Lecturing about security and blockchain in a Masters course

On 24 November, I was invited to deliver a guest lecture to Masters students in Computer Science at Malmö University. The lecture’s main topic was IoT security and the application of blockchain as a security-enhancing technology. It was fun doing this 2-hour lecture over Zoom, and I was especially pleased to see some former students attending my lecture.

When introducing blockchain, I focused on a use case where this technology is used for securing drone communication. In particular, I referenced the paper titled “Towards data assurance and resilience in IoT using blockchain”, which uses some of the properties of blockchain to provide instant and permanent data integrity, trusted accountability, and a resilient backend for drones. Blockchain has several other uses, including in smart homes (e.g., as discussed in the paper titled “Blockchain for IoT Security and Privacy: The Case Study of a Smart Home”) and in many other domains.

Recently, I also co-authored a paper with some of my colleagues where we explored the use of blockchain for countering adversarial attacks in incremental learning.

Memories of a Good Seminar

It has been a bit more than two years since I defended my Licentiate thesis. Here is a wonderful memory from that time! A lot of things have changed since then in the smart home world and also in the course of my research and academic career.


In case you have queries, just feel free to get in touch! I am also very much involved in supervising theses ranging from cutting-edge technologies such as autonomous drones and smart cities to more industry-oriented work such as measuring the effects of GDPR on IoT consumers.

Online Lecture about IoT Security

On 01 October, I was invited to deliver an online lecture about the topic of securing the Internet of Things (IoT) to Lund University Bachelor’s students. I have been researching security and privacy on a full-time basis for the past five years and working on information security for well over a decade.

My lecture consisted of a two-hour presentation, where I focused on some key attacks targeting consumer and industrial IoT applications. Denial-of-service attacks, routing attacks, and service attacks, which we have been talking about for many years, have become even more serious. For instance, think about Mirai, the botnet which broke out in 2016, and other malware targeting unsecured IoT devices such as webcams. This is partly happening due to the interconnectedness of the devices, but especially due to a lack of inbuilt security measures. In this regard, Vint Cerf, one of the computer scientists hailed as a founding father of the Internet, said in an ACM panel in 2017:

“The biggest worry I have is that people building [IoT] devices will grab a piece of open source software or operating system and just jam it into the device and send it out into the wild without giving adequate thought and effort to securing the system and providing convenient user access to those devices.”

Although plugging any device into the Internet is becoming the trend, especially with the rise of the IoT, I believe that companies should put more effort into securing their devices prior to releasing them to the consumer market. Unfortunately, it is still common to run simple attacks, such as SQL injection, against IoT devices and find them vulnerable.

That is a Wrap On Computing 2020

As a follow-up to my previous blog post, I can say that it was an honor to participate yesterday and on Thursday at the Computing Conference 2020.  It was very well organized, professionally executed, and fun!

There was a wide range of presenters coming from different research areas covering computing, AI, security, IoT, and much more. It was also cool to have a Mindfulness and Yoga general session at the conference. This was something unique!

Here is a screenshot of my presentation with the feedback received. I also got private messages about collaboration work, and I truly appreciate those!

My presentation with feedback received.

Once again thanks for the thumbs up and already looking forward to next year’s edition!

Talking about DoS Attacks at the Computing Conference

On Friday, 17 July 2020, I will be talking at the Computing Conference 2020. This conference was going to be held in London, but due to the COVID-19 pandemic it is now going to be held fully online. I am especially excited to listen to the keynote of Vinton G. Cerf. He is widely known as a “father of the Internet”. Cerf is also the vice president and Chief Internet Evangelist for Google. During the conference, I will be talking about Denial of Service (DoS) attacks and how commercial devices are prone to severe forms of this attack.

DoS is a widely used attack vector for various malicious threat agents, from hackers to nation-states. Its consequences range from a nuisance to loss of revenue to even loss of life. Think, for instance, about the effects of disabling medical devices such as pacemakers, drones and weapon systems, connected alarm systems, and so on. In the case of smart homes, DoS may be the first attack used to remove a component from a network in order to exploit a vulnerability. In our study, we found devices manufactured by established commercial players to be prone especially to HTTP GET DoS attacks. This can result in the complete shutdown of the device, possibly remotely, by using a simple exploit with code available over the Internet.

DoS attacks targeting the smart connected home.

Take a look at the conference agenda and have a read of my conference paper. I will be uploading my presentation slides after the conference is held under my Presentations tab.

Feel free to drop me a message or get in touch if you want to know more about this topic or in case you are interested in information security.

The Current State of IoT Security and a Glimpse Into The Future

On Tuesday 10th March, I was invited to give a guest lecture about IoT security at Blekinge Tekniska Högskola (BTH) in Karlskrona, Sweden. Karlskrona is approximately 3 hours away from Malmö.

During my lecture, I gave realistic examples of attacks that targeted IoT systems. For instance, attacks targeting consumer drones, electric cars, and IP cameras. I also discussed the technical, procedural, and human challenges involved in securing IoT and some safeguards.

Blekinge Tekniska Högskola.

In the future, I will work to automate IoT security. Similar to smart devices acting autonomously to perceive and act on their environment, IoT security should evolve towards greater autonomy in detecting threats and reacting to attacks. This evolution relates to the autoimmunity of smart devices, allowing for the prevention and containment of attacks in hostile environments.

You can access a condensed version of my lecture here.


Presenting my research project at LTH

On 4 March 2020, I had the opportunity to present my PhD research project at Lund University. My presentation, titled “Security and privacy in smart connected homes”, was held in front of a mixed audience consisting of key industry professionals and well-established academics. Many interesting questions were raised after each presentation. Two questions were directed to me: one was about updates concerning attacks targeting smart speaker systems, and the other was whether secure regions within the home area network can be configured so that parts of the home, or the entire home, are offline.

The workshop opening slide by Prof. Per Runeson.

Moving on to the discussion part of the workshop, there were different takeaways. One of the main ones was the difficulty of instilling security awareness, especially in the general consumer when purchasing and using IoT products. One can have a lot of security features embedded in a product, but if the customer is not aware of them or does not know how to enable them, then that is a challenge. Another key point that was shared across multiple presentations and raised as a discussion item was the huge spike in vulnerabilities being reported, especially during the past 3 years. Here, it is interesting to investigate what is actually being targeted and the causes of that. Perhaps this is not only related to the digitization of ‘everything’ but also to the constant reuse of software code, including the heavy reliance on software frameworks (including some operating systems that may not have been properly audited). Organizations should remember that, in addition to the tangible benefits gained from building software out of reusable, modular and perhaps open-source components, they automatically inherit those components’ security vulnerabilities and risks.

My presentation at LTH.

I highly encourage you to attend this quarterly workshop, especially if you are into software engineering, but even if you are not. Certainly, you can learn about what’s happening on the research side as well as from industry professionals. Besides, it is a good opportunity to network and share ideas with other like-minded people!

Check the workshop agenda: https://www.lth.se/digitalth/events/?event=softwarelth-workshop-internet-of-things-and-security

My talk in Japan

On Monday 11th March, I attended IEEE PerCom in Kyoto, Japan. PerCom is regarded as a top scholarly venue in the areas of pervasive computing and communications. It is my third year participating in this conference. This year, I presented a paper titled “IoTSM: An End-to-end Security Model for IoT Ecosystems” in PerLS’19 – Third International Workshop on Pervasive Smart Living Spaces.

My presentation, live demos, and paper awards at the International Conference Center in Kyoto (2019).

In my presentation, I talked about how most of the reviewed security frameworks and maturity models tend to focus on securing web applications and services, but have not evolved to cater for the additional complexities and challenges that IoT technologies bring to the table. While most of the security practices remain similar, IoT requires additional checks and balances to implement effective security. Some reasons for this are that IoT applications by their nature tend to be Internet-connected, deal with highly personal data, and feature complex interdependencies involving multiple stakeholders and third-party systems.

Reviewing the existing scholarly literature and interviewing various IoT security experts based in Sweden, we especially observe the need for continuous rather than periodic processes. For instance, when it comes to risk assessment in IoT, it is preferred that it be “continuous” in order to deal with the highly dynamic nature of IoT systems. Unfortunately, there is a shortage of methodologies for that, and most of the related research work is still in its early stages. Moreover, we note the lack of security awareness common across the industry, e.g., with regard to “threat modelling”, as well as its application to modelling data flows, in particular to deal with information privacy. Finally, we recognise the diversity of IoT security requirements. While for a traditional application one needs to ensure service, network, and physical security, for IoT one might also need to consider other requirements, e.g., ensuring resilience, data security, and cloud security. Likewise, IoT may require catering for additional threat agent goals. Such goals may not necessarily be related to confidentiality, integrity, and availability.

Take a look at my presentation: IoTSM: An End-to-end Security Model for IoT Ecosystems

Keynote that made me reflect…

On October 24-25 2018, I attended a conference about Counterterrorism and Criminology (EISIC 2018) at Blekinge Institute of Technology in Karlskrona, Sweden. Among the keynote speakers was Dr. Dieter Gollmann, professor of security in distributed applications at Hamburg University of Technology. Among his wide repertoire of contributions, his textbook “Computer Security” is a household name among Information Security students. Personally, I used it for my Masters and am using it now for my students.

Two key points that Dr. Gollmann mentioned and that made me reflect are: i) that the Internet of Things (IoT), especially when it comes to network security, “is a new balloon for floating ideas”, and ii) that better models than the CIA triad may be needed for IoT systems.

Photo of Prof. Dieter Gollmann taken at Blekinge Institute of Technology on 24-Oct-2018.

On i), it was emphasised that, especially when working on IoT security, one should not coin something as state-of-the-art without having done a proper review of the literature. To do so, one must not simply search for “IoT” and “security”, but should also consult the literature on WSN and MANET security, as otherwise 15-20 years of relevant results may be lost.

In terms of ii), it was suggested to replace the CIA model with a new model, the Control Triad (CO2). In the new model, there are three dimensions: Controllability, Observability, and Operability. These dimensions are important because in a control system, as the IoT is, a threat agent may not be keen on CIA but instead wants to control the system: to put it in a state that the actor wants it to be in, to operate it according to the agent’s liking, and so on.

I hope that this short post will somewhat make you reflect on stuff you may be working on.

Talk about my Research Topics at Vetenskapens Dag

Today, I was invited to speak about my research topics at Vetenskapens Dag (Science Day). Here, I gave a short talk to IT and Economics students at Malmö University where I touched on the following topics:

  • What is a smart connected home?
  • Why is it important to study smart homes?
  • What data are being collected by connected devices?
  • What risks to security and privacy are introduced by such IoT devices?
  • Who are the threat agents interested in gaining a foothold in our lives?
  • What can we do as consumers to protect ourselves?

Below is a screenshot of my presentation cover:

Please feel free to get in touch if you want to know more about this and related topics!