38,985 research outputs found

    Toward Identification and Characterization of IoT Software Update Practices

    Software update systems are critical for ensuring systems remain free of bugs and vulnerabilities while they are in service. While many Internet of Things (IoT) devices are capable of outlasting desktops and mobile phones, their software update practices are not yet well understood. This paper discusses efforts toward characterizing the IoT software update landscape through network analysis of IoT device traffic. Our results suggest that vendors do not currently follow security best practices, and that software update standards, while available, are not being deployed. We discuss our findings and give a research agenda for improving the overall security and transparency of software updates on IoT. Comment: 11 pages, 6 figures

    Cybersecurity Hygiene in the Era of Internet of Things (IoT): Best Practices and Challenges

    The rapid growth of the Internet of Things (IoT) has resulted in an increasing number of interconnected devices, creating new opportunities for data collection and automation. However, this expansion also brings with it unique cybersecurity challenges. This research paper aims to investigate the best practices for maintaining cybersecurity hygiene in the IoT environment and explore the challenges that need to be addressed to ensure robust security for these connected devices. This study will delve into the vulnerabilities associated with IoT devices, their impact on overall system security, and the potential solutions that can be implemented to enhance cybersecurity hygiene in the IoT environment.

    CYBER-INSECURITY: THE REASONABLENESS STANDARD IN INTERNET OF THINGS DEVICE REGULATION AND WHY TECHNICAL STANDARDS ARE BETTER EQUIPPED TO COMBAT CYBERCRIME

    While the Internet of Things (IoT) has created an interconnected world via phones, laptops, and even household devices, it is not infallible. As cyber-attacks increase in frequency, affecting companies of all sizes and industries, IoT device manufacturers have become particularly vulnerable, due in large part to the fact that many companies fail to implement adequate cybersecurity protocols. Mass data breaches occur often. However, these companies are not held accountable due to the use of the reasonableness standard in existing cybersecurity legislation, which is flexible and malleable. In 2019, the California Legislature enacted a cybersecurity law specific to IoT device manufacturers. This Note considers how the existing California IoT legislation fails to hold companies accountable for poor cybersecurity practices through malleable and relaxed standards, and proposes a new standard of industry best practices which looks to a multi-stakeholder initiative to develop more rigorous standards to ensure manufacturers undertake proper cybersecurity initiatives to protect consumer data.

    Tell the Smart House to Mind its Own Business!: Maintaining Privacy and Security in the Era of Smart Devices

    Consumers want convenience. That convenience often comes in the form of everyday smart devices that connect to the internet and assist with daily tasks. With the advancement of technology and the “Internet of Things” in recent years, convenience is at our fingertips more than ever before. Not only do consumers want convenience, they want to trust that their product is performing the task that they purchased it for and not exposing them to danger or risk. However, due to the increasing capabilities and capacities of smart devices, consumers are less likely to realize the implications of what they are agreeing to when they purchase and begin using these products. This Note will focus on the risks associated with smart devices, using smart home devices as an illustration. These devices have the ability to collect intimate details about the layout of the home and about those who live within it. The mere collection of this personal data opens consumers up to the risk of having their private information shared with unintended recipients whether the information is being sold to a third party or accessible to a hacker. Thus, to adequately protect consumers, it is imperative that they can fully consent to their data being collected, retained, and potentially distributed. This Note examines the law that is currently in place to protect consumers who use smart devices and argues that a void ultimately leaves consumers vulnerable. Current data privacy protection in the United States centers on the self-regulatory regime of “notice and choice.” This Note highlights how the self-regulatory notice-and-choice model fails to ensure sufficient protection for consumers who use smart devices and discusses the need for greater privacy protection in the era of the emerging Internet of Things.
Ultimately, this Note proposes a state-level resolution and calls upon an exemplar state to experiment with privacy protection laws to determine the best way to regulate the Internet of Things.

    Verifying and Monitoring IoTs Network Behavior using MUD Profiles

    IoT devices are increasingly being implicated in cyber-attacks, raising community concern about the risks they pose to critical infrastructure, corporations, and citizens. In order to reduce this risk, the IETF is pushing IoT vendors to develop formal specifications of the intended purpose of their IoT devices, in the form of a Manufacturer Usage Description (MUD), so that their network behavior in any operating environment can be locked down and verified rigorously. This paper aims to assist IoT manufacturers in developing and verifying MUD profiles, while also helping adopters of these devices to ensure they are compatible with their organizational policies and track devices' network behavior based on their MUD profile. Our first contribution is to develop a tool that takes the traffic trace of an arbitrary IoT device as input and automatically generates the MUD profile for it. We contribute our tool as open source, apply it to 28 consumer IoT devices, and highlight insights and challenges encountered in the process. Our second contribution is to apply a formal semantic framework that not only validates a given MUD profile for consistency, but also checks its compatibility with a given organizational policy. We apply our framework to representative organizations and selected devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance testing. Finally, we show how operators can dynamically identify IoT devices using known MUD profiles and monitor their behavioral changes on their network. Comment: 17 pages, 17 figures. arXiv admin note: text overlap with arXiv:1804.0435