D2.3 Open Report on Methodology, tools and results of testing security and privacy risks of connected devices

Published:

This deliverable is included in a work package based on the technology assessment and IT
threat landscape. Specifically, this deliverable is the result of work carried out in other tasks.
These tasks are mainly related to three aspects:

  • Conducting vulnerability tests and risk assessment of security issues linked to
    connected devices;
  • Study of the IT threat landscape, focusing on the identification of most common online
    threats for children and young adults; and
  • Accounting for the rise of CaaS models exploiting IoT vulnerabilities.

Thus, the main objective of this document is to describe and explain a methodology for the
evaluation of security and privacy risks in IoT devices, as well as a catalogue of vulnerabilities
in IoT devices frequently used by children and young people and some recommendations for
risk mitigation. In addition, to support the methodology, this document exposes a set of
interesting tools for testing security and privacy vulnerabilities in the context of the IoT.
Furthermore, next to purely technological aspects, this methodology will consider human
factors affecting such vulnerabilities and their exploitation in new CaaS models.
The results show that generic and more affordable devices are more prone to attack due to
security and privacy vulnerabilities. The fact that these devices are cheaper is also, partly,
because they use third-party applications to manage the information collected. These
applications are often hosted in countries with dubious or less restrictive data protection
policies. This, together with the human factors that have the highest correlation with possible
cybersecurity attack vectors (External locus of control, Learned Helplessness, Careless Privacy
Attitude or Low Perception of Risk), has been reflected in the creation of a socioeconomic
framework for the provision of tools and applications to offer personalized services for taking
advantage of CaaS.