SPICE had a visit from a renowned logistics and product specialist on Friday, December 8th. Speaking in Informatics East, the jingling master of toys and home products gave a funny yet serious talk, spilling the beans on just how he makes his infamous list of who is naughty and who is nice. Santa laid out the secret that he no longer uses human or elven resources to make his definitive demographic determinations; instead, he relies on the eyes and ears of unsecured IoT devices.
Invited to speak by IU Chief Information Privacy and Security Officer Mark Napier, Santa presented to an audience of academics, security professionals and students a three-part message of understanding IoT, selecting for security, and having a mitigation mindset. The framework of the presentation followed a family of five and how four out of five were “busted” by Santa’s exploitation of toys and home IoT devices. Only one member of the family, the youngest, was able to use her threat modeling skills and mitigation mindset to thwart Santa’s tricks, leaving her on the “nice” list.
It is no surprise that St. Nick chose to divulge his secrets to a SPICE audience. IU’s Security & Privacy in Informatics, Computing, and Engineering is a premier research center dedicated to improving the security of users through an interdisciplinary team covering cryptography, system security, human computing interface, and its Internet of Things research house. Santa’s secrets are no secrets to SPICE’s researchers - especially when it comes to toys like the CloudPets Unicorn or Fisher-Price's SmartBear.
SPICE currently sponsors three Capstone teams of IU undergraduate students who research IoT toy exploits and build sample demonstration attacks for industry, both for educational outreach and as proofs of concept that manufacturers can use to improve their products. Additionally, SPICE has a range of postdoctoral, Ph.D., and master's students who are dedicated to security, privacy, product improvement, and human interaction research, with partnerships ranging from the University of Washington to CRANE Naval Warfare Center. SPICE’s IoT research is funded by a five-year National Science Foundation grant.
With SPICE’s hard work to improve user privacy, Santa’s job of separating the “naughty” from the “nice” will become increasingly difficult as he comes up against targets who have been hardened against IoT insecurity through research, education, and outreach. Santa may just have to go back to his old ways, especially after two attendees said they had presents that they planned to take back to the store to exchange for safer ones.