted by consumers, with numbers projected to rise to the billions. However, such devices are also easily attacked, or used for launching attacks, at large scale and at increasing frequency. This paper is an attempt at developing a systematic method to identify the security and privacy shortcomings of various IoT devices, with a view towards alerting consumers, manufacturers, and regulators to the associated risks. We categorize the threats along four dimensions: confidentiality of private data sent to/from the IoT device; integrity of data from the IoT device to internal/external entities; access control of the IoT device; and reflective attacks that can be launched from an IoT device. We develop scripts to automate the security testing along each of these dimensions, subject twenty market-ready consumer IoT devices to our test suite, and reveal findings that give a fairly comprehensive picture of the security/privacy posture of these devices. Our methodology can be used as a basis for a star-based security ratings system for IoT devices being brought to market.