On Security Best Practices, Systematic Analysis of Security Advice, and Internet of Things Devices

While Internet of Things (IoT) security best practices have recently attracted considerable attention from industry and governments, academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We begin by investigating a surprising lack of consensus, and void in the literature, on what (generically) best practice means, and provide a technical examination of related terminology. We use iterative inducting coding to design an analysis methodology for categorizing security advice and measuring its actionability. We use this methodology to analyze three datasets: a set of 1013 IoT security best practices, recommendations, and guidelines, and two formally recommended IoT security advice documents. We find all three sets to be largely non-actionable. Through design and use of this methodology, we identify the characteristics of actionable security advice. We also analyze recent work on IoT device identification based on three identification objectives (distinguish device instances, distinguish device classes, and authenticate device identity), and the technical approaches by which they are reached: device fingerprinting, classification, and authentication. We differentiate the role of these objectives and approaches in IoT security, and develop a model relating them.