Amidst graduation preparations, packing, and summer internship planning, IU Capstone students have the additional work of winding up their year of research. Three Capstone teams proudly demonstrated the work they did at IU’s Internet of Things (IoT) House for the Security and Privacy in Informatics, Computing, and Engineering (SPICE) center in the 2018 Research Symposium.

This year’s Capstone teams worked on IoT toy security, consumer safety education, and phishing research.  All teams worked as a part of the IU Capstone course which pairs fourth year undergraduate students with clients who provide research needs and goals. The students then have the space of one academic year in which to accomplish these goals.

Team “Unicorn” worked with the CloudPets line of internet connected toys that allow small children to send and receive messages to a parent who is far away on work or deployment. Targeted at military families, this toy was chosen because of its potential threat to parent and child safety. The team’s research found not only previously discovered threats to cloud data security that exposed user credentials and recordings, but it also found that the children’s toy could be used to find a child’s location and communicate with the child directly without authorization. Furthermore, they found that this significant threat was challenging to explain to policymakers and parents.

Their project became building a demonstration proof-of-concept which demonstrates the threat the toy presents to children. “Toy Finder” is an application that finds, takes over, and controls the toy from a distance. This has a visceral effect on observers, as exemplified by one workshop attendee who reacted with, “That’s terrifying!”  The application also educates parents and teachers how very simple at-home mitigation practices can make IoT toys far less dangerous.

Team “Goldilocks” took their name from the fact that they originally intended to steal data from Fisher-Price’s Smart Toy Bear. The popular line of smart toys has seen previous security updates, as problems with insecure data transfer were found in earlier security examinations. The team was assigned to support the research of Olivia Kenny and Joshua Streiff who both proved the previous holes had been fixed, and examined new holes. Over the year the team helped find a new security hole that allowed users to take over the toy and stream video and audio from the bear’s always-on camera.

Recognizing that many parents simply do not have the necessary information to make fully-informed purchase decisions, or take mitigation strategies post purchase, the team also piloted a test threat modeling tool. “IoT Threat Modeler” is a web application intended to help parents search for known security holes in devices, as well as evaluate new, untested devices, for purchase. Their tool will be implemented in SPICE outreach events.

Team “Phish” worked with Ph.D Tim Kelly and CRANE Naval Warfare Center to make improvements to an eCrime tool developed by SPICE Professor L. Jean Camp. Studying phishing attacks at IU, the tool identifies how people evaluate web pages. Using data from a previous SPICE study, they tracked mouse usage and time spent on pages as well as accuracy in communication. Communicating with APWG, the team prepared the project for future work in global e-crime response.

Capstone students gained skills and experience which had immediate value for them. One student, Joshua Cannon, said that his work changed his job interviews.

He asked me about my classwork. I told him that I hack teddy bears and steal camera feeds. He was surprised and excited saying, ‘Really?’ It was a good interview.

The Capstone students for 2018 were:

• Team Unicorn: John Krieger, Wyatt Gaweda, Michael Ferry, and James Bennett
• Team Goldilocks: Joshua Cannon, Joseph Wethern, and Avery Siebert.
• Team Phish: Kevin Danik, Jack Arnold, and Hugh Walshe.