SoK: Security Evaluation of Home-Based IoT Deployments

Omar Alrawi*, Chaz Lever*, Manos Antonakakis*, Fabian Monrose*
Georgia Institute of Technology, {alrawi, chazlever, manos}@gatech.edu
University of North Carolina at Chapel Hill, fabian@cs.unc.edu

Abstract—Home-based IoT devices have a bleak reputation regarding their security practices. On the surface, the insecurities of IoT devices seem to be caused by integration problems that may be addressed by simple measures, but this work finds that to be a naive assumption. The truth is, IoT deployments, at their core, utilize traditional compute systems, such as embedded, mobile, and network. These components have many unexplored challenges such as the effect of over-privileged mobile applications on embedded devices.

Our work proposes a methodology that researchers and practitioners could employ to analyze security properties for home-based IoT devices. We systematize the literature for home-based IoT using this methodology in order to understand attack techniques, mitigations, and stakeholders. Further, we evaluate 45 devices to augment the systematized literature in order to identify neglected research areas. To make this analysis transparent and easier to adapt by the community, we provide a public portal to share our evaluation data and invite the community to contribute their independent findings.

I. INTRODUCTION

Security problems involving Internet of Things (IoT) continue to cause severe operational issues with high-profile attacks [1], mass exploitation of devices [2], and eye-catching headlines about “exotic” device hacking [3]. The demand for IoT devices, especially in the multi-billion-dollar residential market [4], has created a modern-day gold rush. New and established companies are rushing to grab a piece of the IoT market. As time-to-market and production costs take priority over prudent security practices, the all-too-familiar sight of compromised IoT devices is numbing.

Researchers and vendors are playing catch-up to address IoT insecurities, but much of the effort is indistinct and ad-hoc. Several working groups and market leaders have proposed standardizations for IoT devices [5]–[12], but unfortunately, they have not agreed on a solution. Additionally, the heterogeneity of home-based IoT devices contributes to these insecurities because although core functionalities are alike, specific features based on the device type can be vastly different. For example, an IoT vacuum cleaner and a home assistant device may use an embedded Linux operating system, but the running services on the device will be different. These differences make it difficult to analyze diverse home-based IoT products.

State-sponsored adversaries are well aware of these predicaments, and they have taken advantage to run sophisticated cyber operations [1]. To make matters worse, some vendors leave service backdoors in their devices that are later discovered and exploited by botnets [13]. Even unsophisticated criminal groups are taking advantage of the rampant insecurities to run distributed denial-of-service (DDoS) attacks [2]. Unfortunately, cleanup efforts and vulnerability patching are far from perfect, and as additional devices come online, the threats that target them become versatile, which enables them to spread even further [14].

To systematically address these security issues, researchers need to understand the landscape by conducting measurements and in-depth studies to classify and address the vulnerabilities. There are ample research efforts for home-based IoT security, but they are scattered. Our community needs an understanding of the current literature, a derivation of insights, and an identification of security gaps. The insights would allow the research community to formalize what insecurities are perpetuated, what are the proposed mitigations, and what responsibilities stakeholders bear.
Further, these in-depth studies and classifications of literature can guide the community to help prioritize their efforts.

In this work, we propose a modeling methodology to study home-based IoT devices and evaluate their security posture based on component analysis, namely: the IoT device, the companion mobile application, the cloud endpoints, and the associated communication channels. Leveraging our approach, we systematize the research literature for home-based IoT devices to understand attack techniques, proposed mitigations, and stakeholder responsibilities. We use the knowledge to derive insights and identify research opportunities for our community. Additionally, we evaluate 45 home-based IoT devices that are available on the market today and provide an overview of their security properties across the IoT components.

Based on the systematization and evaluation, we compare the insights found between both approaches showing the commonalities and differences. We provide a list of mitigations for each component and propose strategies for different stakeholders to address the issues found. Most importantly, we establish a portal¹ where we invite our fellow researchers, vendors, and power-users to contribute new device evaluations and to reproduce our results using the published dataset and proposed methodology.

¹ The evaluation portal is available online at: https://yourthings.info.