DOI: 10.1145/3212480.3212486
Research article

Opinion: Security Lifetime Labels - Overcoming Information Asymmetry in Security of IoT Consumer Products

Published: 18 June 2018

Abstract

The installed base of Internet of Things (IoT) consumer products is steadily increasing, in conjunction with the number of disclosed security vulnerabilities in these devices. In this paper, we share the opinion that strong security measures are necessary but IoT security cannot solely be improved by means of sophisticated technical solutions. From our point of view, economic incentives for the manufacturers have to be established through enabling consumers to reward security. This is currently not the case, as an asymmetric information barrier prevents consumers from assessing the level of security that is provided by IoT products. As a result, consumers are not willing to pay for a comprehensive security design as they cannot distinguish it from insufficient security measures. Learning from regulatory approaches that overcame information asymmetries about other non-functional properties in consumer products, e.g., energy labels to compare the power consumption, we propose security lifetime labels, a mechanism that transforms security into an accessible feature and enables consumers to make informed buying decisions. Focusing on the delivering of security updates as an important aspect of enforcing IoT security, we aim to transform the asymmetric information about the manufacturers' willingness to provide security updates into a label that can be assessed by the consumers.

      Published In

      WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks
      June 2018, 317 pages
      ISBN: 9781450357319
      DOI: 10.1145/3212480

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. IoT
      2. economics
      3. information asymmetry
      4. labels
      5. security
      6. updates

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      WiSec '18

      Acceptance Rates

      Overall Acceptance Rate 98 of 338 submissions, 29%

      Article Metrics

      • Downloads (Last 12 months)9
      • Downloads (Last 6 weeks)0
      Reflects downloads up to 28 Dec 2024

      Cited By

      • (2023) SoK: Anatomy of Effective Cybersecurity Label Development. SSRN Electronic Journal. DOI: 10.2139/ssrn.4591786. Online publication date: 2023.
      • (2023) Towards a More Secure Ecosystem: Implications for Cybersecurity Labels and SBOMs. SSRN Electronic Journal. DOI: 10.2139/ssrn.4527526. Online publication date: 2023.
      • (2021) Improving the Transparency of Privacy Terms Updates. Privacy Technologies and Policy, 70--86. DOI: 10.1007/978-3-030-76663-4_4. Online publication date: 19 May 2021.
      • (2020) A Model for the Remote Deployment, Update, and Safe Recovery for Commercial Sensor-Based IoT Systems. Sensors 20(16), 4393. DOI: 10.3390/s20164393. Online publication date: 6 August 2020.