Request For Research Presentations For the PrivacyCon Conference
Recent years have seen the emergence and proliferation of Internet-of-Things (IoT) devices. However, many of them contain security vulnerabilities that adversaries can exploit remotely to launch high-profile attacks. For example, the Mirai botnet compromised a few hundred thousand Internet-connected cameras before launching a distributed denial-of-service (DDoS) attack on a DNS provider used by Twitter and Reddit, causing widespread disruption on these major platforms. As the total number of IoT devices is projected to reach a billion in the next five to ten years, attacks from insecure devices are likely to cause greater damage.

These problems have prompted some effort from industry to create security standards among manufacturers of IoT devices. Additionally, one consumer advocacy group offers security evaluations of devices, in the hope of helping buyers make more informed decisions. Among both manufacturers and consumers, however, broad momentum behind such security efforts has yet to materialize. One reason is the lack of incentives to adopt security practices. For manufacturers, security features can raise costs, which often translate into higher prices for consumers. For consumers with potentially insecure and vulnerable devices, improving device security, such as regularly downloading any available firmware upgrades, takes extra effort. If a device is compromised and used to attack other services online, as in the case of the Mirai botnet, few manufacturers or owners suffer significant losses from the attack.

To mitigate this lack of incentives, we propose a policy that regulates the manufacturers and/or consumers of IoT devices. Specifically, we require manufacturers to enforce minimum security standards for their devices, for instance setting strong passwords or encrypting network traffic, to reduce the probability of compromise. Alternatively, we fine owners of IoT devices that are compromised and used to attack other services on the Internet, in the hope that consumers will favor more secure devices and thus drive less secure ones out of the market.

Please see the attached PDF for our method, preliminary observations, and next steps. Contact: Danny Yuxing Huang at [REDACTED].