Prianka Mandal, Amit Seal Ami, Victor Olaiya, Sayyed Hadi Razmjo, and Adwait Nadkarni, William & Mary
As IoT security regulations and standards emerge, the industry has begun adopting the traditional enforcement model for software compliance to the IoT domain, wherein Commercially Licensed Evaluation Facilities (CLEFs) certify vendor products on behalf of regulators (and in turn consumers). Since IoT standards are in their formative stages, we investigate a simple but timely question: does the traditional model work for IoT security, and more importantly, does it work as well as consumers expect it to? This paper investigates the initial artifacts resultant from IoT compliance certification, and user perceptions of compliance, in the context of certified mobile-IoT apps, i.e., critical companion and automation apps that expose an important IoT attack surface, with a focus on three key questions: (1) are certified IoT products vulnerable?, (2) are vulnerable-but-certified products non-compliant?, and finally, (3) how do consumers perceive compliance enforcement? Our systematic analysis of 11 mobile-IoT apps certified by IOXT, along with an analysis of 5 popular compliance standards, and a user study with 173 users, together yield 17 key findings. We find significant vulnerabilities that indicate gaps in certification, but which do not violate the standards due to ambiguity and discretionary language. Further, these vulnerabilities contrast with the overwhelming trust that users place in compliance certification and certified apps. We conclude with a discussion on future directions towards a "belt and suspenders" scenario of effective assurance that most users desire, from the status quo of "just red tape", through objective checks and balances that empower the regulators and consumers to reform compliance enforcement for IoT.