rIoT | Quantifying Consumer Harms
The goal of rIoT is to influence policy change around cybersecurity regulation and security practices employed by consumer Internet of Things (“IoT”) device manufacturers.
Our project tries to identify and quantify the injury to consumers who purchase insecure IoT devices. Specifically, we measure the additional electricity and bandwidth consumption and network latency when an IoT device is hacked and used to launch a DDoS attack. By identifying and measuring the additional resource consumption, our research demonstrates that consumers are injured in a way that the law can address.
What gave you the idea for this project?
Our project advisor, Chris Hoofnagle, pointed us toward a recent FTC enforcement action against D-Link for unreasonable security practices. The court dismissed the FTC’s claim because the agency failed to allege “any actual consumer injury in the form of a monetary loss or an actual incident where sensitive personal data was accessed or exposed.” Based on work we did in Doug Tygar’s Privacy, Security, and Cryptography class, we suspected that devices infected with malware actually did impose costs on consumers, even when it was impossible to show that sensitive data was exposed. Our project tries to show that consumer injuries resulting from unreasonable security practices are predictable and direct.
We specifically chose this project because of our interest in consumer protection and educating consumers about cybersecurity, as well as our goal of encouraging manufacturers and industries to develop better security for IoT devices.
What did you do?
We tested electricity consumption, bandwidth consumption, and network latency across two IoT devices in two states: infected with a well-known malware (Mirai), and uninfected. We tried to determine whether participating in a DDoS attack causes these devices to consume noticeably more resources than in normal operation. In order to simulate real-world conditions, we selected devices suspected to have been involved in actual Mirai botnet attacks.
How does this project integrate what you've learned during your two years at the I School?
This project brings together several topics and courses we have studied in our time at the I School:
- Privacy Law for Technologists
- Privacy and Security Lab
- Privacy, Security, and Cryptography
- Applied Behavioral Economics
- Technology and Delegation
- Information Policy
- IT Economics & Strategy
- Information Visualization
- Quantitative Research Methods
Who might benefit from a system like this?
The goal of this project is to raise awareness about the costs to consumers because of IoT device insecurity in an attempt to influence cybersecurity policy and practices. This will hopefully benefit consumers, who may be more motivated to protect themselves and their devices, and society, which benefits from the overall reduction in insecurity.