This study was undertaken to investigate user awareness and perception of security and privacy within the IoT. In addition, with reference to this study, the problem of botnet activity and proliferation within the IoT will be discussed. This discussion emphasizes the difficulty of making users situationally aware of threats facing consumer level IoT devices.
5.1. Botnets in the Internet of Things
Some of the most extensive and destructive cyber-attacks deployed on the Internet have been DDoS attacks. Several of these attacks, some of the largest ever recorded, occurred in the second half of 2016, fueled in full or in part by the IoT. During this time, attacks of over 100 Gbps were up by 140%, with three attacks reaching over 300 Gbps. The severity of the attacks continued in 2017, as evidenced in Verisign’s annual DDoS Trends report, which found that 82% of the DDoS attacks recorded in the fourth quarter of 2017 employed a multi-vector attack strategy [20]. The evidence suggests that IoT botnets are becoming increasingly sophisticated in their effectiveness, in their ability to exploit basic security vulnerabilities, and in obfuscating their activity. In [21] the authors present MalwareMustDie as an example of a botnet that uses iptables rules to protect its infected devices, while Hajime uses fully distributed communications and makes use of the BitTorrent protocol for peer discovery. BrickerBot was also presented, which leverages SSH default credentials to perform a permanent denial-of-service (PDoS) attack. However, one of the most prominent examples of a DDoS attack emanating from the IoT in recent times is presented in [22]. Mirai is a piece of malware that attempts to find and infect IoT devices to establish and propagate a network of robots (botnet) consisting of the infected IoT devices (bots). An attacker (botmaster) then uses a command and control (C&C) server to remotely control the bots, forcing them to participate in DDoS attacks against targets on the Internet. On 20 September 2016, the Mirai botnet was used to perform an unprecedented 620 Gbps DDoS attack on security journalist Brian Krebs’ website krebsonsecurity.com [25]. Shortly after, it was also responsible for a series of additional DDoS attacks, peaking at over 1.2 Tbps, against the French hosting company OVH and the DNS provider Dyn, who estimated that up to 100,000 infected IoT devices (bots) were involved in the attack. The severity of the Dyn attack was sufficient to cause major disruption on the Internet and to render several high-profile websites such as GitHub, Twitter, Reddit and Netflix inaccessible.
Since the Mirai malware predominantly targeted consumer IoT devices, it was chosen for use in our experimental setup. In the process of building the experimental setup shown in Figure 1, it became clear how easily botnet malware can spread and how readily new variants and mutations of existing botnets appear on the Internet. Indeed, this is evident in [26], where Satori and JenX are presented as new variants of the original Mirai botnet. Sharing the original code base with Mirai, these new variants are enhanced to allow direct control of compromised devices, making other malicious actions possible, including running trojans, redirecting traffic for man-in-the-middle attacks, and delivering other malware to devices on the network by proxy. The last point is particularly concerning, since devices which were not originally vulnerable could now be infected. In our study, 56% of respondents indicated they owned an IoT device, with 20% owning more than one device. The study found the Amazon Echo to be the most popular IoT device (30%); however, many IoT devices leveraged by the above botnets, such as smart lightbulbs (16%) and IP cameras (8%), were also popular. Despite IP cameras accounting for only 8% of devices, if they could be leveraged and used as a proxy to infect other devices in home networks, the potential impact from IoT botnets could be significantly greater than already experienced. Clearly, early detection and mitigation of such attacks is vital. This has led to much research in the area of botnet detection, which is discussed in the next section.
5.2. Situational Awareness of Threats Facing the IoT
The first contribution of this paper is a study of attitudes towards security and privacy in the IoT. To assess whether respondents ranked security and privacy highly in theory but not in practice, respondents were asked how concerned they would be if a smart device they owned was infected with a virus but was still functioning as expected. In asking this question, the aim was to assess whether the well-documented phenomenon known as the Privacy Paradox was evident in the context of attitudes towards IoT devices. The privacy paradox has been documented in papers such as [28], and although mainly in the context of online security, it demonstrates that user attitudes towards security and privacy often differ from the actions they take or the decisions they make. Indeed, this has been highlighted in studies such as [10], discussed in Section 2. In our study, Figure 2b shows that, given a scenario where a device was infected with malware but still functioning normally, over three quarters of respondents indicated that they would still be very concerned. When asked to rate the importance of various features related to IoT devices (as shown in Figure 3), security (102 respondents, 65%) and privacy (100, 63%) were clearly considered very important features. However, interestingly, when asked to rank the features in order of priority, cost was ranked higher than both security and privacy by the largest proportion of respondents (53, 34%) (see Figure 4). In [30] it is suggested that, while many users show theoretical interest in their privacy and maintain a positive attitude towards privacy-protecting behavior, this rarely translates into actual protective behavior. Our results are consistent with this and suggest a possible dichotomy between privacy attitudes and actual behavior in terms of the procurement of IoT devices.
The second contribution of this paper is the evaluation of users’ ability to detect threats in consumer IoT networks. To do so, a sandboxed botnet environment was used to infect an IoT IP camera and leverage it to perform four attacks against a target. Respondents to the online survey were presented with video recordings of the four recorded attack scenarios, and their situational awareness and ability to detect infections were recorded. Situational Awareness (SA) can be defined as “the state of being aware of circumstances that exist around us, especially those that are particularly relevant to us and which we are interested about” [31]. Applied in a cyber context, the author further presents an adapted SA model comprised of four levels: perception deals with evidence gathering of situations in the network; comprehension refers to the analysis of evidence to deduce threat level, type and associated risk; projection deals with predictive measures to address future incidents; and resolution deals with controls to repair, recover and resolve network situations [32]. Our study evaluates the first of these levels (perception) and clearly demonstrates the difficulty users face in detecting threats found in IoT consumer networks. In scenarios 1 and 2 users were presented with video recordings as shown in Figure 5. During the infection process and attacks, participants indicated that the camera did not display any adverse symptoms of infection and continued to function as expected. This was evident from the results in Table 2 and Table 3, where 61% and 59% of respondents respectively reported not being able to detect any unusual activity in the video. Comments from respondents included:
“There wasn’t any clear evidence”
“I could not tell at all if the camera was infected”
The same author further suggests that perception, in the context of cyber SA, also refers to knowledge of the elements in the network and awareness of alerts such as those reported by intrusion detection systems, firewall logs, and scan reports. However, while this is true of security analysts, this information is typically not available in consumer networks and therefore would not contribute to achieving SA there. In these environments the user only has the information displayed by the IoT device; in the case of scenarios 1 and 2 in our study, that is the live video feed. Since there were no adverse symptoms of infection and the IP camera continued to function as expected, it is understandable that 32 (38%) of respondents indicated it was very difficult, and 25 (29%) difficult, to detect that the device was infected from the presented live video feed.
In scenarios 3 and 4 users were presented with recorded outputs from a popular packet capture tool (Wireshark), as shown in Figure 6. The use of the packet capture tool significantly improved detection in scenario 3, with 120 (76%) of respondents now indicating they knew when an attack took place. Results in Table 4 confirm this, with 76 (48%) [11–20 s] and 92 (58%) [21–30 s] correctly identifying the time period in which the attack took place. However, in scenario 4 the packet capture tool did not appear to improve detection, as the results presented in Table 5 show that responses were spread across all time periods. The number of respondents who indicated they knew when the attack took place also dropped to 93 (59%).
In [33] the author presents the need for greater online awareness and protection for non-expert users (NEUs). The author undertook a study to establish the views of NEUs on personal cyber security and suggests that a lack of technical knowledge and of the ability to explore network communication results in little or no awareness of security issues. To test this statement, we derive a null and alternate hypothesis as follows:
Null hypothesis: Accuracy of detecting IoT botnets in consumer networks increases as technical knowledge increases.
Alternate hypothesis: Accuracy of detecting IoT botnets in consumer networks does not increase as technical knowledge increases.
Previous studies such as [15] have demonstrated relationships between the technical ability of a user and the ability to perceive and be aware of risks. To our knowledge, this paper presents the first study to assess the ability of users to perceive and detect threats (botnets) facing the IoT. The results in Table 6 show that for scenario 1, where no attack was performed, detection accuracy across the four knowledge levels did not demonstrate any association between knowledge level and ability to detect an infected device. Novice (83%) and Expert (88%) respondents demonstrated similar accuracy, better than that of both Intermediate (56%) and Advanced (53%) respondents. The result is considered significant (p = 0.026) and the null hypothesis is rejected. In Table 7, the results for scenario 2 again show that detection accuracy across the four knowledge levels did not demonstrate any association between knowledge level and ability to detect an infected device. The evidence is considered weak (p = 0.054), but again the null hypothesis is rejected. For both these tests the alternate hypothesis, that accuracy of detecting IoT botnets in consumer networks does not increase as technical knowledge increases, is accepted.
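The knowledge-level-by-detection comparisons above test whether detection accuracy is associated with technical knowledge. As an added illustration (not the paper’s own analysis; the paper does not state which test statistic produced its p-values), the following Python applies Pearson’s chi-square test of independence to constructed counts of the same 4 x 2 shape, one table with no association and one with a clear trend; all counts are made up and do not reproduce Tables 6 to 9.

```python
import math

# Constructed 4 x 2 contingency tables (knowledge level x detection outcome).
# Counts are illustrative: the paper reports only percentages per group,
# so these do NOT reproduce its Tables 6-9.
LEVELS = ("Novice", "Intermediate", "Advanced", "Expert")
FLAT_TABLE = {"Novice": (10, 10), "Intermediate": (12, 8),
              "Advanced": (13, 7), "Expert": (15, 5)}      # ~no association
TREND_TABLE = {"Novice": (4, 16), "Intermediate": (10, 10),
               "Advanced": (14, 6), "Expert": (18, 2)}     # clear association


def chi2_sf_df3(x):
    """Upper-tail probability P(X > x) for a chi-square variable with 3 df.

    Closed form for df=3, the only df this script needs: four knowledge
    levels x two outcomes gives (4-1)*(2-1) = 3 degrees of freedom.
    """
    return math.erfc(math.sqrt(x / 2.0)) + math.sqrt(2.0 * x / math.pi) * math.exp(-x / 2.0)


def chi_square_independence(table):
    """Pearson chi-square test of independence for a 4 x 2 table.

    table maps each knowledge level to (detected, not_detected) counts.
    Returns (chi2, df, p, approx_ok); approx_ok is False when any expected
    cell count is below 5, the usual rule of thumb for trusting the test.
    """
    rows = [table[level] for level in LEVELS]
    n = sum(sum(r) for r in rows)
    col_totals = [sum(r[j] for r in rows) for j in range(2)]
    chi2, approx_ok = 0.0, True
    for r in rows:
        row_total = sum(r)
        for j in range(2):
            expected = row_total * col_totals[j] / n
            approx_ok = approx_ok and expected >= 5
            chi2 += (r[j] - expected) ** 2 / expected
    df = (len(rows) - 1) * (2 - 1)
    return chi2, df, chi2_sf_df3(chi2), approx_ok


def association_significant(table, alpha=0.05):
    """True when the data reject independence of knowledge level and detection at alpha."""
    _, _, p, _ = chi_square_independence(table)
    return p < alpha


if __name__ == "__main__":
    for name, table in (("flat", FLAT_TABLE), ("trend", TREND_TABLE)):
        chi2, df, p, ok = chi_square_independence(table)
        print(f"{name}: chi2={chi2:.3f} df={df} p={p:.4f} expected>=5: {ok}")
```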
The results in Table 8 do, however, demonstrate an association between knowledge level and ability to detect an infected device. As technical knowledge increases from Novice to Expert, so does the ability to detect an infected device: Novice (48%), Intermediate (59%), Advanced (65%) and Expert (75%). Presenting network communication as shown in Figure 6a to participants appeared to greatly improve SA of a threat and the ability to correctly detect when an attack took place. Comments from respondents included:
"Program code went red", "Bulk black lines appeared", "Maybe the black bits with red writing may be something bad?"
"yes wire shark made it easier to see that it was infected by all the random traffic", "there were red warnings on the screen", "Vast number of red highlighted addresses"
"On the first the red warning messages were visible", "I saw a lot of areas highlighted in red, red highlights usually denotes a problem, so by deduction, those were errors", "Red text black blocks"
It was clear from respondent comments that the way information is presented, and importantly the colors used, aided detection. This was evident even among Novice participants, who appeared not to fully understand what the information was showing but were able to use it to become more situationally aware of what was happening with the IoT device. There is no evidence (p = 0.423) to disprove the null hypothesis, therefore it is accepted.
In scenario 4, participants were again shown network communication as in Figure 6b; however, the results in Table 9 again do not demonstrate an association between knowledge level and ability to detect an infected device. Although a positive trend is evident, the evidence against the null hypothesis is statistically strong (p = 0.013), therefore the null is rejected. Data presentation differed from the network traffic in scenario 3 and appeared to be a contributing factor in detection rates, particularly within the Novice knowledge group, where the detection rate dropped significantly to 9%. We can therefore conclude that the author’s assertion in [33] that “a lack of technical knowledge, and the ability to explore network communication, results in little or no awareness of security issues” is true in part. The results in this study show that a lack of network communication data can result in little or no awareness of security issues; however, if presented with data, SA can be improved. The presentation of the data is, however, also vitally important; otherwise the presence of the additional data can have little impact. This point is recognized by the author, and a security visualization framework is proposed to support NEUs in engaging with network traffic analysis to better support their perception and comprehension of cyber security concerns. The work is extended in [18], where the visualization tool is further developed and used to assess participant ability across two case studies involving malware identification and home network monitoring. Participant feedback was positive, although the results were limited since only a single radial visual representation was used, leaving room for future research in the area.