This past week has been the last for my summer research internship. I worked really hard to get the second draft of my guide done to send it to my mentor. Dr. Motti and I are going to continue to work on the guide to make it something that others can use. My next step is to make a survey that we will send out, then analyze the results. The research board has to approve our way of collecting data before we can send it out, to make sure we are protecting the people in the study. I am posting the guide I made onto my press page, so check it out if you are curious.
I have learned so much over this summer, not just about IoT security but about how to focus myself and make personal goals. Dr. Motti has been an amazing mentor; she has given me the room to develop my project and guided me when I was not sure where to go. My project would not be anything like it is now without her, and I am very proud of what I have made this summer. I am very grateful to have been matched with Dr. Motti; she is a great mentor to have.
This has been an annoying week: George Mason’s network blocked my laptop from connecting to Wi-Fi because it thought I had a virus. That was incorrect; they scanned my laptop (which I do once a week) and found nothing. Once my laptop was back online I could work on the guide; the second draft is almost done. I will finish it next week, then send it to Dr. Motti to review and see what her notes are on it.
I decided at the beginning of the summer that I was going to work an extra week, but the university housing is closing at the end of week 10. I will be staying in an Airbnb in Capitol Hill, which will be fun because it is close to downtown DC. Working the extra week gives me more time to work on my paper and make sure that it is as good as I can make it.
In week 9 I finished the rough draft of the homeowner version and made my paper into a presentation. I then showed it to the other researchers in the lab and Dr. Motti; she gave me some very helpful advice. She told me how to organize the paper so it is a bit easier to read, and reminded me to keep the reader in mind more when writing the homeowner version. I thought about who would be reading something like an IoT security guide. My conclusion to that question is anyone who is concerned about their privacy and security. That led me to the conclusion that I need to make the homeowner version much more user friendly. I kept a lot of the descriptions of what the viruses are the same for both versions, and now I am thinking I need to change that to make it easier to understand.
In week 8 I finished the first draft of the business version and sent it to my mentor so she could tell me her thoughts and edits. I started to work on the home version of the guide, which was harder because with the business one I could assume that someone with a tech background was reading it. With the homeowner one I have to assume that there is a limited knowledge of all things tech and security. I had issues writing it because normally, if I am talking to someone who doesn't understand much about tech, I will ask them as we are talking if they understand. It has been difficult to try and get the right wording; I have to find a balance between over-explaining and under-explaining.
I spent all week just working on the business version of the guide; there was an outline created and a general idea of what the goal of the guide would be. For each virus there is a section on what it is, why it is concerning, how to prevent it, then the negative side to the solutions given. The attacks I talked about are DDoS, Ransomware, Man-in-the-Middle, Spoofing, Physical Tampering, Eavesdropping, and Trust between devices on the same network. With those selected I knew that describing what the hacks do and why that is important to the company would be difficult. With so many simple IoT devices it is hard to see what danger there is if one of them got infected, and I wanted to be sure that I showed they could do damage. I tried to think of when the hacks could negatively affect a business and tried to come up with an example for each.
Originally I wanted to make a decision tree to try and help businesses and homeowners understand different prevention techniques more easily. I kept trying to make one and it was very difficult; then eventually I just stopped and thought about what could be done instead of a decision tree. Then I came up with a guide that lists the hacks that would be the most concerning for IoT devices; that list is based on OWASP and many different articles. From the articles I gathered what the writers think the biggest concerns are, and from those I had a list of 7 hacks that IoT devices are vulnerable to. Looking at the list of hacks, I thought about how each hack is different and decided that since each hack is different they should get their own section. I wanted it to be easy to read and easy to understand, so I started with the business-directed guide. I wanted to be able to tailor what I said to relate specifically to businesses. I spent most of the week figuring out exactly what I wanted to do and how it is best to do that. I also had to figure out what level someone reading the guide should be at to be able to comprehend what is being said.
Week 5 was a fun week; I learned a lot about the different hacks that are directed at IoT devices and how the attackers do it. The reasons behind the attacks make some more concerning than others. The attacks that are the most common are DDoS, Ransomware, spoofing, physical tampering and using IoT devices as a gateway to the rest of the network. The way that most of the hackers gain access to IoT devices is the same: using the username and password the developers hard-coded into the devices. Most users don’t know about this weakness but hackers do, and the passwords used to protect them are weak and easy to find for a lot of devices. Once the credentials are entered the attackers have access to the device. Through that access they control that specific device and can download whatever malware they want; they also have access to the network. You would think that once companies realized this weakness they would make it so the user has to change the factory password. That is not the case, and even if they did that with the new devices, there are still all the old ones that would be an opening in a network if they are not disconnected.
With the information I found on the attacks I started to work on condensing it into ways to avoid the problems. I looked at that two ways: one for corporations and one for the average IoT consumer. I chose those two categories because companies have more money to put towards the problem. From there I started to break it down further into categories of the different threat levels for different types of IoT devices. Different devices are targets for different attacks and have different amounts of processing power, which can affect the attack directed at them.
I spent my fourth week doing two things. The first was working with the OWASP Internet of Things webpage that identifies vulnerabilities in IoT devices. The website had a list of possible attack points for hackers based on authentication. With that list I defined what each vulnerability is and why it is important. Then from the weaknesses I found possible solutions for each. I had a bit of a hard time doing this, though, because for each solution there is a weakness. For instance, one of the authentication problems is device-to-device communication, which can be fixed with more complex authentication protocols that are continuous and more strongly encrypted. Some IoT devices would be able to implement that but most would not, therefore the best solution does not work. That means I had to look at other solutions with known weaknesses and from those find the best. The problem with having to find solutions for these devices is considering all the different levels of processing power within the devices, which will affect the security that can be run on them. The best solution is not possible, so there needs to be one that makes it so the devices are reasonably secure. I made a list; it had the best solution but also how, due to lack of processing power, it is impossible to implement at the moment. Then I listed the other solutions and their weaknesses.
Then I spent the second part of the week researching the most effective and popular IoT attacks. Mirai, the 2016 DDoS attack, is definitely the most well known of them; it took down the server that runs some very popular websites such as Twitter, Netflix and Reddit. The same army of botnets later targeted the popular security blog Krebs on Security, taking down his website for a bit. There have been other well-known ones, such as when researchers showed how they could hack into pacemakers and defibrillators. Other researchers have also shown how it is possible to breach insulin pumps; these medical devices and others are a big concern due to how important they are. There are many popular attacks that have been reported and some are more concerning than others, but they all point to exactly how poor the security on these devices is. With this information I gathered, the next week I used it to make a list of attacks that are likely to be directed at IoT devices.
I have spent all of last week reading postings people have made about IoT devices and I was left with a hopeless feeling over our future privacy. There is a plethora of problems currently with security. I found there were 3 main concerns that almost all people seem to agree need to be addressed for IoT devices to be secure in the future. The main issues everyone seems to agree on are authentication, developers, and encryption. Authentication has many different issues; one is that some IoT devices have a set password to access the device that users can’t change and that hackers can easily figure out. Once hackers have access to a device, depending on its capabilities, it could invade the privacy of the owners or be used to attack servers. Another way that authentication is lacking is that a Bluetooth-enabled tool such as a smartphone can connect to an IoT device with Bluetooth abilities with ease. For the tools to connect to an IoT device there should be some authentication to confirm they are the intended user, not just a phone that has the necessary app and is on the same network. The next issue is developers and the corporations they work for; neither party thinks of security when the IoT device is in the development process. If the developers do, they often do not have enough time to implement it into the device. Companies need to push security and give developers a chance to add it so these tools are reasonably secure when put into use in someone's home. The mindset of the tech industry needs to change, but I, like many others, don't think that will happen until a massive breach happens and the companies are forced to add security. Then last but not least we have encryption. The encryption these devices have is not up to par; the data the devices collect needs to be encrypted before it passes between devices or is sent elsewhere.
Encryption needs to become a part of these devices due to the amount that they collect and because these devices are in people's homes collecting personal information. There are many other problems with the security on IoT devices; these three are just the ones that stood out the most to me as I was looking through discussion boards and articles.
In week 2 I had to decide which devices to focus on for my research project. I chose Ecobee 3, Amazon Echo, Samsung SmartThings and Google Home. I chose them because they are very popular for people to have in their homes and most of the devices' primary purposes are different, except for Echo and Google Home. I looked for security-related reviews for each of the products; it was a lot more difficult than I thought it would be. People did not seem to care about the security of the devices they have put into their homes. By that I mean they were not concerned about hacks and the vulnerabilities these devices have, just whether they are doing the job that they were created for. Samsung SmartThings is a home security service, which I was hoping would have better security for the device itself, but it does not. It is open to vulnerabilities that many other IoT devices are. Google Home and Echo are constantly being "woken up" and listening to conversations that the device should not be recording. Ecobee is the worst in my opinion because it is the one that people seem to care the least about, because it is a thermostat. For Ecobee to have the knowledge to function as it is meant to, the user must input their schedule of when they are home or not for the week, and even then the sensor will be detecting movement. That is great because it can save you money, but it is the perfect way to plan a robbery or other illegal activities.
After spending the week reading about the devices I made a PowerPoint showing the main concerns for each device specifically. Through all the reviews and blogs I read, it makes sense why people would want these devices in their homes. Samsung SmartThings in theory is a great way to keep your house and family safe, and Ecobee will save you money on heating and cooling. Echo and Google Home make life easier by being an assistant and allowing you to control your house by talking to a device. That in theory is fantastic: making life easier, cheaper and safer, who wouldn't sign up for that? It is not the whole picture, though; each of those devices has specific weaknesses, but all IoT devices currently have vulnerabilities. The devices are not secure enough to be in people's homes, and from what I read in the past week I would strongly discourage anyone I know from buying any kind of home device until the obvious weaknesses in the design are patched.