SPICE Presents on IoT Threat Modeling at AI and Connected Campus

November 14, 2019

How can educational institutions use teddy bears, toy unicorns, and light-up turtles to instruct students on the risks brought by the proliferation of Internet of Things (IoT) devices? The Security and Privacy in Informatics, Computing, and Engineering (SPICE) Center's own Project Manager, Joshua Streiff, demonstrated how to transform these seemingly innocuous objects into educational material at the AI and Connected Campus Conference in Orlando, Florida. The 2019 conference ran from November 3rd to November 5th and welcomed distinguished IT education experts from all over the country. Most of the speakers represented educational institutions, but the program also featured representatives from industry and government in an effort to encourage diverse professional cooperation.

Streiff's presentation, "Bears, Unicorns, & Crockpots, Oh My! An Introduction to Internet of Things (IoT) Threat Modeling Education," presented a hands-on approach to teaching the dangers that seemingly innocent household devices can pose if compromised. One example on hand was the infamous CloudPet unicorn toy, which was marketed to military families as an endearing device meant to let children communicate with their parents from a distance through an embedded recording device. Due to design failures, the toy enables unauthenticated Bluetooth pairing from a distance of up to 50 ft away. As Streiff demonstrated in his presentation, an attacker can easily pair with the device from outside the child's home and manipulate the toy's settings in order to surveil or even communicate with the child. Despite the good intentions of its designers, the toy's vulnerabilities facilitate extreme invasion of privacy and child endangerment. Additional items examined ranged from toys to lights to home appliances.

According to Streiff,

“We are at a time when the devices we buy and put in our homes present risks that families aren’t able to evaluate because they have not been given the fundamental skills to do so. With a small amount of helpful instructions they are able to quickly evaluate risk, consider how items need to be mitigated, and enjoy their technologies without fear of danger.”

During the interactive session, participants worked with individual items that were set up as a simulated smart home. They were given commercial home products to evaluate. Using a simplified threat modeling system, they were able to discover vulnerabilities in safes, hijack lighting systems, and remotely control children's toys.

Looking toward future innovations in securing these devices, the presentation also introduced novel IoT tools that could be used to combat these attacks and protect their users. The Securtle, a small, light-up turtle, acts as an alarm that conveys real-time ambient risk to the user, letting them know if someone is trying to connect to or attack their home. Color changes in the shell indicate risk level so that users can opt to change networks, limit their activity, or disconnect completely.

In addition to his IoT presentation, Streiff participated in a panel addressing the introduction and integration of AI & digital assistance into university life. As higher education institutions adapt to the coming wave of IoT and AI innovation, issues of privacy and privacy. Representatives from Arizona State University and Northeastern University were also on the panel to report on their integration of Alexas into dorm rooms, as well as their use around campuses as informational bots, drawing a lively discussion with Streiff over a variety of concerns ranging from data leakage to unauthorized access. As a greater number of schools follow their lead, the ideas and concerns presented at conferences like AI and Connected Campus become critical in shaping the future of student life and campus interactions with students.