D2.2 Methodology, tools, and results of testing security and privacy risks of connected devices


This deliverable is included in Work Package 2, “Technology assessment and IT threat landscape”. Specifically, it is the result of the work carried out in Tasks 2.2, 2.3 and 2.4, namely “Vulnerability tests and risk assessment of security issues linked to connected devices”, “IT threat landscape: identification of most common online threats for children and young adults”, and “Accounting for the rise of cybercrime-as-a-service models exploiting IoT vulnerabilities”, respectively. The main objective of this document is to describe and explain a methodology for evaluating security and privacy risks in Internet of Things (IoT) devices, together with a catalogue of vulnerabilities in IoT devices frequently used by children and young people and some recommendations for risk mitigation. To support the methodology, the document also presents a set of tools for testing security and privacy vulnerabilities in the IoT context. Beyond the purely technological aspects, the methodology considers the human factors that affect these vulnerabilities and their exploitation in new cybercrime-as-a-service (CaaS) models.

The results show that generic and more affordable devices are more prone to attack due to security and privacy vulnerabilities. These devices are cheaper partly because they use third-party applications to manage the information collected, and these applications are often hosted in countries with dubious or less restrictive data protection policies. This, together with the human factors that have the highest correlation with possible cybersecurity attack vectors (External Locus of Control, Learned Helplessness, Careless Privacy Attitude or Low Perception of Risk), has been reflected in the creation of a socioeconomic framework for the provision of tools and applications offering personalized cybercrime services (CaaS).