With IoT devices becoming an increasingly common and convenient addition to our daily lives, we examine whether the safeguards meant to maintain security and privacy when using these devices are actually effective.
The advent of consumer Internet of Things (IoT) devices has revolutionised our daily lives, bringing convenience and connectivity to our homes. From smart speakers that play our favourite tunes to security cameras that monitor our property, these devices offer a world of possibilities.
However, with the benefits of IoT come privacy and security risks. To address these challenges, a slew of commercial services, known as IoT safeguards, have emerged. But the burning question remains: just how effective are these safeguards and what privacy risks do they introduce?
In a recent analysis conducted by my colleagues and I, we delved deep into the intriguing world of IoT safeguards to examine their threat detection capabilities and also the potential privacy risks they pose. For the first time, we carried out an investigation into the effectiveness of these safeguards with the aim of unveiling their responses to common security threats and privacy risks. Using one of the most advanced IoT testbeds in the world, our study relies on automated experimentation, designed to uncover the truth about these IoT safeguards.
We conducted - and released as opensource - thousands of automated experiments, simulating real-world scenarios where these devices are tasked with protecting households from potential threats. The threat detection capabilities we test are against:
- Security threats - spanning specific attacks - e.g., flooding - to generic anomalies - e.g., a device behaving in an unexpected way - and;
- Privacy threats - spanning the presence of unencrypted traffic to the proper enforcement of DNS over HTTPS (DoH).
Our focus was twofold: to evaluate the safeguards' threat detection capability and to study their cloud interactions and data collection operations for privacy vulnerabilities.
Our results paint a rather intriguing picture of the IoT safeguard landscape. While these devices may promise enhanced security and privacy, our experiments revealed a different reality:
Ineffectiveness in Preventing Risks
Surprisingly, our experiments showed that many of these IoT safeguards may be ineffective in preventing security threats. They often struggled to detect and mitigate common vulnerabilities, raising concerns about their reliability.
Uncovering Privacy Risks
One of the most significant revelations was that, in the process of protecting users from security threats, these safeguards might introduce overhead and privacy risks.
The extensive cloud interactions and data collection operations associated with these devices can potentially expose sensitive user information, inadvertently making users vulnerable to privacy breaches.
As the IoT landscape continues to evolve, it is crucial for both consumers and developers to collaborate in addressing these issues. Transparency, thorough testing, and regular updates are vital in ensuring that IoT safeguards effectively protect against threats while safeguarding user privacy.
For more insights and results, please read the full text here: Protected or Porous: A Comparative Analysis of Threat Detection Capability of IoT Safeguards, published at the 44th IEEE Symposium on Security and Privacy (Oakland 2023), May 22-25, 2023, San Francisco, CA, & Online.
The research presented in this post was supported by the EPSRC PETRAS National Centre of Excellence for IoT Systems Cybersecurity (EP/S035362/1), EPSRC Open Plus Fellowship (EP/W005271/1), UKRI’s Strategic Priorities Fund under the SDTaP programme’s commercialization stream (10049005), and the NSF (ProperData SaTC-1955227).