<!DOCTYPE html>
<html lang="en">
<!--
project
$$$$$$\ $$$$$$$$\
\_$$ _| \__$$ __|
$$$$$$\ $$ | $$$$$$\ $$ |
$$ __$$\ $$ | $$ __$$\ $$ |
$$ | \__|$$ | $$ / $$ |$$ |
$$ | $$ | $$ | $$ |$$ |
$$ | $$$$$$\\$$$$$$ |$$ |
\__| \______|\______/ \__|
quantifying consumer costs of
insecure internet of things devices
-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>rIoT</title>
<link href="static/img/favicon.ico" type="image/x-icon" rel="icon">
<!-- Bootstrap core CSS -->
<link href="static/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom fonts for this template -->
<link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Catamaran:100,200,300,400,500,600,700,800,900" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Muli" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="static/css/style.css" rel="stylesheet">
<!-- Theme Copyright 2013-2018 Blackrock Digital LLC. Code released under the [MIT](https://github.com/BlackrockDigital/startbootstrap-new-age/blob/gh-pages/LICENSE) license. -->
</head>
<body id="page-top">
<!-- Navigation -->
<nav class="navbar navbar-expand-lg navbar-light fixed-top" id="mainNav">
<div class="container">
<a class="navbar-brand js-scroll-trigger" href="#page-top">Project rIoT</a>
<button class="navbar-toggler navbar-toggler-right" type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
Menu
<i class="fa fa-bars"></i>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ml-auto">
<li class="nav-item">
<a class="nav-link js-scroll-trigger" href="#summary">Summary</a>
</li>
<li class="nav-item">
<a class="nav-link js-scroll-trigger" href="#calculator">Cost Calculator</a>
</li>
<li class="nav-item">
<a class="nav-link js-scroll-trigger" href="#download">Download Report</a>
</li>
</ul>
</div>
</div>
</nav>
<header class="masthead">
<div class="container h-100">
<div class="row h-100">
<div class="col-lg-7 my-auto">
<div class="header-content mx-auto">
<div class="mb-8 center">
<img src="static/img/logo.png" class="title-logo center">
</div>
<h2 class="mb-5 center">Quantifying Consumer Costs of<br> Insecure Internet of Things Devices</h2>
<h5 class="mb-8 center">Kim Fong, Kurt Hepler, Rohit Raghavan, Peter Rowland</h5>
<div class="sponsor-logos center">
<a href="https://www.ischool.berkeley.edu/" target="_blank">
<img src="static/img/logo-ischool-white.svg" class="img-logo" alt="UC Berkeley School of Information">
</a>
<a href="https://cltc.berkeley.edu/" target="_blank">
<img src="static/img/logo-cltc.png" class="img-logo" alt="Center for Long-Term Cybersecurity">
</a>
</div>
</div>
</div>
<div class="col-lg-5 my-auto">
<div>
<h5 class="mb-5">
Internet of Things devices are everywhere. Unfortunately, many Internet-connected devices are built with inadequate security measures, making them easy targets for cybercriminals. Hackers enlist these insecure devices in “botnet” armies to launch massive cyberattacks on governments, infrastructure, and businesses, causing millions of dollars in lost revenue, damaged brand reputation, and degraded service.
<br><br>
But what happens to the owners of the devices? What costs do they bear as a result of their devices being hacked? Do their electricity and bandwidth bills increase when their devices are used in attacks? And what can consumers and regulators do to ensure that manufacturers improve device security to prevent these attacks in the future?
</h5>
</div>
</div>
</div>
</div>
</header>
<section class="features bg-primary text-center" id="summary">
<div class="container">
<div class="row">
<div class="col-md-8 mx-auto">
<h2 class="section-heading">Quantifying IoT Insecurity Costs</h2>
</div>
</div>
<div class="row" style="text-align:left;">
<p>
As consumers incorporate “Internet of Things” (IoT) devices in their homes, we must grapple with the consequences of the proliferation of inexpensive, difficult-to-secure products. Malicious actors may use vulnerable IoT devices to snoop on consumers, to cause devices to malfunction, or to degrade or deny access to services. Violations of consumer confidentiality and integrity are problematic, but the problems do not end with invasions of privacy. Cybercriminals also exploit vulnerabilities in IoT products to build “botnets” of thousands of devices that can attack and shut down governments, infrastructure providers, and businesses. For such availability attacks, the full spectrum of consequences is difficult to understand because the victims who are easiest to observe are not the owners of the devices. While quantifying the direct costs of such attacks to the most visible victims is relatively straightforward (e.g., Company A’s website was offline for 7 hours, leading to X% decrease in sales, and recovering from the attack cost Y dollars), it is not as easy to uncover the costs borne by the consumers who own the devices. Because these consumer costs are elusive, regulators have struggled to enact policies that could prompt manufacturers to design more secure IoT devices. We address this issue by exploring the harms to consumers who own the hacked devices that are used in botnet attacks.
</p>
<p>
We infected several consumer IoT devices with the Mirai malware and measured how devices use electricity and bandwidth resources in non-infected and infected states. We observed only small increases in electricity consumption of infected devices but significant increases in bandwidth usage in infected devices when compared with non-infected devices operating nominally. We also found that infected devices cause a degraded user experience for the device owner, as devices that are involved in attacks can interfere with the owner’s use of both the device and the network to which it is connected.
</p>
<p>
Based on these increased resource consumption costs, we then examine the costs to consumers of insecure IoT devices through the lens of three case studies. We first investigate the consumer costs of large-scale distributed denial of service attacks on Dyn, Inc. resources and the KrebsOnSecurity website that were caused by IoT botnets in 2016. We also present a hypothetical worst-case scenario attack to uncover potential damages that could arise given a large pool of insecure IoT devices. Finally, we explore potential implications of these issues and discuss regulations that could be used to promote a more secure IoT ecosystem in the future.
</p>
</div>
</div>
</section>
<section class="features" id="calculator">
<div class="container">
<div class="section-heading text-center">
<h2>IoT DDoS Consumer Cost Calculator</h2>
<p class="text-muted">Explore the Costs to Consumers of IoT DDoS Attacks</p>
<br>
</div>
<div class="row">
<div class="cost-calculator effect8">
<p style="text-align:center;">
<small class="calc-col-header">Adjust the calculator to compute costs, or select a preset attack profile</small>
</p>
<div class="row">
<span class="btn btn-outline btn-xl calc-btn" onclick="krebsAttack()">
KrebsOnSecurity Attack
</span>
<span class="btn btn-outline btn-xl calc-btn" onclick="dynAttack()">
Dyn, Inc. Attack
</span>
<span class="btn btn-outline btn-xl calc-btn" onclick="worstCaseAttack()">
Worst-Case Attack
</span>
</div>
<div class="bg-red" id="cost-total" >
TOTAL CONSUMER RESOURCE COST <br>
<b>$<span id="totalCost">x</span></b>
</div>
<!-- ATTACK CHARACTERISTICS -->
<div class="row">
<div class="calc-col">
<p class="calc-col-header">
Total Number of devices
</p>
<p class="calc-col-body subtotal">
<input type="number" name="Distribution of devices" class="input-box" id="numDevices" value="55000" onchange="calculateTotalCost()">
</p>
</div>
<div class="calc-col">
<p class="calc-col-header">
attack duration
</p>
<p class="calc-col-body">
<input type="number" name="attack-duration" class="input-box narrow" id="duration" value="4" onchange="calculateTotalCost()"> hours
</p>
</div>
<div class="calc-col">
<p class="calc-col-header">
attack type
</p>
<div class="dropdown center ">
<button class="btn btn-outline dropdown-toggle calc-dropdown-btn bg-none calc-col-body no-outline" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<span id="attackType" class="input-box narrow bg-none">TCP</span>
</button>
<div class="dropdown-menu dropdown-menu-right" aria-labelledby="dropdownMenuButton">
<li><span class="dropdown-item">TCP</span></li>
<li><span class="dropdown-item">UDP</span></li>
<li><span class="dropdown-item">Scan</span></li>
</div>
</div>
</div>
</div>
<!-- ELECTRICITY SLIDER -->
<br>
<div class="row">
<div class="calc-col wide">
<p class="calc-col-header">
Distribution of devices in Low, Medium, and High Cost Electricity Zones
</p>
<section class="range-slider elec_range-slider center">
<input value="33" min="0" max="100" step="1" type="range" class="slider-input elec_slider-input" id="slider-left">
<input value="66" min="0" max="100" step="1" type="range" class="slider-input elec_slider-input" id="slider-right">
</section>
<br>
<div class="row device-composition short">
<div class="calc-col bg-none ">
<p class="calc-col-body percent-total">
<span id="elec_lowCostPct">x</span>%
</p>
<p class="calc-col-header">
low-cost zone <small>($<span id="elec_lowCostPrice">x</span> per kWh)</small><br>
<small><i><span id="elec_numLowCost">x</span> devices</i></small>
</p>
</div>
<div class="calc-col bg-none ">
<p class="calc-col-body percent-total">
<span id="elec_medCostPct">x</span>%
</p>
<p class="calc-col-header">
med-cost zone <small>($<span id="elec_medCostPrice">x</span> per kWh)</small><br>
<small><i><span id="elec_numMedCost">x</span> devices</i></small>
</p>
</div>
<div class="calc-col bg-none ">
<p class="calc-col-body percent-total">
<span id="elec_highCostPct">x</span>%
</p>
<p class="calc-col-header">
high-cost zone <small>($<span id="elec_highCostPrice">x</span> per kWh)</small><br>
<small><i><span id="elec_numHighCost">x</span> devices</i></small>
</p>
</div>
</div>
</div>
</div>
<!-- BANDWIDTH CONSUMPTION SLIDERS -->
<br>
<div class="row">
<div class="calc-col wide">
<p class="calc-col-header">
Distribution of devices in Low, Medium, and High Cost Bandwidth Zones
</p>
<section class="range-slider band_range-slider center">
<input value="10" min="0" max="100" step="1" type="range" class="slider-input band_slider-input light" id="slider-1">
<input value="30" min="0" max="100" step="1" type="range" class="slider-input band_slider-input light" id="slider-2">
<input value="60" min="0" max="100" step="1" type="range" class="slider-input band_slider-input light" id="slider-3">
<input value="70" min="0" max="100" step="1" type="range" class="slider-input band_slider-input light" id="slider-4">
<input value="90" min="0" max="100" step="1" type="range" class="slider-input band_slider-input light" id="slider-5">
</section>
<br>
<div class="row device-composition short">
<div class="calc-col bg-none">
<!-- LOW COST BANDWIDTH -->
<p class="calc-col-header">
low-cost zone (<small>$<span id="band_lowCostPrice">x</span> per GB)</small>
</p>
<div class="row device-composition short">
<div class="calc-col slim bg-none">
<p class="calc-col-body percent-total">
<span id="band_lc-wifi">x</span>%
</p>
<p class="calc-col-header">
wifi<br>
<small><i><span id="band_numLowCostWifi">x</span> devices</i></small>
</p>
</div>
<div class="calc-col slim bg-none">
<p class="calc-col-body percent-total">
<span id="band_lc-eth">x</span>%
</p>
<p class="calc-col-header">
ethernet<br>
<small><i><span id="band_numLowCostEth">x</span> devices</i></small>
</p>
</div>
</div>
</div>
<!-- MED COST BANDWIDTH -->
<div class="calc-col bg-none">
<p class="calc-col-header">
med-cost zone (<small>$<span id="band_medCostPrice">x</span> per GB)</small>
</p>
<div class="row device-composition short">
<div class="calc-col slim bg-none">
<p class="calc-col-body percent-total">
<span id="band_mc-wifi">x</span>%
</p>
<p class="calc-col-header">
wifi<br>
<small><i><span id="band_numMedCostWifi">x</span> devices</i></small>
</p>
</div>
<div class="calc-col slim bg-none">
<p class="calc-col-body percent-total">
<span id="band_mc-eth">x</span>%
</p>
<p class="calc-col-header">
ethernet<br>
<small><i><span id="band_numMedCostEth">x</span> devices</i></small>
</p>
</div>
</div>
</div>
<!-- HIGH COST BANDWIDTH -->
<div class="calc-col bg-none">
<p class="calc-col-header">
high-cost zone (<small>$<span id="band_highCostPrice">x</span> per GB)</small>
</p>
<div class="row device-composition short">
<div class="calc-col slim bg-none">
<p class="calc-col-body percent-total">
<span id="band_hc-wifi">x</span>%
</p>
<p class="calc-col-header">
wifi<br>
<small><i><span id="band_numHighCostWifi">x</span> devices</i></small>
</p>
</div>
<div class="calc-col slim bg-none">
<p class="calc-col-body percent-total">
<span id="band_hc-eth">x</span>%
</p>
<p class="calc-col-header">
ethernet<br>
<small><i><span id="band_numHighCostEth">x</span> devices</i></small>
</p>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- SUBTOTALS -->
<div class="row device-composition">
<div class="calc-col bg-red">
<p class="calc-col-header">
total electricity cost per hour<br>
<small>(imposed on consumers in aggregate)</small>
</p>
<p class="calc-col-body subtotal">
$<span id="elec_increasedCostPerHour">x</span>
</p>
</div>
<div class="calc-col bg-red">
<p class="calc-col-header">
total bandwidth cost per hour<br>
<small>(imposed on consumers in aggregate)</small>
</p>
<p class="calc-col-body subtotal">
$<span id="band_increasedCostPerHour">x</span>
</p>
</div>
<div class="calc-col bg-red">
<p class="calc-col-header">
cost per device<br>
<small>(imposed on a consumer by each device)</small>
</p>
<p class="calc-col-body subtotal">
$<span id="increasedCostPerDevice">x</span>
</p>
</div>
</div>
</div>
</div>
</div>
</section>
<section class="features bg-secondary text-center" id="download">
<div class="container">
<div class="row">
<div class="col-md-8 mx-auto">
<h2 class="section-heading">Read the Full Report</h2>
<p>Learn more about our research design, methodology, and findings in the full report.</p>
<div class="badges">
<a href="https://drive.google.com/uc?id=1IivZwRbnQmEpIC6C3gYGPucxnxluIwuW&export=download" class="btn btn-outline btn-xl btn-clear js-scroll-trigger">Download the Report</a>
</div>
</div>
</div>
</div>
</section>
<footer>
<div class="container">
<ul class="list-inline">
<li class="list-inline-item">
<a href="mailto:">Contact</a>
</li>
<li class="list-inline-item">
<a href="https://www.ischool.berkeley.edu/">UC Berkeley School of Information</a>
</li>
<li class="list-inline-item">
<a href="https://cltc.berkeley.edu/">Center for Long-Term Cybersecurity</a>
</li>
</ul>
<hr>
<ul class="list-inline">
<li class="list-inline-item">
<p>© rIoT 2018. All Rights Reserved. Theme by Blackrock Digital used under <a href="https://github.com/BlackrockDigital/startbootstrap-new-age/blob/master/LICENSE" target="_blank">MIT License</a>.</p>
</li>
</ul>
</div>
</footer>
<!-- Bootstrap core JavaScript -->
<script src="static/vendor/jquery/jquery.min.js"></script>
<script src="static/vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- Plugin JavaScript -->
<script src="static/vendor/jquery-easing/jquery.easing.min.js"></script>
<!-- Custom scripts for this template -->
<script src="static/js/script.js"></script>
</body>
</html>