IEEE Technology and Society Magazine - June 2018 - 73

1) Smart TV with Google Chromecast, which plays games
and streams videos;
2) Triby portable speaker;
3) Amazon Echo voice-activated assistant;
4) HP Envy smart printer; and
5) Pixstar photo frame, which automatically syncs photos
with their Facebook accounts.

Testing
We selected a number of devices based on the above
scenarios as well as on product availability and popularity in Australia, and carried out detailed tests on each
(as well as its supplied mobile app and data server).
These tests ranged from the simple (capturing wireless
transmissions from the device to evaluating the contents of the communication) to the complex (making
the device communicate to a fake server, and overwhelming the device with fake query messages). We
automated the process in a laboratory to make it easier
to reproduce and compare results.
The IoT devices were connected to a home gateway
router either through Wi-Fi or via direct connection with
an Ethernet cable. The applications for the IoT devices
were downloaded onto an Android tablet, which was
connected to the same router. Checks were performed
from a laptop running a digital testing platform called
Kali Linux, which was on the same network as the
IoT devices.
Using this setup, we ran basic computerized scripts
and penetration testing tools to assess the safety and
security performance of each IoT device.
The devices tested were:
■ Cameras (TP-Link, Belkin, Dlink, Samsung, Canary,
Netatmo and Nest Drop).
■ Motion sensor (Belkin).
■ Smoke alarm (Nest).
■ Medical device (Withings sleep monitor, Withings
weighing scale).
■ Air quality monitor (Awair, Netatmo weather station).
■ Light bulbs (Phillips Hue and LIFX).
■ Power switches (Belkin and TP-Link).
■ Talking doll (Hello Barbie).
■ Photo frame (Pixstar).
■ Printer (HP Envy).
■ Controller (Samsung SmartThings).
■ Voice assistant (Amazon Echo).
■ Smart TV with Google Chromecast.
■ Speaker (Triby portable speaker).
The Results section lists full tables of results showing
how each device performed in each category. The
results of our tests were consistent and alarming. Every
device we tested showed some form of vulnerability in
integrity, access control, or reflection capabilities. Many
were susceptible to attack in a number of ways. The
JUNE 2018

∕

Phillips Hue light bulb and Belkin switch had notably
poor security. But there was some good news. Devices
such as the Amazon Echo, Hello Barbie, Nest Drop
Cam, and Withings sleep monitor were relatively secure
in terms of confidentiality. The Echo, in particular, was a
top-rated device in security with encrypted communication channels and almost all of its ports closed to outside attack. A vivid illustration of these vulnerabilities
can be gained by applying them to our four scenarios.
In the first scenario, a former target of Tuan's investigation would be able to sit in a car outside her house
and deduce her Wi-Fi network password using freely
available software. He would then place a cheap batterypowered device beneath her letterbox. This device connects with her home wireless network, capturing all of
the information being transmitted by her IoT devices.
This information is then sent back to his laptop, which
he monitors from his home. Essentially, his device is
performing a "man-in-the-middle" attack on Tuan's
motion sensor and camera - both of which send out
information that is not encrypted. This makes it quite
simple to see video and read motion-sensor information
from Tuan's devices on his laptop at home. He would
therefore know when Tuan's devices have been inactive
for a few hours. Surmising that Tuan is away, perhaps in
Melbourne or Sydney, he drives back to his parking spot
in the street outside Tuan's home. He uses a denial-ofservice attack on Tuan's motion sensor, cameras, and
smoke alarm by bombarding them with a large number
of requests. Unable to cope, these devices simply shut
down. This ensures that she will never get the smoke
alert from her IoT alarm - even though her home has
been physically set alight.
In the second scenario, a criminal buys a list of email
addresses of people who have recently registered IoT
products. One of these belongs to Joe and Lorna Jones.
The criminal sends them an email that contains a link
to an app that promises technology customers help with
their finances. The app, however, has embedded malware that scouts for IoT devices. Lorna is not sure what
the email is about but thinks it sounds interesting. Without thinking, she manages to download the app. The
malware immediately disables the Joneses' firewall and
enables port forwarding, making them vulnerable to
security breaches. Now the criminal is in control. His
malware finds unencrypted messages from their weighing scales, enabling him to deduce their names, ages,
gender, height and weight. From this, he can start hatching a plan for someone else in his criminal syndicate to
steal the Joneses' identity and take their social security
benefits. He can also use Joe and Lorna's IoT devices to
reflect and amplify attacks on other Internet-connected
devices. Whenever he likes, he can use the open ports
on the Joneses' Withings sleep monitor, Awair air

IEEE Technology and Society Magazine

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - June 2018