TY - GEN
T1 - “The thing doesn't have a name”
T2 - 17th Symposium on Usable Privacy and Security, SOUPS 2021
AU - Bouwmeester, Brennen
AU - Turcios Rodriguez, E.R.
AU - Gañán, Carlos
AU - van Eeten, Michel
AU - Parkin, Simon
PY - 2021
Y1 - 2021
N2 - Many consumer Internet-of-Things (IoT) devices are, and will remain, subject to compromise, often without the owner's knowledge. Internet Service Providers (ISPs) are among the actors best-placed to coordinate the remediation of these problems. They receive infection data and can notify customers of recommended remediation actions. There is insufficient understanding of what happens in peoples' homes and businesses during attempts to remediate infected IoT devices. We coordinate with an ISP and conduct remote think-aloud observations with 17 customers who have an infected device, capturing their initial efforts to follow best-practice remediation steps. We identify real, personal consequences from wide-scale interventions which lack situated guidance for applying advice. Combining observations and thematic analysis, we synthesize the personal stories of the successes and struggles of these customers. Most participants think they were able to pinpoint the infected device; however, there were common issues such as not knowing how to comply with the recommended actions, remediations regarded as requiring excessive effort, a lack of feedback on success, and a perceived lack of support from device manufacturers. Only 4 of 17 participants were able to successfully complete all remediation steps. We provide recommendations relevant to various stakeholders, to focus where emergent interventions can be improved.
AB - Many consumer Internet-of-Things (IoT) devices are, and will remain, subject to compromise, often without the owner's knowledge. Internet Service Providers (ISPs) are among the actors best-placed to coordinate the remediation of these problems. They receive infection data and can notify customers of recommended remediation actions. There is insufficient understanding of what happens in peoples' homes and businesses during attempts to remediate infected IoT devices. We coordinate with an ISP and conduct remote think-aloud observations with 17 customers who have an infected device, capturing their initial efforts to follow best-practice remediation steps. We identify real, personal consequences from wide-scale interventions which lack situated guidance for applying advice. Combining observations and thematic analysis, we synthesize the personal stories of the successes and struggles of these customers. Most participants think they were able to pinpoint the infected device; however, there were common issues such as not knowing how to comply with the recommended actions, remediations regarded as requiring excessive effort, a lack of feedback on success, and a perceived lack of support from device manufacturers. Only 4 of 17 participants were able to successfully complete all remediation steps. We provide recommendations relevant to various stakeholders, to focus where emergent interventions can be improved.
UR - http://www.scopus.com/inward/record.url?scp=85114464267&partnerID=8YFLogxK
UR - https://www.usenix.org/conference/soups2021/technical-sessions
M3 - Conference contribution
AN - SCOPUS:85114464267
T3 - Proceedings of the 17th Symposium on Usable Privacy and Security, SOUPS 2021
SP - 493
EP - 512
BT - Proceedings of the 17th Symposium on Usable Privacy and Security, SOUPS 2021
PB - USENIX Association
Y2 - 9 August 2021 through 10 August 2021
ER -