A&S Graduate Studies
Prianka Mandal, Computer Science - Ph.D. Dissertation Proposal
Location
Chancellors Hall (formerly Tyler Hall), Room 132
300 James Blair Dr
Williamsburg, VA 23185
Abstract:
Regulators and standards bodies have recently proposed several security compliance initiatives for Internet of Things (IoT) products. These emerging standards and regulations seek to bring security assurance to IoT products by way of compliance certification. The industry has begun adapting the traditional enforcement model for software compliance to the IoT domain, wherein Commercially Licensed Evaluation Facilities (CLEFs) certify vendor products on behalf of regulators (and, in turn, consumers). As IoT standards are still in their formative stages, it is not yet known whether the traditional compliance model works for IoT security. We aim to investigate this while rethinking compliance enforcement for IoT is still feasible.
To investigate the current state of product security certification in IoT, we systematically perform a vulnerability analysis of 11 certified mobile-IoT apps, along with an analysis of 5 popular compliance standards. Our analysis shows that certified apps contain significant vulnerabilities, which indicates gaps in certification; yet these vulnerabilities do not violate the standards, because of the ambiguous and discretionary language in existing IoT compliance standards. Further, we conduct a user study with 173 IoT users to explore how consumers perceive compliance enforcement. We find that even though users are not aware of compliance certification, they overwhelmingly trust that certified IoT products are secure, which contradicts the findings of our vulnerability analysis.
This compliance failure suggests the presence of latent challenges in the certification ecosystem. Next, we aim to uncover the latent factors and challenges obstructing effective IoT product certification. To this end, we conduct in-depth interviews with 17 IoT practitioners from diverse backgrounds to study their perspectives and experiences regarding compliance standards and certification in the context of IoT products. We find that while practitioners overwhelmingly support certification for IoT products, and do certify IoT products using existing non-IoT-specific security standards, in practice there is significant reluctance to adopt IoT-specific security certification, often for valid reasons that tie closely to the organizational context.
Finally, we outline our research plan aimed at investigating liability in IoT product security compliance. We qualitatively analyze a set of user agreement documents from IoT vendors and conduct an expert study with legal professionals to explore their perceptions of liability.
Bio:
Prianka Mandal is a Ph.D. Candidate in the Department of Computer Science at William & Mary. Her Ph.D. advisor is Prof. Adwait Nadkarni. Her research investigates compliance in IoT security by analyzing artifacts and understanding how stakeholders perceive IoT compliance enforcement. Her Ph.D. research has been published at top-tier security venues, such as USENIX’24, IEEE S&P’24, and IEEE S&P’25. Prianka is also a 2024 COVES Policy Fellow and worked with the Office of Recovery Services (ORS) at the Virginia Department of Behavioral Health and Developmental Services. Previously, she received her Bachelor’s and Master’s in Software Engineering from the Institute of Information Technology, University of Dhaka, Bangladesh.
Sponsored by: Computer Science