A cybersecurity application framework for consumer IoT devices

Abstract: In recent years, there is an increasing use of smart Internet of Things (IoT) devices in our everyday lives. Cyberattacks on consumer IoT devices are also increasing. IoT certification is an active topic of research with many proposed frameworks for IoT cybersecurity certification and also proposing labels that can be used to represent the security and privacy levels of consumer IoT devices. The research problem that this thesis tried to solve was first, to understand why certification for consumer IoT devices was less used than expected, and second, define robust and complete processes for security and certification on consumer IoT devices, that will be used to broadly raise their security level. From a literature review performed, we became aware that the reason why little progress towards consumer IoT cybersecurity certification is not that research and frameworks do not exist, but there are multiple other responsible factors. Such factors are the lack of a universal cybersecurity framework and the fact that the consumers are not involved in the certification process of the frameworks. The framework that was designed in this thesis project tries to address all of the above factors. Design Science Research (DSR) was used as the methodology for developing and evaluating the artifact of this work, which is a framework that describes how to properly apply and certify cybersecurity on consumer IoT devices, building on top of existing cybersecurity procedures, frameworks and tools. During the design of the framework, further literature searches were performed for identifying important steps that need to be carried out. The framework proposed in this project, does not limit itself to the vendor of such devices as the only involved actor, but consumers and cybersecurity regulating authorities are also involved in the process. The evaluation of the framework showed that, if applied, it could adequately improve the cybersecurity of existing consumer IoT products by detecting and solving all of the common vulnerabilities and security weaknesses, as it was demonstrated on one use case selected. The significance of this work is that it is the first step towards a universal cybersecurity certification for consumer IoT devices.