Analyzing and Understanding the Internet of Insecure Things
Carlotta Tagliaro


Funding year 2025 / Scholarship Call #20 / Scholarship ID: 7820

Internet of Things (IoT) devices are now common in homes, assisting with daily tasks while collecting large amounts of user and environmental data. Because these devices often lack a user interface of their own, mobile companion apps provide much of their functionality, but they also introduce privacy and security risks of their own. My research investigates how IoT devices, companion apps, backends, and protocols operate, whether safeguards exist, and where privacy may be compromised. In one study, we analyzed the HbbTV protocol used in smart TVs and found that personal data was collected before users had given consent in several European countries. We then examined about 3,000 companion apps and identified sensitive data exposures, including default credentials that gave access to all users of a health bracelet. Next, we assessed backend systems at scale, uncovering widespread misconfigurations, weak cryptography, and data leakage. Finally, we explored the challenges of coordinated vulnerability disclosure, balancing public safety against the responsibilities of researchers and vendors.

University | University of Applied Sciences [University]

Technische Universität Wien

Topic area

Network Security, Security | Privacy | Surveillance

Target audience

Technical practitioners

Overall classification

Dissertation | PhD

Technology

Client-server application, Mobile apps (Android), Python

License

CC-BY

Project results

Paper (CC-BY)

The ever-increasing popularity of Smart TVs and support for the Hybrid Broadcast Broadband TV (HbbTV) standard allow broadcasters to enrich the content delivered over the standard broadcast signal with Internet-delivered apps, ranging from quizzes during a TV show to targeted advertising. HbbTV apps are built with standard web technologies and rendered as transparent overlays on top of the TV channel. Although the number of HbbTV-enabled devices is growing rapidly, studies of the protocol's security and privacy aspects are scarce, and no standardized protective measure is in place.

We fill this gap by investigating the current state of HbbTV in the European landscape and assessing its implications for users' privacy. We shift the focus from the Smart TV's firmware and app security, already studied in depth in related work, to the content transmission protocol itself. Unlike traditional "linear TV" signals, HbbTV allows bi-directional communication: in addition to receiving TV content, the device can transmit data back to the broadcaster. We describe the techniques broadcasters use to measure users' (viewing) preferences and show how the protocol's implementation can cause severe privacy risks by studying its deployment across 36 TV channels in five European countries (Italy, Germany, France, Austria, and Finland). We also survey users' awareness of Smart TV and HbbTV-related risks; the results show little understanding of the threats users are exposed to. Finally, we present a denylist-based mechanism that ensures a safe experience for users while watching TV and reduces the privacy issues HbbTV may pose.
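The denylist-based mechanism is described above only in outline. The following is an added example, not the paper's own implementation or list: a hostname denylist with label-aligned parent-domain matching, applied to the app URL signaled in the broadcast and to the resources the HbbTV overlay then requests. The denylist entries, hostnames and request URLs are constructed for this example, and the fail-closed treatment of non-http(s) URLs is a design choice of the example, not something the paper specifies.

```python
"""Added example: a host denylist for requests made by an HbbTV overlay.

Not the paper's code. Hostnames and the denylist below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed denylist (hypothetical hosts, not the paper's list).
DENYLIST_TEXT = """
# measurement / ad hosts an HbbTV overlay might contact
tracker.example
ads.example
203.0.113.10
"""


class HostDenylist:
    """Blocks a host if it, or any parent domain of it, is listed.

    Domain entries match the domain itself and every subdomain, but only on
    label boundaries ("tracker.example" does not block "nottracker.example").
    IP-literal entries match exactly.
    """

    def __init__(self, text):
        self.domains = set()
        self.addresses = set()
        for line in text.splitlines():
            entry = line.split("#", 1)[0].strip().lower().rstrip(".")
            if not entry:
                continue
            try:
                self.addresses.add(ipaddress.ip_address(entry))
            except ValueError:
                self.domains.add(entry)

    def blocks_host(self, host):
        host = host.lower().rstrip(".")
        try:
            return ipaddress.ip_address(host) in self.addresses
        except ValueError:
            pass  # not an IP literal, fall through to domain matching
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def decide(self, url):
        """Return 'allow' or 'block' for one request the TV's HbbTV browser
        would make. Anything that is not http(s) with a host is blocked
        (fail closed; a design choice of this example)."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "block"
        return "block" if self.blocks_host(parts.hostname) else "allow"


def filter_overlay(denylist, app_url, subrequests):
    """Apply the denylist to the broadcast-signaled app URL and the resources
    the overlay loads. If the app URL itself is blocked, nothing is loaded."""
    if denylist.decide(app_url) == "block":
        return {"app": "block", "loaded": [], "blocked": list(subrequests)}
    loaded = [u for u in subrequests if denylist.decide(u) == "allow"]
    blocked = [u for u in subrequests if denylist.decide(u) == "block"]
    return {"app": "allow", "loaded": loaded, "blocked": blocked}


if __name__ == "__main__":
    dl = HostDenylist(DENYLIST_TEXT)
    # Constructed app URL and sub-requests, as a quiz overlay might issue them.
    print(filter_overlay(dl, "https://hbbtv.broadcaster.example/app/index.html",
                         ["https://hbbtv.broadcaster.example/quiz.js",
                          "https://metrics.tracker.example/pixel.gif"]))
```

Matching on label boundaries matters in practice: a naive substring or `endswith` check on "tracker.example" would also block "nottracker.example", and a check on the exact host only would miss "metrics.tracker.example".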

Dissertation | PhD (CC-BY)

This thesis addresses the pervasive security challenges in the Internet of Things (IoT) ecosystem through an interdisciplinary methodology that combines system-level analysis, large-scale Internet measurement, and user-centered studies. First, we present IoTFlow, a static analysis technique that examines nearly 10,000 Android IoT companion apps to reconstruct device communication endpoints and reveal insecure practices such as hardcoded credentials and exposed test interfaces. Next, building on IoTFlow's findings, we conduct a large-scale assessment of IoT backends across several communication protocols (MQTT, CoAP, and XMPP), uncovering widespread vulnerabilities that include data leaks, weak authentication schemes, and denial-of-service threats. In response, we initiate a coordinated vulnerability disclosure procedure with the Dutch National Cyber Security Centre, notifying thousands of operators and tracking remediation outcomes. This effort exposes critical gaps in current IoT security oversight.
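To make concrete what "reconstructing communication endpoints" and "weak authentication schemes" look like in practice, here is an added example that is not IoTFlow and not the thesis's scanning code. It scans a constructed snippet of decompiled companion-app source for endpoint string literals and MQTT credentials, and then builds the MQTT 3.1.1 CONNECT packet an anonymous-login probe against such a broker would send, decoding the broker's CONNACK reply. The class name, hostnames, credentials and the CONNACK bytes are all constructed for this example; the packet layout follows the MQTT 3.1.1 specification.

```python
"""Added example: endpoint/credential extraction from decompiled app source,
plus an anonymous MQTT CONNECT probe. Not IoTFlow; sample input is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed snippet imitating decompiled Java from a companion app
# (hypothetical class and hostnames, not taken from any real app).
SAMPLE_SOURCE = r'''
public class CloudClient {
    private static final String BROKER = "tcp://mqtt.example.com:1883";
    private static final String API = "https://api.example.com/v2/device";
    private static final String COAP = "coap://coap.example.com/ping";
    private static final String TEST = "http://test.example.com/debug";
    void connect(MqttConnectOptions o) {
        o.setUserName("admin");
        o.setPassword("admin123".toCharArray());
    }
}
'''

DEFAULT_PORTS = {"mqtt": 1883, "tcp": 1883, "ssl": 8883, "mqtts": 8883,
                 "coap": 5683, "coaps": 5684, "http": 80, "https": 443, "xmpp": 5222}
PLAINTEXT_SCHEMES = {"mqtt", "tcp", "coap", "http", "xmpp"}
URL_RE = re.compile(r'"((?:mqtts?|tcp|ssl|coaps?|https?|xmpp)://[^"\s]+)"')
CRED_RE = re.compile(r'\.set(UserName|Password)\(\s*"([^"]*)"')
TEST_MARKERS = ("test", "debug", "staging", "dev.")


@dataclass(frozen=True)
class Endpoint:
    scheme: str
    host: str
    port: int
    plaintext: bool   # transport offers no confidentiality or integrity
    test_like: bool   # looks like a test/debug interface shipped in production


def extract_endpoints(source):
    """Recover backend endpoints from URL string literals in decompiled source."""
    found = []
    for url in URL_RE.findall(source):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        found.append(Endpoint(
            scheme=scheme,
            host=parts.hostname or "",
            port=parts.port or DEFAULT_PORTS[scheme],
            plaintext=scheme in PLAINTEXT_SCHEMES,
            test_like=any(m in url.lower() for m in TEST_MARKERS),
        ))
    return found


def extract_credentials(source):
    """Find MQTT username/password literals passed to the connect options."""
    creds = {}
    for field, value in CRED_RE.findall(source):
        creds["username" if field == "UserName" else "password"] = value
    return creds


def _mqtt_string(s):
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def _remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit means continue."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def mqtt_connect_packet(client_id, username=None, password=None, keepalive=60):
    """Build an MQTT 3.1.1 CONNECT packet. With no credentials this is the
    anonymous-login probe a backend scan would send first."""
    flags = 0x02                                   # clean session
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80                              # user name flag
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40                              # password flag
        payload += _mqtt_string(password)
    variable_header = (_mqtt_string("MQTT") + bytes([0x04, flags])
                       + keepalive.to_bytes(2, "big"))
    body = variable_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}


def parse_connack(packet):
    """Decode the broker's CONNACK. 'accepted' in reply to an anonymous
    CONNECT means the broker admits unauthenticated clients."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return CONNACK_CODES.get(packet[3], "reserved")


if __name__ == "__main__":
    for ep in extract_endpoints(SAMPLE_SOURCE):
        print(ep)
    print(extract_credentials(SAMPLE_SOURCE))
    print(mqtt_connect_packet("probe").hex())
    # Constructed CONNACK as an open broker would answer an anonymous CONNECT.
    print(parse_connack(bytes.fromhex("20020000")))
```

The probe is deliberately built from raw bytes so that the flags byte (0x02 anonymous versus 0xC2 with username and password) is visible; an "accepted" CONNACK to the anonymous packet, or to the hardcoded credentials recovered from the app, is exactly the weak-authentication finding the assessment above reports.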

Beyond technical infrastructure, we examine privacy risks in Hybrid Broadcast Broadband TV (HbbTV) across five European countries, revealing pervasive tracking and policy non-compliance in smart TV channels. Finally, we bridge the technical and human perspectives through a two-part user study on IoT risk perceptions and security behaviors. We perform an expert-driven categorization of IoT devices, followed by a large-scale user survey of 213 participants, which exposes significant mismatches between perceived risk and actual security practices across device categories. Our findings underscore the pressing need for effective security solutions. By combining systems security, Internet measurement, and user-centered approaches, our work not only extends the technical understanding of IoT vulnerabilities but also informs regulatory policy.