An Institute for Security Science and Technology led study indicates we should not fully rely on these solutions just yet.
Consumer Internet of Things (IoT) devices are rapidly finding their place in our homes, from smart speakers to baby monitors and children’s toys.
Along with their benefits come potential threats. To limit these threats, a number of commercial security solutions have become available (commonly referred to as IoT safeguards). The safeguards claim to provide protection against IoT privacy risks and security threats. However, the effectiveness and the associated privacy risks of these safeguards remain a key open question.
In an important investigation at the Institute for Security Science and Technology, conducted jointly with our colleagues at Northeastern University, we used our large-scale IoT testbed to investigate the threat detection capability of IoT safeguards.
We developed and released as open source a methodology that relies on automated experimentation with the devices against safeguards to reveal their response to common security threats and privacy risks.
Our results indicate that not only may these safeguards currently be ineffective in preventing risks, but their cloud interactions and data collection operations may also introduce further privacy risks for the households that adopt them.
The lead author, Dr Anna Mandalari, suggests some potential solutions to this new emerging challenge for smart homes. To mitigate privacy risks, we should focus on approaches that rely on local traffic analysis, edge-based solutions running on the home gateway, and crowdsourcing approaches, such as IoTrim. The implementation of regulation, standards and guidelines for manufacturers is also critical for ensuring the security, privacy, and ethical use of our connected devices.
For more insights and results, please read the full text here: Protected or Porous: A Comparative Analysis of Threat Detection Capability of IoT Safeguards, appearing at the 44th IEEE Symposium on Security and Privacy (Oakland 2023), May 22-25, 2023, San Francisco, CA, & Online.
The research presented in this post was supported by the EPSRC PETRAS National Centre of Excellence for IoT Systems Cybersecurity (EP/S035362/1), EPSRC Open Plus Fellowship (EP/W005271/1), UKRI’s Strategic Priorities Fund under the SDTaP programme’s commercialization stream (10049005), and the NSF (ProperData SaTC-1955227).