More Like this

1. Which Privacy and Security Attributes Most Impact Consumers’ Risk Perception and Willingness to Purchase IoT Devices?

   https://doi.org/10.1109/SP40001.2021.00112  

   Emami-Naeini, Pardis ; Dheenadhayalan, Janarth ; Agarwal, Yuvraj ; Cranor, Lorrie Faith ( May 2021 , 2021 IEEE Symposium on Security and Privacy (SP))

   In prior work, researchers proposed an Internet of Things (IoT) security and privacy label akin to a food nutrition label, based on input from experts. We conducted a survey with 1,371 Mechanical Turk (MTurk) participants to test the effectiveness of each of the privacy and security attribute-value pairs proposed in that prior work along two key dimensions: ability to convey risk to consumers and impact on their willingness to purchase an IoT device. We found that the values intended to communicate increased risk were generally perceived that way by participants. For example, we found that consumers perceived more risk when a label conveyed that data would be sold to third parties than when it would not be sold at all, and that consumers were more willing to purchase devices when they knew that their data would not be retained or shared with others. However, participants’ risk perception did not always align with their willingness to purchase, sometimes due to usability concerns. Based on our findings, we propose actionable recommendations on how to more effectively present privacy and security attributes on an IoT label to better communicate risk to consumers 

   more » « less
2. Are Consumers Willing to Pay for Security and Privacy of IoT Devices?

   PARDIS EMAMI-NAENI, JANARTH DHEENADHAYALAN ( January 2023 , In Proceedings of the 32nd USENIX Security Symposium)

   Internet of Things (IoT) device manufacturers provide little information to consumers about their security and data handling practices. Therefore, IoT consumers cannot make informed purchase choices around security and privacy. While prior research has found that consumers would likely consider security and privacy when purchasing IoT devices, past work lacks empirical evidence as to whether they would actually pay more to purchase devices with enhanced security and privacy. To fill this gap, we conducted a two-phase incentive compatible online study with 180 Prolific participants. We measured the impact of five security and privacy factors (e.g., access control) on participants’ purchase behaviors when presented individually or together on an IoT label. Participants were willing to pay a significant premium for devices with better security and privacy practices. The biggest price differential we found was for de-identified rather than identifiable cloud storage. Mainly due to its usability challenges, the least valuable improvement for participants was to have multi-factor authentication as opposed to passwords. Based on our findings, we provide recommendations on creating more effective IoT security and privacy labeling programs. 

   more » « less
3. A Capstone Project: Designing an IoT Threat Modeling to Prevent Cyber-attacks

   Toutsop, O. ( November 2021 , 2021 Fall ASEE Middle Atlantic Section Meeting)

   The NTT (Nippon Telegraph and Telephone) Data Corporation report found that 80% of U.S. consumers are concerned about their smart home data security. The Internet of Things (IoT) technology brings many benefits to people's homes, and more people across the world are heavily dependent on the technology and its devices. However, many IoT devices are deployed without considering security, increasing the number of attack vectors available to attackers. Numerous Internet of Things devices lacking security features have been compromised by attackers, resulting in many security incidents. Attackers can infiltrate these smart home devices and control the home via turning off the lights, controlling the alarm systems, and unlocking the smart locks, to name a few. Attackers have also been able to access the smart home network, leading to data exfiltration. There are many threats that smart homes face, such as the Man-in-the-Middle (MIM) attacks, data and identity theft, and Denial of Service (DoS) attacks. The hardware vulnerabilities often targeted by attackers are SPI, UART, JTAG, USB, etc. Therefore, to enhance the security of the smart devices used in our daily lives, threat modeling should be implemented early on in developing any given system. This past Spring semester, Morgan State University launched a (senior) capstone project targeting undergraduate (electrical) engineering students who were thus allowed to research with the Cybersecurity Assurance and Policy (CAP) center for four months. The primary purpose of the capstone was to help students further develop both hardware and software skills while researching. For this project, the students mainly focused on the Arduino Mega Board. Some of the expected outcomes for this capstone project include: 1) understanding the physical board components, 2) learning how to attack the board through the STRIDE technique, 3) generating a Data Flow Diagram (DFD) of the system using the Microsoft threat modeling tool, 4) understanding the attack patterns, and 5) generating the threat based on the user's input. To prevent future threats and attacks from taking advantage of systems vulnerabilities, the practice of "threat modeling" is implemented. This method allows the analysis of potential attackers, including their goals and techniques, while also providing solutions and mitigation strategies. Although Threat modeling can be performed throughout the development of a system, implementing it during developmental stages will prevent further problems in the future. Threat Modeling is crucial because it will help identify any potential threat before it propagates in the system. Identifying threats and providing countermeasures will save both time and money while also keeping the consumers safe. As a result, students must grow to understand how essential detecting and preventing attacks are to protect consumer information systems and networks. At the end of this capstone project, students should take away hands-on skills in cyber defense. 

   more » « less
4. Consumer-Driven Design and Evaluation of Broadband Labels

   https://doi.org/10.2139/ssrn.4528761  

   Choy, Christopher ; Young, Ellie ; Li, Megan ; Cranor, Lorrie Faith ; Peha, Jon M. ( January 2023 , SSRN Electronic Journal)

   This study examines the content and layout of the proposed broadband consumer disclosure labels mandated by the U.S. Federal Communications Commission (FCC). Our large-scale user study identifies key consumer preferences and comprehension factors through a two-phase survey of 2,500 broadband internet consumers. Findings reveal strong support for broadband labels, but dissatisfaction with the FCC's proposed labels from 2016. Participants generally struggled to use the label for cost computations and plan comparisons. Technical terms confused participants, but providing participants with brief education made the terms usable. Participants desired additional information, including reliability, speed measures for both periods when performance is “normal” and periods when performance is much worse than normal, quality-of-experience ratings, and detailed network management practices. This feedback informed our improved label designs that outperformed the 2016 labels in comprehension and preference. Overall, consumers valued clear pricing and performance details, comprehensive information, and an easy-to-understand format for plan comparison. Requiring broadband service providers to deposit machine-readable plan information in a publicly accessible database would enable third parties to further customize how information is presented to meet these consumer needs. Our work additionally highlights the need for user studies of labels to ensure they meet consumer demands. 

   more » « less
5. On the Security of Bluetooth Low Energy in Two Consumer Wearable Heart Rate Monitors/Sensing Devices

   https://doi.org/10.3390/s22030988  

   Kurt Peker, Yeṣem ; Bello, Gabriel ; Perez, Alfredo J. ( February 2022 , Sensors)

   Since its inception in 2013, Bluetooth Low Energy (BLE) has become the standard for short-distance wireless communication in many consumer devices, as well as special-purpose devices. In this study, we analyze the security features available in Bluetooth LE standards and evaluate the features implemented in two BLE wearable devices (a Fitbit heart rate wristband and a Polar heart rate chest wearable) and a BLE keyboard to explore which security features in the BLE standards are implemented in the devices. In this study, we used the ComProbe Bluetooth Protocol Analyzer, along with the ComProbe software to capture the BLE traffic of these three devices. We found that even though the standards provide security mechanisms, because the Bluetooth Special Interest Group does not require that manufacturers fully comply with the standards, some manufacturers fail to implement proper security mechanisms. The circumvention of security in Bluetooth devices could leak private data that could be exploited by rogue actors/hackers, thus creating security, privacy, and, possibly, safety issues for consumers and the public. We propose the design of a Bluetooth Security Facts Label (BSFL) to be included on a Bluetooth/BLE enabled device’s commercial packaging and conclude that there should be better mechanisms for informing users about the security and privacy provisions of the devices they acquire and use and to educate the public on protection of their privacy when buying a connected device. 

   more » « less