My talk in Japan

On Monday 11th March, I attended IEEE PerCom in Kyoto, Japan.  PerCom is regarded as a top scholarly venue in the areas of pervasive computing and communications. It is my third year participating in this conference. This year, I presented a paper titled: “IoTSM: An End-to-end Security Model for IoT Ecosystems”, in PerLS’19 – Third International Workshop on Pervasive Smart Living Spaces.

My presentation, live demos, and paper awards at the International Conference Center in Kyoto (2019).

In my presentation, I talked about how most of the reviewed security frameworks and maturity models tend to focus on securing web applications and services, and have not evolved to cater for the additional complexities and challenges that IoT technologies bring to the table. While most security practices remain similar, IoT requires additional checks and balances to implement effective security. Some reasons for this are that IoT applications by their nature tend to be Internet-connected, deal with highly personal data, and feature complex interdependencies involving multiple stakeholders and third-party systems.

Reviewing the existing scholarly literature and interviewing various IoT security experts based in Sweden, we especially observe the need for continuous rather than periodic processes. For instance, when it comes to risk assessment in IoT, a “continuous” approach is preferred in order to deal with the highly dynamic nature of IoT systems. Unfortunately, there is a shortage of methodologies for that, and most of the related research work is still in its early stages. Moreover, we note a lack of security awareness across the industry, e.g., with regard to “threat modelling”, as well as its application to modelling data flows, in particular to deal with information privacy. Finally, we recognise the diversity of IoT security requirements. While for a traditional application one needs to ensure service, network, and physical security, for IoT one might also need to consider other requirements, e.g., resilience, data security, and cloud security. Likewise, IoT may require catering for additional threat agent goals, which are not necessarily related to confidentiality, integrity, and availability.

Take a look at my presentation: IoTSM: An End-to-end Security Model for IoT Ecosystems

Information Security – Kick-off Lecture

Yesterday, on 23rd January 2019, I delivered my first lecture (titled: “Course Overview”) between 8:15 am and 10:00 am as part of the Information Security course at Malmö University. This is the third academic year that I am running this exciting course at Bachelor’s level.

Unlike previous years, this time the course material will be published on Canvas (instead of itslearning), I am officially the course responsible, and the number of students enrolled on this course exceeds 150! This is almost double the number of students I had two years ago. Indeed, it is very satisfying as a tutor to have so many students who recognise the increasing importance of information security!


Lecture at the “Faculty of Odontology” part of Malmö University.

One of the key points I mentioned is that the sophistication of attacks is increasing, especially since the introduction of Internet of Things (IoT) enabled technologies.

A particular instance of this is attacks carried out remotely, for instance with the help of drones (war-flying). As a demonstration of this, in the clip below researchers exploit a ZigBee vulnerability (by delivering a malicious over-the-air update) to force smart Hue light bulbs to flash S.O.S. in distress.

What attacks should we expect in the future? Certainly, I would expect to see more of the above and increasingly more autonomous attacks potentially targeting SCADA/ICSs and smart cities causing blackouts and more. Possibly such attacks can be permanent and have irreversible consequences.

Meeting with E.ON

On Friday 23rd November 2018, I had a meeting with E.ON in Malmö. E.ON is one of the major public utility companies in Europe and the world’s largest investor-owned energy service provider.

I was impressed by their hardware (in particular their ectogrid system that decreases pollution and energy consumption in a city) and their advanced software platform (in particular their ectocloud that gathers and assimilates data on user’s behavior and weather conditions to make forecasts on electricity availability). Truly, it was interesting to see world-class implementations of AI, Machine Learning algorithms, and network-enabled technologies, to achieve efficient energy management.

There, I did a mini-presentation, similar to a 5-minute pitch, of my PhD project. Below is a slide representing some of the challenges surrounding the field I am researching.


You can always keep updated about my research by checking my ResearchGate profile.

Keynote that made me reflect…

On October 24-25 2018, I attended a conference about counterterrorism and criminology (EISIC 2018) at Blekinge Institute of Technology in Karlskrona, Sweden. Among the keynote speakers was Dr. Dieter Gollmann, professor of security in distributed applications at Hamburg University of Technology. Among his wide repertoire of contributions, his textbook “Computer Security” is a household name among information security students. Personally, I have used it for my Master’s and am using it now for my students.

Two key points that Dr. Gollmann mentioned and that made me reflect are: i) that the Internet of Things (IoT), especially when it comes to network security, “is a new balloon for floating ideas”, and ii) that better models than the CIA triad may be needed for IoT systems.


Photo of Prof. Dieter Gollmann taken at Blekinge Institute of Technology on 24-Oct-2018.

On i), it was emphasised that, especially when working on IoT security, one should not coin something as state-of-the-art without having done a proper review of the literature. To do so, one must not simply search for IoT and security, but should also consult the literature on WSN and MANET security, as otherwise 15-20 years of relevant results may be lost.

In terms of ii), it was suggested to replace the CIA model with a new model, the Control Triad (CO2). The new model has three dimensions: Controllability, Observability, and Operability. These dimensions matter because in a control system, as the IoT is, a threat agent may not be interested in CIA but instead wants to control the system: to put it into a state the agent wants it to be in, or to operate it according to the agent’s liking.

I hope that this short post will somewhat make you reflect on stuff you may be working on.

Talk about my Research Topics at Vetenskapens Dag

Today, I was invited to speak about my research topics at Vetenskapens Dag (Science Day).  Here, I did a short talk to IT and Economics students in Malmö University where I touched on the following topics:

  • What is a smart connected home?
  • Why is it important to study smart homes?
  • What data are being collected by connected devices?
  • What risks to security and privacy are introduced by such IoT devices?
  • Who are the threat agents interested in gaining a foothold in our lives?
  • What can we do as consumers to protect ourselves?

Below is a screenshot of my presentation cover:

Please feel free to get in touch if you want to know more about this and related!

Data Collected by Smart Home Devices

What types of data do smart home devices collect? This is exactly what I talked about last week in Seattle (USA) at the Services Conference Federation (SCF 2018). Understanding the data smart home systems collect is useful to assess what is at stake if a device is compromised, and as a precursor for conducting privacy analysis.


By analysing the privacy policies of different smart home and IoT device manufacturers we observed that all investigated devices collect instances of personal data. This in the worst case can include biometric data. Such data is used for instance in smart TVs for authentication purposes and sometimes to support advanced interaction features.

However, there are many other instances of non-personal data which, when aggregated, can paint a detailed model of an individual’s lifestyle preferences, habits, and history.

Read more: https://www.springerprofessional.de/an-empirical-analysis-of-smart-connected-home-data/15852434

Password reuse in different smart home products

Researchers from Ben-Gurion University of the Negev have found that smart home devices can be easily hacked and then used to spy on their users. Omer Shwartz et al., in their research paper, analysed the practical security level of 16 popular IoT devices ranging from high-end to low-end manufacturers.

Amongst other things, they discovered that similar products sold under different brands share the same default passwords. In some instances, the authors claimed, such passwords were found within minutes, sometimes simply by a web search for the brand. Devices in their study included baby monitors, home security and web cameras, doorbells, and thermostats. Using such devices in their lab, they were then able to, for example, play loud music through a baby monitor, turn off a thermostat, and turn on a camera remotely.

As I argued today in my PerCom’18 presentation in Greece, manufacturers should avoid easy, hard-coded passwords and should be held more accountable for their products and services. At the same time, the end-user as a countermeasure should change default passwords or disable privileged accounts on the device. But ultimately, security should never be an afterthought; it should be built in from the beginning of the development lifecycle.

In our work, we have identified hundreds of insecure smart connected cameras deployed on the Internet in different places in the world. Similarly, we observed that most of the vendors left their default passwords inside the devices, or exposed banner information with sensitive data, e.g., firmware version, port numbers, and manufacturer names, that can be used to compromise the security and privacy of householders, business owners, and more.
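The two findings above (factory passwords shared across differently branded products, and banners that give away manufacturer and firmware version) are the kind of thing a lab triage script checks for. The following is an added example, not tooling from the Ben-Gurion paper or from my own camera study; the platform labels, credential list, banners and hosts are all constructed, and the login oracle is simulated rather than a real HTTP or Telnet authentication attempt.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Credential = Tuple[str, str]

# Constructed factory credentials, keyed by hardware platform rather than
# brand: differently branded products built on the same platform ship the
# same default password, so the brand name is the wrong lookup key.
DEFAULT_CREDENTIALS: Dict[str, List[Credential]] = {
    "cam-platform-a": [("admin", "admin"), ("admin", "1234")],
    "monitor-platform-b": [("root", "root"), ("admin", "")],
}

# Identifying details commonly found in device banners (patterns are
# illustrative, not taken from any vendor's real banner format).
BANNER_PATTERNS = {
    "manufacturer": re.compile(r"(?i)\b(?:vendor|manufacturer)[:=]\s*([\w-]+)"),
    "model": re.compile(r"(?i)\bmodel[:=]\s*([\w-]+)"),
    "firmware": re.compile(r"(?i)\bfirmware[:=\s]+v?(\d+(?:\.\d+)+)"),
}


@dataclass
class Device:
    host: str
    brand: str
    platform: str                 # white-label hardware platform (constructed label)
    banner: str
    open_ports: List[int]
    accepted: Optional[Credential] = None   # credential the simulated device accepts


def leaked_fields(banner: str) -> Dict[str, str]:
    """Extract the identifying details a banner gives away for free."""
    found: Dict[str, str] = {}
    for name, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            found[name] = match.group(1)
    return found


def simulated_login(device: Device, user: str, password: str) -> bool:
    """Stand-in for an authentication attempt against a device in the lab."""
    return device.accepted == (user, password)


def default_credential_hit(device: Device,
                           login: Callable[[Device, str, str], bool] = simulated_login
                           ) -> Optional[Credential]:
    """Return the first factory credential of the device's platform it accepts."""
    for user, password in DEFAULT_CREDENTIALS.get(device.platform, []):
        if login(device, user, password):
            return (user, password)
    return None


def triage(devices: List[Device], login=simulated_login) -> Dict[str, List[str]]:
    """Map each host to its list of findings (empty list means nothing found)."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        findings: List[str] = []
        fields = leaked_fields(device.banner)
        if fields:
            findings.append("banner leaks " + ", ".join(f"{k}={v}" for k, v in sorted(fields.items())))
        hit = default_credential_hit(device, login)
        if hit is not None:
            findings.append(f"accepts factory credential {hit[0]}:{hit[1] or '<empty>'}")
        if 23 in device.open_ports:
            findings.append("telnet (23) exposed")
        report[device.host] = findings
    return report


def shared_defaults(devices: List[Device], login=simulated_login) -> Dict[str, List[str]]:
    """Platforms whose factory password worked on more than one brand."""
    by_platform: Dict[str, set] = {}
    for device in devices:
        if default_credential_hit(device, login) is not None:
            by_platform.setdefault(device.platform, set()).add(device.brand)
    return {p: sorted(b) for p, b in by_platform.items() if len(b) > 1}


# Constructed sample: two brands on the same camera platform, a baby monitor,
# and a camera whose owner actually changed the password.
SAMPLE_DEVICES = [
    Device("198.51.100.10", "BrandA", "cam-platform-a",
           "HTTP/1.1 200 OK\r\nServer: IPCam Vendor: AcmeOEM Model: C200 Firmware: v2.3.1",
           [80, 554], accepted=("admin", "admin")),
    Device("198.51.100.11", "BrandB", "cam-platform-a",
           "HTTP/1.1 200 OK\r\nServer: IPCam Vendor: AcmeOEM Model: C200 Firmware: v2.3.1",
           [80, 23], accepted=("admin", "admin")),
    Device("198.51.100.12", "BrandC", "monitor-platform-b",
           "Welcome to BabyView Firmware 1.0.4\r\nlogin:", [23], accepted=("root", "root")),
    Device("198.51.100.13", "BrandA", "cam-platform-a",
           "HTTP/1.1 200 OK\r\nServer: nginx", [443], accepted=("admin", "correct horse")),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_DEVICES).items():
        print(host, findings or ["no findings"])
    print("shared factory passwords:", shared_defaults(SAMPLE_DEVICES))
```

Keying the credential list by platform rather than brand is the design point: once one brand's factory password is known, the script tries it on every other brand built on the same hardware, which is exactly the reuse the researchers reported. Replace `simulated_login` with a real authentication attempt only against devices you own or are authorised to test.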

Risks to Consider Before Buying a Smart Home Device

People are increasingly buying voice-activated speakers (also called digital voice assistants or intelligent personal assistants) and other smart devices for added convenience, enhanced security, and also for entertainment purposes. But doing so blindly, without assessing the risks involved with such technologies, can give intruders an accessible window into our homes and personal lives. Here are some risks that you may want to consider before purchasing a smart device for your house:

Listening In: Many new devices are being manufactured with built-in microphones. New generation devices falling in this category include, for instance, smart speaker systems such as Amazon Echo and Google Home, as well as smart TVs, TV streaming devices, and Internet-connected toys. Many of these devices are constantly listening for your commands, and when they receive them they connect to corporate servers (which can be located anywhere in the world) to satisfy your request. What if you are having private conversations at home? Are these getting sent to the Internet without your awareness? Indeed, some devices do just that (yes, you may have unknowingly already accepted the vendor’s privacy policy or terms of use, if such a thing exists!). What can you do then? Well, devices typically have a mute function that disables the device microphone(s). But the question remains: can we actually verify what the manufacturer promises? Further to that, if data is sent over the Internet, can it really be removed? I highly doubt that.

Watching You: Cloud security cameras let you check in on your pets, children, and your home status when you are away, typically through your smartphone, tablet, or other handheld computing devices. Some devices routinely send video footage to online storage automatically, while others do so when triggered, for example by a motion sensor (typically signalling that an intruder or an unauthorised visitor is nearby). Reputable brands are likely to take security seriously, but no system is bulletproof. If you want to stay extra vigilant, then you might want to turn the camera to face the wall or just unplug it altogether when you do not intend to use it. However, this is not a viable solution for many. Thus, my suggestion is that you should carefully inspect the device’s technical specification and assess whether the company is taking security and privacy seriously!

Digital Trails: Smart locks let you unlock doors from anywhere with an application installed on your digital devices. With this, you can let in guests even when you are away or when you have your hands full with other things (yes, you can also connect your smart lock to a digital voice assistant). Similarly, landlords can automatically disable your digital key when you move out, and parents can keep an attentive eye on the time their beloved teens come back home. At the same time, intruders might try to hack the system, not only forcibly with hardware tools but also with software hacking tools. Smart locks also pose a risk to privacy, as usage of such keys leaves a digital trail. This trail can also be used in forensic investigation. This is an added attack surface that these digital devices bring into our lives, into our homes.

In this article, we only scratched the surface of the risks brought about by smart devices. If you want to learn more about the risks when purchasing smart home devices, as well as about the different types of intruders spying on your home, take a look at my paper.