Quantifying the Risk of Internet of Things Devices
Twenty-four computer science and cybersecurity seniors evaluated the security features of dozens of IoT devices for their senior capstone project to help consumers make more informed decisions
By the nature of their function, Internet of Things (IoT) products always hold a certain relationship to a person’s or organization’s safety.
Equipped with sensors and communications software, these physical, Internet-connected devices are continually polling for personal and even private data — such as people’s locations, health metrics, the engagement of a door lock or security system, or the air quality in a room — and then transferring and storing that data to online cloud servers. This sensory detection and transfer of data allows IoT devices to assess and react to an environment or set of circumstances in real time, such as opening a smart window in response to a change in temperature or alerting a user with a live video feed when their doorbell is rung.
But the moment that chain of events is breached — whether by nefarious actors engaging in a cyberattack or through the simple failure of a system to securely perform its function — a person’s or organization’s data, and consequently their safety and security, is placed at risk.
With little information available and no universal standard in place for proving the security of networked devices, consumers are too often left in the dark about the vulnerabilities they are purchasing.
“Some users are more inclined to spend less money on a product even if there are potential security risks. However, for products like door locks, safes, medical devices, et cetera, consumers are expecting security to be a priority without knowing what criteria to look for,” said cybersecurity major Maddie Johnson ’23. “These devices are becoming increasingly accessible to users who are vastly unaware of the potential security implications.”
To help instill trust in a selection of interconnectable IoT products, 24 computer science and cybersecurity seniors (including Johnson) organized into four teams to test and evaluate the security of these devices for their senior design capstone project.
Sponsored by Affinity IoT Security Labs, the project aimed to evaluate the devices according to an established set of security features in order to quantify a security rating for each one. Devices that achieved above a certain score were then qualified to receive Affinity IoT’s security certification.
The certification gives device manufacturers proof of their commitment to delivering safe and secure products, and gives customers confidence that the device they are about to purchase has been shown to have a high level of security features in place.
“Just like when you sign a waiver before going skydiving, consumers should be aware of what they are getting themselves into when they introduce a new IoT device into their lives,” Johnson said. “These evaluations show the need for transparency when it comes to IoT security and allow these standards to be communicated in a comprehensible manner so that users can make informed decisions.”
Assessing IoT security
Each of the four teams tested between 10 and 20 devices, ranging from smaller-scale consumer products like video doorbell cameras, baby monitors and blood pressure monitors, to larger industrial control system devices, including a robotic arm.
The teams were tasked with conducting two types of evaluations: static and dynamic.
In static tests, used when a device was not physically available, the teams evaluated the security features of the device based on available documentation, such as user manuals and specifications posted online.
When access to a physical device was available, however, the teams conducted dynamic tests in which, according to computer science major Ethan Che ’23, the students “met up together on campus and tried to ‘break’ the device.”
“This could mean intercepting the data the device was transmitting or just playing around with whatever app paired with the device and seeing what we could find,” Che said. “We only needed a minimal amount of outside tools or equipment to do these — a laptop and some extra software got us by.”
The students assessed each device and its associated mobile app for up to 20 different criteria provided by Affinity IoT. Security considerations included whether the device encrypted its communications or enforced strong password requirements, whether the product authenticated the devices or servers it interacted with, how easy (or not) the device was to update, and the presence or absence of administrative account security features, such as whether users could be added or deleted easily.
“We looked into some fancier capabilities like resisting physical tampering, Denial of Service (DoS) resistance, and logging capabilities, but those weren’t as important to the overall security score,” noted cybersecurity major Christian de Poortere ’23.
Although the evaluation criteria remained the same across all devices, the students adjusted their approach according to the most common use cases and most likely points of failure of each individual device.
“For example, for the string lights, we tested other remotes on the device, and for the cat feeder, we tested its capability if the power went off or a new user was added to the app,” said Johnson. “We also considered the data at hand and how it may be used by someone with malicious intent to determine what security features to look at.”
Each evaluated feature was weighted from 1 point to 5 points according to its importance, and the weighted scores for all criteria were then aggregated into a final security certification rating.
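As an added illustration of the scoring scheme described above (not code from the students' project or from Affinity IoT), the following scorer uses assumed criterion names, weights and pass mark, and gives no credit for a vendor claim that could not be verified:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Sequence

class Finding(Enum):
    VERIFIED = "verified"    # present and demonstrated by a dynamic test or precise documentation
    CLAIMED = "claimed"      # vendor asserts it ("your data is encrypted!") with no checkable detail
    ABSENT = "absent"        # missing, or failed the test
    NOT_APPLICABLE = "n/a"   # criterion does not apply to this device class

@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int  # 1 (minor) .. 5 (critical), the weighting range the article describes

    def __post_init__(self) -> None:
        if not 1 <= self.weight <= 5:
            raise ValueError(f"{self.name}: weight must be 1..5, got {self.weight}")

# Hypothetical rubric: names and weights are assumed here, not Affinity IoT's real criteria.
RUBRIC: Sequence[Criterion] = (
    Criterion("encrypted_communications", 5),
    Criterion("strong_password_policy", 4),
    Criterion("server_and_device_authentication", 5),
    Criterion("secure_update_mechanism", 4),
    Criterion("admin_account_management", 3),
    Criterion("dos_resistance", 2),
    Criterion("tamper_resistance", 1),
    Criterion("logging", 1),
)
MAX_SCORE = 10.0  # the article reports ratings on a 10-point scale

def score_device(findings: Mapping[str, Finding], rubric: Sequence[Criterion] = RUBRIC) -> float:
    """Weighted rating 0..MAX_SCORE. Only VERIFIED earns credit; CLAIMED and ABSENT earn none.
    NOT_APPLICABLE drops out of the denominator; unassessed criteria count as ABSENT."""
    earned = possible = 0
    for c in rubric:
        finding = findings.get(c.name, Finding.ABSENT)
        if finding is Finding.NOT_APPLICABLE:
            continue
        possible += c.weight
        if finding is Finding.VERIFIED:
            earned += c.weight
    if possible == 0:
        raise ValueError("no applicable criteria; nothing to score")
    return round(MAX_SCORE * earned / possible, 1)

def certifies(score: float, threshold: float = 7.0) -> bool:
    # The pass mark is an assumption; the article only says "above a certain score".
    return score >= threshold
```

A device whose documentation only makes unverifiable claims scores 0.0 under this scheme, which is the point: credit is earned by proof, not by assertion.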
Insecurity surprises — and expectations
“The biggest challenge for our group was probably figuring out how to adjust to the project workload and the structure of weekly reviews,” de Poortere said. “The experience was very different from the typical classroom flow, and there were varying results in the speed at which we were able to make that adjustment.”
Perhaps both the biggest challenge and the biggest surprise for many of the seniors, however, was just how insufficient the security features and available information for IoT devices truly were. Too often, the students found, the security of a device was asserted as a matter of faith rather than demonstrated with proof.
“There was an overwhelming number of products that had little to no documentation regarding the security of their devices. This meant that we often had to reach out to customer service representatives to get an answer — often with no luck,” Johnson said. “When products did have documentation, they often made broad claims like, ‘Don’t worry, your information is encrypted!’ without specifying what information and how it is encrypted.”
“The lack of security on some industrial devices is what surprised me the most,” said Che, who minored in cybersecurity. “One would think devices that belong in such an important setting would be secure, but one such device only scored a 0.8 out of 10.”
While Che and Johnson both expressed surprise at the extent of the IoT security shortcomings, de Poortere, in contrast, said the project rather “reinforced my previous opinions on the IoT market with solid data.”
“Consumers should be very skeptical about the IoT devices they leave in their homes,” de Poortere said. “These devices collect vast amounts of personal information and are often missing standard security features.”
De Poortere noted that the value of conducting security evaluations of IoT devices lies far beyond the evaluation results themselves.
“Those who are paying attention to cybersecurity know there isn’t enough being done to protect consumer information. If anything, the best hope for this kind of research is to spread awareness that the devices people use, IoT or otherwise, are exposing their personal information,” he said. “The more aware people are, the more pressure companies will face about the security of the devices they sell, which will hopefully result in greater security for these devices and greater protection for consumer information.”
Working toward a more secure future
The students each noted that participating in this project affected them.
Che, who will join the U.S. Department of Defense full time as a software engineer after graduation, appreciated that the project gave him the opportunity to combine his background in computer science and cybersecurity with his interest in knowing how technologies work “under the hood.” He said he will keep what he learned from the experience with him as he progresses through his career.
“Being involved in this project has definitely changed the way I look at the IoT market,” he said. “I have realized that these devices are not always as secure as they should be, and I think it is important for manufacturers to make sure their devices are secure since more and more people are starting to rely on them.”
Johnson, who will begin a full-time position at AT&T this summer as a cybersecurity associate on the data analytics team, noted how her involvement with the project has already begun to alter her own consumer habits.
“This project changed the way I look at IoT products online. I definitely shop differently and exercise caution when trying new devices,” she said.
De Poortere noted how the project bridged the gap well between classroom learning and professional implementation. He begins a full-time job at the Johns Hopkins University Applied Physics Lab this summer and will start a cybersecurity master’s degree there in Fall 2023.
“The experience was a unique blend of school work and real work that has helped the transition toward entering the workforce. It was great to shift from studying cybersecurity to using what we’ve learned to assess devices and provide useful security data,” he said. “The project also highlighted how my education has given me the ability to identify real-world problems and develop solutions.”
For more information on how to propose a computer science senior capstone project, visit https://sites.google.com/view/seniordesignprojects/ or contact David Klappholz at [email protected].