User compliance and remediation success after IoT malware notifications

Internet Service Providers (ISPs) are getting involved in remediating Internet of Things (IoT) infections of end users. This endeavor runs into serious usability problems. Given that it is usually unknown what kind of device is infected, they can only provide users with very generic cleanup advice, trying to cover all device types and remediation paths. Does this advice work? To what extent do users comply with the instructions? And does more compliance lead to higher cleanup rates? This study is the first to shed light on these questions. In partnership with an ISP, we designed a randomized control experiment followed up by a user survey. We randomly assigned 177 consumers affected by malware from the Mirai family to three different groups: (i) notified via a walled garden (quarantine network), (ii) notified via email, and (iii) no immediate notification, i.e. a control group. The notification asks the user to take five steps to remediate the infection. We conducted a phone survey with 95 of these customers based on communication–human information processing theory. We model the impact of the treatment, comprehension, and motivation on the compliance rate of each customer, while controlling for differences in demographics and infected device types. We also estimate the extent to which compliance leads to successful cleanup of the infected IoT devices. While only 24% of notified users perform all five remediation steps, 92% of notified users perform at least one action. Compliance increases the probability of successful cleanup by 32%, while the presence of competing malware reduces it by 54%. We provide an empirical basis to shape ISP best practices in the fight against IoT malware.
