This study was undertaken to investigate user awareness and perception of security and privacy within the IoT. In addition, with reference to this study, the problem of botnet activity and proliferation within the IoT will be discussed. This discussion emphasizes the difficulty of making users situationally aware of threats facing consumer level IoT devices.
5.2. Situational Awareness of Threats Facing the IoT
The first contribution of this paper is a study of attitudes towards security and privacy in the IoT. To assess whether respondents ranked security and privacy highly in theory, but not in practice, respondents were asked how concerned they would be if a smart device they owned was infected with a virus, but was still functioning as expected. In asking this question, the aim was to assess whether the well-documented phenomenon known as the Privacy Paradox was evident in the context of attitudes towards IoT devices. The privacy paradox has been well documented in papers such as [28,29], and although mainly in the context of online security, demonstrates that user attitudes towards security and privacy often differ from the actions they take or decisions they make. Indeed, this has been highlighted in studies such as [10,13] discussed in Section 2. In our study, Figure 2b shows that given a scenario where a device was infected with malware, but still functioning normally, over three quarters of respondents indicated that they would still be very concerned. When asked to rate the importance of various features related to IoT devices (as shown in Figure 3), security 102 (65%) and privacy 100 (63%) were clearly considered very important features. However, interestingly, when asked to rank the features in order of priority, cost was ranked higher than both security and privacy by the largest percentage of respondents 53 (34%) (see Figure 4). In [30] it is suggested that, while many users show theoretical interest in their privacy and maintain a positive attitude towards privacy-protection behavior, this rarely translates into actual protective behavior. Our results could confirm this, and suggest a possible dichotomy between privacy attitudes and actual behavior, in terms of procurement of IoT devices.
The second contribution of this paper is the evaluation of user ability to detect threats in consumer IoT networks. In doing so, a sandboxed botnet environment was used to infect an IoT IP camera, and leverage it to perform four attacks against a target. Respondents of the online survey were presented with video recordings of the four recorded attack scenarios, and their situational awareness and ability to detect infections were recorded. Situational Awareness (SA) can be defined as “the state of being aware of circumstances that exist around us, especially those that are particularly relevant to us and which we are interested about” [31]. Applied in a cyber context, the author further presents an adapted SA model comprised of four levels, where perception deals with evidence gathering of situations in the network. Comprehension refers to the analysis of evidence to deduce threat level, type and associated risk. Projection deals with predictive measures to address future incidents, and resolution deals with controls to repair, recover and resolve network situations [32]. Our study evaluates the first of these levels (perception), and clearly demonstrates the difficulty users face in detecting threats found in IoT consumer networks. In scenarios 1 and 2 users were presented with video recordings as shown in Figure 5. During the infection process and attacks, participants indicated that the camera did not display any adverse symptoms of infection, and continued to function as expected. This was evident from the results in Table 2 and Table 3, where 61% and 59% of respondents reported not being able to detect any unusual activity in the video. Comments from respondents included:
“There wasn’t any clear evidence”
(Advanced Respondent)
“I could not tell at all if the camera was infected”
(Intermediate Respondent)
In [32] the author suggests that perception in the context of Cyber SA also refers to knowledge of the elements in the network, and awareness of alerts such as those reported by intrusion detection systems, firewall logs, and scan reports. However, while this is true of security analysts, this information is likely not available in consumer networks, and therefore would not be a contributing factor in achieving SA in consumer networks. In these environments the user would only have information displayed by the IoT device; in the case of scenarios 1 and 2 in our study, that would be the live video feed. Since there were no adverse symptoms of infection, and the IP camera continued to function as expected, it is understandable that 32 (38%) indicated it was very difficult, and 25 (29%) difficult, to detect the device was infected from the presented live video feed.
In scenarios 3 and 4 users were presented with recorded outputs from a popular packet capture tool (Wireshark) as shown in Figure 6. The use of the packet capture tool significantly improved detection in scenario 3 with 120 (76%) of respondents now indicating they knew when an attack took place. Results in Table 4 confirm this, with 76 (48%) [11–20 s] and 92 (58%) [21–30 s] correctly identifying the time period when the attack took place. However, in scenario 4 the packet capture tool did not appear to improve detection, as results presented in Table 5 show respondent responses were varied across all time periods. The number of respondents who indicated they knew when the attack took place also dropped to 93 (59%).
In [33] the author presents the need for greater online awareness and protection for NEUs. The author undertook a study to establish the views of NEUs on personal cyber security and suggests that a lack of technical knowledge and ability to explore network communication results in little or no awareness of security issues. To test this statement, we derive a null and alternate hypothesis as follows:
Hypothesis 1. Accuracy of detecting IoT botnets in consumer networks increases as technical knowledge increases.
Hypothesis 2. Accuracy of detecting IoT botnets in consumer networks does not increase as technical knowledge increases.
Previous studies such as [15] have demonstrated relationships between the technical ability of a user, and the ability to perceive and be aware of risks. To our knowledge, this paper presents the first study to assess the ability of users to perceive and detect threats (botnets) facing the IoT. The results in Table 6 show that for scenario 1, where no attack was performed, detection accuracy across the four knowledge levels did not demonstrate any association between knowledge level and ability to detect an infected device. Novice (83%) and Expert (88%) demonstrated similar accuracy, and better than that of both Intermediate (56%) and Advanced (53%). The results are considered significant (p = 0.026) and the null hypothesis is rejected. In Table 7, the results for scenario 2 again show that detection accuracy across the four knowledge levels did not demonstrate any association between knowledge level and ability to detect an infected device. The evidence is considered weak (p = 0.054) but again the null hypothesis is rejected. For both these tests the alternate hypothesis is accepted:
Accuracy of detecting IoT botnets in consumer networks does not increase as technical knowledge increases.
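The paragraph above turns on two different questions: whether accuracy differs between knowledge groups at all, and whether it rises with knowledge. The following added example (not the authors' analysis or code) computes both on scenario 1. The page names no statistical test and gives only percentages, so the chi-square and Cochran-Armitage tests and the per-group counts are assumptions, and the p-values are not expected to match the paper's.

```python
import math

# Constructed counts: group sizes are assumptions chosen to reproduce the
# page's scenario 1 percentages (83%, 56%, 53%, 88%). (correct, respondents)
SCENARIO_1 = {
    "Novice": (19, 23),
    "Intermediate": (28, 50),
    "Advanced": (32, 60),
    "Expert": (22, 25),
}

def chi_square_independence(groups):
    """Omnibus test: does accuracy differ between groups at all? Returns (chi2, p)."""
    if len(groups) != 4:
        raise ValueError("closed-form p-value below is valid only for 4 groups (df = 3)")
    total = sum(n for _, n in groups.values())
    p_bar = sum(x for x, _ in groups.values()) / total  # pooled accuracy
    chi2 = 0.0
    for correct, n in groups.values():
        cells = ((correct, n * p_bar), (n - correct, n * (1 - p_bar)))
        for observed, expected in cells:
            chi2 += (observed - expected) ** 2 / expected
    # Survival function of the chi-square distribution with 3 degrees of freedom.
    p = math.erfc(math.sqrt(chi2 / 2)) + math.sqrt(2 * chi2 / math.pi) * math.exp(-chi2 / 2)
    return chi2, p

def cochran_armitage_trend(groups):
    """Trend test: does accuracy change steadily across ordered groups? Returns (z, p)."""
    rows = list(groups.values())  # dict order is Novice .. Expert, scored 0..3
    total = sum(n for _, n in rows)
    p_bar = sum(x for x, _ in rows) / total
    t = sum(score * (x - n * p_bar) for score, (x, n) in enumerate(rows))
    s1 = sum(score * n for score, (_, n) in enumerate(rows))
    s2 = sum(score ** 2 * n for score, (_, n) in enumerate(rows))
    z = t / math.sqrt(p_bar * (1 - p_bar) * (s2 - s1 ** 2 / total))
    return z, math.erfc(abs(z) / math.sqrt(2))  # two-sided p-value

if __name__ == "__main__":
    chi2, p_any = chi_square_independence(SCENARIO_1)
    z, p_trend = cochran_armitage_trend(SCENARIO_1)
    print(f"any difference between groups: chi2={chi2:.2f}, p={p_any:.4f}")
    print(f"steady trend with knowledge:   z={z:.2f}, p={p_trend:.2f}")
```

On these constructed counts the groups differ significantly while the trend test finds no steady increase, because the two extreme groups score alike and the middle groups score lower.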
The results in Table 8 do however demonstrate an association between knowledge level and ability to detect an infected device. As technical knowledge increases from Novice to Expert, so does the ability to detect an infected device: Novice (48%), Intermediate (59%), Advanced (65%) and Expert (75%). Presenting network communication as shown in Figure 6a to participants appeared to greatly improve SA of a threat, and the ability to correctly detect when an attack took place. Comments from respondents included:
"Program code went red", "Bulk black lines appeared", "Maybe the black bits with red writing may be something bad?"
(Novice Respondents)
"yes wire shark made it easier to see that it was infected by all the random traffic", "there were red warnings on the screen", "Vast number of red highlighted addresses"
(Intermediate Respondents)
"On the first the red warning messages were visible", "I saw a lot of areas highlighted in red, red highlights usually denotes a problem, so by deduction, those were errors", "Red text black blocks"
(Expert Respondents)
It was clear from respondent comments that the way information is presented, and importantly the colors used, helped to aid better detection. This was evident even among Novice participants, who appeared not to fully understand what the information was showing, but were able to use it to become more situationally aware of what was happening with the IoT device. There is no evidence (p = 0.423) to disprove the null hypothesis, therefore it is accepted.
In scenario 4, participants were again shown network communication as shown in Figure 6b; however, the results in Table 9 again do not demonstrate an association between knowledge level and ability to detect an infected device. Although a positive trend is evident, the evidence against the null hypothesis is statistically strong (p = 0.013), therefore the null is rejected. Data presentation differed from the network traffic in scenario 3, and appeared to be a contributing factor in detection rates, particularly within the Novice knowledge group where the detection rate significantly dropped to 9%. We can therefore conclude that the author's assertion in [33] that “a lack of technical knowledge, and the ability to explore network communication, results in little or no awareness of security issues”, is true in part. The results in this study show that a lack of network communication can result in little or no awareness of security issues; however, if presented with data, SA can be improved. Presentation of the data is however also vitally important, otherwise the presence of the additional data can have little impact. This point is recognized by the author and a security visualization framework is proposed to support NEUs to engage with network traffic analysis to better support their perception and comprehension of cyber security concerns. The work is extended in [18] where the visualization tool is further developed and used to assess participant ability across two case studies involving malware identification and home network monitoring. Participant feedback was positive, although the results were limited since only a single radial visual representation was used, leaving room for future research in the area.