DTL 2017


DTL 2017 Program

DTL 2017 Program

Where the Insecure Things Are: Easy-to-use identification of insecure and privacy leaking IoT devices

Sascha Fahl (Head of Information Security Chair, Leibniz University of Hanover); Yasemin Acar (Leibniz University of Hanover); Dominik Wermke (Leibniz University of Hanover)

The ever increasing number of smart devices enrich users’ lives in various ways. Smart door locks grant or deny access to people’s houses, medical devices such as insulin pumps have Internet connected remote controls, toys for kids have integrated video cameras, heating can be scheduled to match the season, coffee can be brewed before leaving the bed and light’s hue can be changed according to the mood, all by applying some settings in an app.

But this convenience also comes with some hefty drawbacks: Security and privacy protecting features for Internet of Things ({IoT}) devices and associated control apps are often lenient to say the least. Especially end-users inexperienced in information security and privacy are exposed to a large number of risks by vulnerable devices.

In recent times, this has led to a wide reaching integration of {IoT} devices into botnets, turning the generally weak computation power of the devices into devastating denial-of-service attacks. Vulnerable devices also led to critical leaks of private information such as voice messages in kids’ toys. While existing solutions allow end-users to identify insecure and malicious devices, they mostly rely on specific hardware in the form of routers or only detects devices that are likely already infected. Purchasing specific hardware requires enormous effort from end-users and requires them to be very much aware of the possible risks stemming from {IoT} devices. Given that previous research showed, that information security and privacy are mostly never end-users’ primary concerns, we argue that a promising solution to the given problem needs to be easy-to-use and must be fully integrated into the user’s existing device infrastructure.

Therefore, we believe that end-users would be empowered to protect their own privacy if they did not need specialized hardware or having to research tech-savvy articles on the Internet. We want to help end-users identify vulnerable {IoT} devices in their network, offering users comprehensive risk assessment and easy-to-apply countermeasures.

For this, we propose a mobile app called IoTdroid that (a) scans {IoT} devices in a network for known vulnerabilities such as insecure network connections or authentication, (b) acts as a {WiFi} hotspot to investigate network traffic between {IoT} devices and remote cloud servers for insecurities and privacy leaks and (c) identifies vulnerable {IoT} control apps installed on the user’s mobile device. End-users will be enabled to quickly investigate the security and privacy status of their {IoT} devices. We will distribute \app{} as a free Android application in Google Play.


You can now check the videos of the sessions of DTL Conference 2017 that took place from 11-12th December in Barcelona.

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookie Policy.

OK More information