Abstract
With the rapid evolution of Internet of Things (IoT) technology and growing user needs, re-use of IoT devices is becoming increasingly common. For instance, more than 300,000 used IoT devices are listed for sale on Craigslist. When a device changes hands, sensitive data residing on it, such as credentials and biometrics, is at risk of leakage if the user fails to properly dispose of that data. This raises a critical security concern: do (or can) users properly dispose of the sensitive data in used IoT devices? To the best of our knowledge, this problem is still unexplored and calls for a systematic study.

In this paper, we perform the first in-depth investigation of user-data disposal on used IoT devices. Our investigation integrates multiple research methods to explore the status quo and the root causes of user-data leakage from used IoT devices. First, we conduct a user study to investigate users' awareness and understanding of data disposal. Then, we conduct a large-scale analysis of 4,749 IoT firmware images to investigate user-data collection. Finally, we conduct a comprehensive empirical evaluation on 33 IoT devices to investigate the effectiveness of existing data disposal methods.

Through this systematic investigation, we discover that IoT devices collect more sensitive data than users expect. Specifically, we detect 121,984 sensitive data collections in the tested firmware. Moreover, users usually do not, or even cannot, properly dispose of the sensitive data. Worse, due to the inherent characteristics of storage chips, 13.2% of the investigated firmware performs "shallow" deletion, which may allow adversaries to recover sensitive data after data disposal. Given the scale of IoT re-use, such leakage would have a broad impact. We have reported our findings to world-leading companies. We hope our findings raise awareness of the failures of user-data disposal on IoT devices and promote the protection of users' sensitive data on IoT devices.
Original language | English (US) |
---|---|
Title of host publication | Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 3365-3381 |
Number of pages | 17 |
ISBN (Electronic) | 9781665493369 |
DOIs | |
State | Published - 2023 |
Event | 44th IEEE Symposium on Security and Privacy, SP 2023 - Hybrid, San Francisco, United States Duration: May 22 2023 → May 25 2023 |
Publication series
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
Volume | 2023-May |
ISSN (Print) | 1081-6011 |
Conference
Conference | 44th IEEE Symposium on Security and Privacy, SP 2023 |
---|---|
Country/Territory | United States |
City | Hybrid, San Francisco |
Period | 5/22/23 → 5/25/23 |
Bibliographical note
Publisher Copyright: © 2023 IEEE.