The IoT promises substantive socioeconomic benefits, but the low margin on many IoT devices means that, as in other markets driven by the first-mover advantage of a minimum viable product, security is an afterthought. The result is a large population of insecure devices that are easily compromised, creating risks for consumers, enterprises, and the Internet's infrastructure. The technical challenges include building robust security features into low-margin, resource-constrained devices. That said, many of the vulnerabilities found in IoT devices are well known: weak or default passwords, poor security management controls, and long-known vulnerabilities in the network services these devices run. Even though the industry knows how to recognize and avoid these flaws, devices exhibiting them remain abundant. Complementing the technical challenges, understanding the economic incentives, in particular how those incentives are distributed over the lifecycle of IoT devices, is also critical to ensuring that IoT security is both technically sound and economically feasible.
This special issue also brings focus to the structure of the lifecycle itself, encouraging articles that highlight how these challenges are interleaved both into ex ante security requirements at the design and pre-market testing phase and into ex post analysis and reporting of the vulnerabilities and exploits that inevitably emerge in the wild. Once IoT devices are deployed, they fall under the purview of the cybersecurity analysts who defend the surrounding networks. Compared to traditional computing devices, the IoT security lifecycle is particularly challenging: these "black boxes" offer few options for visibility or interoperability and rarely conform to common standards.
DTRAP aims to create a special issue focusing on the sociotechnical challenges of the IoT security lifecycle. Topics include:
- Commodity IoT chipsets
- Economics of security features for IoT manufacturers
- Security in the IoT supply chain
- IoT security standards and regulatory requirements
- IoT security management frameworks
- Validating IoT security standards compliance in the wild
- IoT device teardowns
- IoT threat hunting
- Insecure commodity IoT device OSes
- IoT compromise case studies
- Commodification of IoT botnets
- Monitoring IoT devices for malicious behavior
- Mitigation and response to IoT compromise in the ISP, enterprise, and/or infrastructure
- IoT device identification, authentication, and authorization
- Signaling IoT security features
- Orphaned IoT devices
- IoT compromise mitigation, recovery, and remediation strategies
- Malware targeting common embedded operating systems
- Approaches to protect devices from post deployment exploits
DTRAP invites both academics and practitioners to submit papers for consideration in the journal. Extended conference papers are welcome, provided they have been revised to include at least 25% new content (and the previously published proceedings paper is submitted along with the research paper). Practitioners are welcome to submit a journal-style research paper or a "Field Notes" paper. A "Field Notes" paper is a short case report about emerging threats and developments, emphasizing a particular development or application rather than a rigorous study or proof of security.
To submit to this special issue, please visit ACM Manuscript Central at mc.manuscriptcentral.com/dtrap and select paper type “Special Issue on the Lifecycle of IoT (In)security.” Details of the author guidelines for DTRAP are available at dtrap.acm.org/authors.cfm.
Paper submission due: 15 January 2021