…and a proposed risk assessment matrix.
My dissertation project didn’t go smoothly as it was a tough year, but I did finish it somehow, spelling mistakes and all, and so it might as well be online somewhere.
In this post I link to it directly, and provide a summary. Eventually I will also try and put the sections into individual online posts, for ease of access.
As the number of IoT devices continues to increase exponentially, the leakage of personal information from them has become more of a concern for the consumer, particularly since so many children’s toys are being marketed as ‘smart’ and connected and children are ill-equipped to understand what is safe to disclose.
The available security studies of IoT devices range from rigorous but confusing for consumers, to journalistic hyperbole, making it difficult to truly assess risk. There is a gap which can be filled by testing a good methodological approach and coupling it with a usable privacy risk assessment.
The selected project makes a comparison of security and privacy risks between three commonly available IoT toys for young children, examining the different methods they use to transmit and store information, and connect to other devices.
This will provide a tested methodology for use in other children’s IoT projects and a privacy methodology designed with these in mind.
It will also provide rudimentary testing of three IoT Toy devices used as examples.
The rest of this paper is organised as follows: an overview of several previous IoT toy scandals precedes a brief review of some of the literature on possible attacks on IoT devices, and a review of some examinations of IoT devices from others in the field. The aims of the study are then more clearly set forth, and the methodology laid out in detail. The three device examinations follow, and then a discussion of the findings, including an analysis of the methodology, a discussion of the privacy risk assessment matrix, some suggested future work and research challenges, and finally some suggested mitigations for the consumer and manufacturer.
There were plenty of problems along the way and I was just a student so as with most of life, I wish there had been more investigation time, scope to put in the more detailed logs while keeping the flow, and more people to learn from.
If you don’t wish to read the full PDF future posts may be linked as follows, when time allows:
- Key Issues/Background
- Aims & Objectives, The Methodology
- ToyFi Device Examination
- Freddy Device Examination
- NuNu Device Examination
- Conclusions, Assessing Privacy Risk, Future Work
- Mitigations for the Consumer, Mitigations for Manufacturers