An ever increasing number of everyday objects from our homes, workplaces and even from our wardrobes, are getting connected to the Internet, creating the much discussed "Internet of Things" (IoT). With increased connectivity comes additional risk. These objects can be attacked and possibly hijacked, putting our privacy, data and safety in question.Setting personalized and "strong" passwords when connecting new devices to the Internet, e.g. through our home Wi-Fi networks, can mitigate such risks. However, many IoT devices have very limited interfaces: just a few buttons (if any at all) and light indicators, making it challenging for users to configure them. If secure configuration becomes an excessive burden, then users may choose the path of least resistance and leave their Internet of Things vulnerable.
We have investigated a range of interaction techniques for the configuration of Internet of Things devices, looking for methods that allow security, but are quick and easy to use.Four interaction techniques were selected (based on existing IoT products currently on the market) and compared to each other through a formal lab study. All four techniques take advantage of the touchscreen available on smartphones, which are now very familiar and easily accessible to most of us, to let users enter secure passwords. The key question then becomes: how can we let the smartphone communicate the password to the IoT devices? There are different options, and each of them comes with inherent advantages and limitations, not only in terms of technicalities, but also in terms of ease of use — and that’s what our research has addressed.
Two of the techniques leveraged a more "traditional" approach: connect the smartphone and the IoT device through a cable: USB or audio (connecting to the smartphone’s headphone socket). Another technique used a "Wi-Fi-only" approach: the smartphone creates a special temporary Wi-Fi network (a so called "ad-hoc network"), to which the IoT device automatically connects before being redirected to the correct permanent network. The final option is for the smartphone and the IoT device to exchange information through light: the smartphone’s screen flashes black and white to mean binary ‘zero’ or ‘one'; the IoT device reads this light/binary pattern to learn the password from the smartphone.
The results indicate that two of the techniques are noticeably more usable than the others. The "good old" audio cable and the Wi-Fi-only mechanisms outperformed the other alternatives. These two enabled our study participants to configure the IoT devices most easily. We believe that our results can help designers and researchers make IoT devices, and especially their configuration, more usable and therefore secure. Moreover, we believe that not enough attention has been placed on how to make the IoT easy to use and to configure, so we hope that our results will motivate others in researching this topic.
More information can be found on our Ubicomp’15 paper.