A Research Proposal about Poisoning Attacks

On Tuesday, 29th June, I did my last presentation before taking my summer vacation. In the presentation, I talked about a potential research proposal focused on data poisoning attacks. Specifically, I discussed how this attack class could target an IoT-based system, such as a smart building, resulting in potentially severe consequences for a business. While poisoning attacks have been researched for a while, they are relatively understudied, especially in contexts involving online learning and interactive learning.

Here is a link to a redacted version of my presentation:

In case you want to know more about cyber security, especially its application to IoT and machine-learning-based systems, you are welcome to drop me a message.

Security Engineering and Machine Learning

This week I attended the 36th IFIP TC-11 International Information Security and Privacy Conference. The conference was organized by the Department of Informatics at the University of Oslo. During the first day of the conference, there was a keynote on Security Engineering by the celebrated security expert Prof. Dr. Ross Anderson.

He discussed the interaction between security engineering and machine learning. He warned us about the things that can go wrong with machine learning systems, including some new attacks and defenses, such as the Taboo Trap, data ordering attacks, sponge attacks, and more.

Outline of Ross Anderson’s keynote (IFIP TC-11).

I especially enjoyed the part of his talk where he mentions the human-to-machine-learning interaction. Coincidentally, this is a topic that I am researching. He discusses cases where robots incorporating machine learning components start mixing with humans, and then some tension and conflict, e.g., robots trying to deceive and bully humans, arise. This is a scenario that we should expect to see more of in the future.

I highly recommend that you consider purchasing his brilliant book titled “Security Engineering: A Guide to Building Dependable Distributed Systems”. This book is filled with actionable advice and the latest research on how to design, implement, and test systems to withstand attacks. Certainly, this book has an extremely broad coverage of security in general and is absolutely worth the purchase!

Sweden’s cyber range and cyber security

On Wednesday, 2nd June, I attended an interesting online program about cybersecurity. This program was organized by the Research Institutes of Sweden (RISE). Its main theme was the inauguration of RISE’s cyber range and cyber security in Sweden.

A cyber range is a virtual environment that companies typically use for cyber warfare training. Sweden’s own cyber range was introduced as a multipurpose, state-of-the-art cybersecurity research, test, and demo arena. Using RISE’s cyber range, it appears that real-world applications, for example vehicles and automotive systems, can be tested against real-world attacks in a safe environment. This is done using a sandboxed, virtualised network environment that is managed and operated by professionals.

In addition to the cyber range, there were other topics presented by a variety of compelling speakers, in particular topics about the Swedish bug bounty, cyber security at the EU level, and cyber security investment opportunities. One delivery (in Swedish) that I think was riveting was an interview with an (unnamed) ethical hacker.

Cyber security is a topic that is becoming increasingly important, especially as more systems are getting interconnected. Unfortunately, there is a shortage of skilled and qualified individuals to meet the increasing demand for cyber security professionals.

From an academic perspective, we have for years, and especially in recent years, been developing and running courses on cybersecurity. However, this year, in Sweden, we are developing something that is specifically meant to help advance cyber security research and competence. More on that in a later post.

Special Issue on Privacy and Trust

We are guest editing a Special Issue on Privacy and Trust in IoT-Based Smart Homes and Buildings, and would like to personally invite you to contribute a paper.

For this Special Issue we are looking for high-quality original contributions including, but not limited to, the topical areas listed below:

  • Novel architectures, concepts, and models for trustworthy smart homes and smart buildings;
  • Privacy-enhancing and transparency-enhancing technologies for smart homes and smart buildings;
  • Privacy-by-design mechanisms for smart homes and buildings;
  • Vulnerability discovery and analysis for smart homes and buildings;
  • Threat modeling and risk assessment for smart homes and buildings;
  • Attack and attacker simulation for smart homes and buildings;
  • Trust and identity management for smart homes and buildings;
  • Access control models for smart homes and buildings;
  • Human factors in privacy and security of smart homes and buildings.

Please spread the word!

More info: https://www.mdpi.com/journal/sensors/special_issues/PT_SM

Keeping Your Smart Home Secure

Smart homes are increasingly being subjected to attacks. The motives range from pranking users and causing chaos to cyberstalking and more nefarious purposes. Nevertheless, there are various strategies that residents can use to keep their homes secure from intruders. In my latest article, I identify and discuss five of these strategies.

Check out the full article (in Swedish) by clicking here.

A full transcript in English is available to any interested reader.

Interactive Event on Digital Ethics

On Friday, 23rd April, I attended an interactive event on the topic of digital ethics. This event was organised by RISE in collaboration with industry. Together, we explored and discussed the topics of data privacy, integrity, trust, and transparency in AI. Many interesting discussions followed in Zoom breakout rooms, especially after the presentation from the “Sjyst data!” project.

We talked about the generic development and implementation of AI for emerging systems, and the related ethical implications. An interesting point was raised about the passive collection of MAC addresses and whether these are considered personal data under the GDPR. On that note, over Zoom chat, someone also mentioned foot traffic data and the processing of it, especially during the Covid-19 pandemic. Even though data may appear to mean nothing particular or worrying to us at some point, when aggregated and linked with other data sources it can paint a detailed profile of us.

Here is a screenshot showing the event hosts: Nina Bozic (senior researcher) and Katarina Pietrzak (educational strategist) along with RISE experts and guests.

Interactive event on Digital Ethics

I am looking forward to the next one!

Two-Minute Elevator Pitch to Swedish Companies

On Thursday, 25th March, I was invited, along with 6 other universities and colleges located in the south of Sweden, to deliver a presentation to Swedish companies. Each presentation highlighted the research profile, research areas, and the number of potential PhD students that each institution is seeking to recruit from industry.

The presentation was in the form of a 2-minute pitch. It was delivered online through Microsoft Teams. Fortunately, many companies attended this event, including TrueSec, Ideon, Expisoft, and many others. Sweden’s research institute and innovation partner, RISE, and Karlstad University acted as the coordinators between the institutions and industry.

You can click the Download button below to access my presentation.

Some initiatives to help secure smart home devices

Smart home devices make people’s lives more efficient. However, the cyber security of smart home devices is just as important as the physical security of our homes. Below are three popular initiatives by governments to help secure consumer IoT, particularly smart home devices.

  • The Department for Digital, Culture, Media, and Sport (DCMS) published a Code of Practice titled “Code of Practice for Consumer IoT Security” to support all parties involved in the development, manufacturing, and retail of consumer IoT. Essentially, the DCMS guidelines are meant to ensure that IoT products are secure by design and to make it easier for people to stay secure in a digital world.
  • In a detailed report on the IoT, the Federal Trade Commission (FTC) proposed concrete steps that businesses can take to enhance and protect consumers’ privacy and security. Additionally, it introduced further guidance for companies to implement “reasonable security” in order to actively enhance and protect consumers’ IoT privacy and security.
  • The European Union Agency for Cybersecurity (ENISA), in their publication titled “Security and Resilience of Smart Home Environments”, present examples of actions for users to perform in order to choose a smart home device securely, operate a smart home device securely, and use online services for the smart home securely. ENISA later introduced good-practice guidelines for securing IoT products and services throughout their lifetime.

There are a number of measures and practices identified by the three bodies above that apply to different IoT stakeholders. The stakeholders range from device manufacturers to service providers to mobile application developers, and more. One core recommendation that applies especially to device manufacturers is that of having no default passwords. The recommendation to change the device’s password, and potentially to have a unique password for every device, is something that I emphasize.

In case you want to know more about how to secure your smart home or are simply curious about IoT security and privacy, you are welcome to get in touch.

Initiatives being brewed by governments to strengthen the IoT privacy and security

Last week, I was asked by several news reporters what can be done to have more secure and privacy-preserving smart home technologies. In this post, I focus on some of the more recent and upcoming regulations and initiatives that are affecting the IoT world, and are likely to affect it more in the future. Purposely, I exclude the EU GDPR and its US counterpart, the CCPA, as I will talk about those in a separate post.

  • The EU ePrivacy Regulation. This EU regulation aims to ensure privacy in all electronic communications – including instant messaging apps and VoIP platforms, and machine-to-machine communications such as the IoT. Also, it carries an identical penalty regime for non-compliance as the GDPR.
  • The EU Cybersecurity Act. This establishes an EU-wide cybersecurity certification framework for digital products, services, and processes. This includes the IoT, cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare, and qualified trust services.
  • The IoT Cybersecurity Improvement Act of 2020. This new US law establishes minimum security requirements for IoT devices owned or controlled by the federal government. Specifically, it requires any IoT devices purchased by the federal government to comply with the NIST standards and guidelines.

In the future, I will talk about some of the standards and best practice frameworks that can help organizations develop secure and privacy-preserving IoT technologies. Also, I will suggest some guidelines that consumers can adopt to secure their home devices.

Successfully Defended my PhD Dissertation

I am pleased to announce that on Thursday, 11th February, I successfully defended my PhD dissertation in Computer Science, titled On Privacy and Security in Smart Connected Homes. This has been an incredible and exciting journey, to say the least. It took close to 6 years, including taking 12 PhD courses, writing 10 main publications, authoring and co-authoring 6 other supplementary publications, traveling to 8 different countries, and hundreds of hours of writing. A heartfelt thanks to all the people who have been part of my journey, especially to my academic advisors – Dr. Andreas Jacobsson and Prof. Paul Davidsson.

Book Cover

Here is a link to access my doctoral defence presentation.