My Final Seminar

On September 18, I had the opportunity to present my PhD work to my fellow colleagues at Malmö University. I had a 25-minute slot, over Zoom, where I essentially summarized my research topic and presented my main contributions to the scholarly and industry community.

The discussion was led by Assoc. Prof. Martin Boldt from Blekinge Institute of Technology. We had a very detailed and insightful 90-minute conversation about smart homes, IoT, security and privacy. After the meeting, I also received detailed written feedback about my work.

Some interesting points raised during our exchange are how homes are evolving and becoming more interconnected to different networks and services (whether it is the entertainment providers, healthcare providers, smart grids, and more). With this evolution, the role and function of our home, as well as our expectations of privacy, are changing. What if our intimate data gets in the hands of criminals? What if companies providing our services get hacked? What if our home technology is covertly spying on our children? These are some of the topics we talked about.

You can take a look at a redacted version of my presentation here.  A full version of the presentation will be uploaded in due time.

Interesting Book Showed Up In My Mailbox

Today, I am happy to have received a hardcopy of the book – Privacy and Identity Management. Data for Better Living: AI and Privacy. There is a chapter in this book, which I have authored together with my academic advisor titled: “On the Design of a Privacy-Centered Data Lifecycle for Smart Living Spaces.” In that article, I have identified how the software development process can be enhanced to manage privacy threats, amongst other things.

Hardcopy of the book “Privacy and Identity Management. Data for Better Living: AI and Privacy”

All the articles included in the book are certainly worth a read, covering various aspects of privacy from technical, compliance, and legal perspectives.

Investigating Privacy Threats in Smart Homes

On Tuesday, I gave a presentation at PerCom 2020. This was the first time the conference was held completely online (due to the global pandemic of COVID-19), and speakers were asked to deliver their presentations remotely over Zoom.

In my case, I gave two live presentations in the Work In Progress (WiP) session chaired by Diane Cook. During this time, I discussed how smart connected homes can be formally modeled so that privacy threats can be systematically identified and analyzed. Take a look at my short teaser clip below.

In case you are interested in the accompanying poster for my presentation, you can access it either from my Presentations menu tab or otherwise by clicking here.  Also, I have uploaded the slides for the video which you can access here.

As always, please feel free to contact me in case you want to know more about this paper, and about security and privacy in general. Finally, I want to remind and encourage you to submit to PerCom or its workshops. You can get some high-quality feedback on your work that can help you improve it and more.

The Current State of IoT Security and a Glimpse Into The Future

On Tuesday 10th March, I was invited to give a guest lecture about IoT security at Blekinge Tekniska Högskola (BTH) in Karlskrona, Sweden. Karlskrona is approximately 3 hours away from Malmö.

During my lecture, I gave realistic examples of attacks that targeted IoT systems, for instance, attacks targeting consumer drones, electric cars, and IP cameras. I also discussed the technical, procedural, and human challenges involved in securing IoT and some safeguards.

Blekinge Tekniska Högskola.

In the future, I will work to automate IoT security.  Similar to smart devices acting autonomously to perceive and act on their environment, IoT security should evolve towards greater autonomy in detecting threats and reacting to attacks. This evolution relates to the autoimmunity of smart devices allowing for the prevention and containment of attacks in hostile environments.

You can access a condensed version of my lecture here.

Presenting my research project at LTH

On 4 March 2020, I had the opportunity to present my PhD research project at Lund University. My presentation titled “Security and privacy in smart connected homes” was held in front of a mixed audience, consisting of key industry professionals and well-established academics. Many interesting questions were raised after each presentation. Two questions directed to me were about updates concerning attacks targeting smart speaker systems, and whether secure regions within the home area network can be configured to have parts of the home or the entire home offline.

The workshop opening slide by Prof. Per Runeson.

Moving on to the discussion part of the workshop, there were different takeaways. One of the main ones was the difficulty of instilling security awareness, especially in the general consumer when purchasing and using IoT products. One can have a lot of security features embedded in a product, but if the customer is not aware of those or does not know how to enable them, then that is a challenge. Another key point that was shared across multiple presentations, and raised as a discussion item, was the huge spike of vulnerabilities being reported, especially during the past 3 years. Here, it is interesting to investigate what is actually being targeted and the causes of that. Perhaps this is not only related to the digitization of ‘everything’ but also to the constant reuse of software code, including the heavy reliance on software frameworks (including some operating systems that may not have been properly audited). Organizations should remember that in addition to the tangible benefits you gain from building your software from reusable, modular and perhaps open-source components, you automatically inherit security vulnerabilities and risks.

My presentation at LTH.

I highly encourage you to attend this quarterly workshop, especially if you are into software engineering, but even if you are not. Certainly, you can learn about what’s happening from the research side but also from industry professionals. Besides, it is a good opportunity to network and share ideas with other like-minded people!

Check the workshop agenda: https://www.lth.se/digitalth/events/?event=softwarelth-workshop-internet-of-things-and-security

My Presentation at FHNW

This week, between August 19-23, 2019, I was in Switzerland attending the International Federation for Information Processing (IFIP) Summer School at the University of Applied Sciences Northwestern Switzerland (FHNW) in Brugg/Windisch. Attending this school is of great benefit to strengthen your network of professional and academic contacts, especially for those working on Information Privacy. Topics covered in the jam-packed schedule included: the ethics of Artificial Intelligence, sensors and biometrics, privacy by design (PbD), identity management, users and usability, and more.

On Tuesday 20, I presented my paper therein titled: “On the Design of a Privacy-Preserving Data Lifecycle for Smart Living Spaces” in the “Privacy by Design” track. I had a 30-minute presentation slot and, following that, a 10-minute critical review from two pre-assigned paper discussants, including questions from the attendees. I have to say that I have received very positive and constructive feedback. Hereunder is a photo of myself presenting some of the related work in PbD, threat analysis, and threat modeling.

Explaining the related research work before positioning my contribution.

Overall, I can say that there were some fantastic keynotes and excellent presentations from diverse PhD students. Especially, I liked the keynote “Privacy as Innovation opportunity” by Marc van Lieshout from Radboud University. In particular, I enjoyed his mentioning of Alan Westin’s privacy dimensions: reserve, intimacy, anonymity, and solitude; and how these are to different extents being hampered by privacy-evasive technologies, affecting the physical, individual, collective, and virtual dimensions of human beings. At the same time, I like his take on the increasing market of privacy, in particular with privacy service features such as activity monitoring, assessment manager, data mapping, etc.

My advice: if you are a doctoral student or interested in learning information privacy from a computer science or informatics standpoint, I highly recommend that you attend the IFIP school at some point. Typically, there are ECTS credits for this course (possibly 1.5 HP – 3 HP) if you attend and/or present your paper. In the meantime, check out my presentation (redacted version). The full version will be uploaded after the paper gets published.

Talk about my Research Topics at Vetenskapens Dag

Today, I was invited to speak about my research topics at Vetenskapens Dag (Science Day). Here, I gave a short talk to IT and Economics students at Malmö University where I touched on the following topics:

  • What is a smart connected home?
  • Why is it important to study smart homes?
  • What data are being collected by connected devices?
  • What risks to security and privacy are introduced by such IoT devices?
  • Who are the threat agents interested in gaining a foothold in our lives?
  • What can we do as consumers to protect ourselves?

Below is a screenshot of my presentation cover:

Please feel free to get in touch if you want to know more about this and related topics!

Password reuse in different smart home products

Researchers from Ben-Gurion University of the Negev have found that smart home devices can be easily hacked and then used to spy on their users. Omer Shwartz et al. in their research paper analysed the practical security level of 16 popular IoT devices ranging from high-end to low-end manufacturers.

Amongst other things, they discovered that similar products under different brands share the same common default passwords. In some instances, the authors claimed that such passwords were found within minutes and sometimes simply by a web search for the brand. Devices in their study included baby monitors, home security and web cameras, doorbells, and thermostats. Using such devices in their lab, they were then able to, for example, play loud music through a baby monitor, turn off a thermostat, and turn on a camera remotely.

Exactly as I discussed today in my PerCom’18 presentation in Greece, manufacturers should avoid using easy, hard-coded passwords, and should be held more accountable for their products and services. At the same time, the end-user, as a countermeasure, should try to change default passwords or to disable privileged accounts on the device. But, ultimately, security should never be an afterthought but built in from the beginning of the development lifecycle.

In our work, we have identified hundreds of insecure smart connected cameras deployed on the Internet in different places in the world. Similarly, we observed that most of the vendors left their default passwords inside the devices, or had banner information with sensitive data, e.g., firmware version, port numbers, manufacturer names, that can be used to compromise the security and privacy of householders, business owners, and more.

Risks to Consider Before Buying a Smart Home Device

People are increasingly buying voice-activated speakers (also called digital voice assistants or intelligent personal assistants) and other smart devices for added convenience, enhancing security, and also for entertainment purposes. But doing so blindly, without assessing risks involved with such technologies, can give intruders an accessible window into our homes and personal lives. Here are some risks that you may want to consider before purchasing a smart device for your house:

Listening In: Many new devices are being manufactured with built-in microphones. New generation devices falling in this category include, for instance, smart speaker systems such as Amazon Echo and Google Home, as well as smart TVs, TV streaming devices, and Internet-connected toys. Many of these devices are constantly listening in for your commands, and when they receive them they connect to corporate servers (which can be located anywhere in the world) to satisfy your request. What if you are having private conversations at home? Are these getting sent to the Internet without your awareness? Indeed, some devices do just that (yes, you may have unknowingly already accepted the vendor’s privacy policy or terms-of-use if that exists!). What can you do then? Well, devices typically have a mute function that disables the device microphone(s). But the question remains, can we actually verify what the manufacturer promises? Further to that, if data is sent over the Internet can it really be removed? I highly doubt that.

Watching You: Cloud security cameras let you check in on your pets, children, and your home status when you are away, typically through your smartphone, tablet, and other handheld computing devices. Some devices routinely send video footage to online storage automatically while others do so when triggered, for example, by a motion sensor (typically signalling that an intruder or an unauthorized visitor is nearby). Reputable brands are likely to take security seriously, but no system is bulletproof. If you want to stay extra vigilant then you might want to turn the camera to face the wall or just unplug it altogether when you do not intend to use it. However, this is not a viable solution for many. Thus, my suggestion is that you should carefully inspect the device technical specification and assess whether the company is taking security and privacy seriously!

Digital Trails: Smart locks let you unlock doors from anywhere with an application installed on your digital devices. With this, you can let in guests even when you are away or when you have your hands full with other things (yes you can also connect your smart lock with a digital voice assistant). Similarly, landlords can automatically disable your digital key when you move out, and parents can keep an attentive eye on the time their beloved teens are coming back home. At the same time, intruders might try to hack the system not only forcibly with hardware tools but also through software hacking tools. Smart locks also pose a risk to privacy as usage of such keys leaves a digital trail. This trail can also be used in forensic investigation. This is an added attack surface that these digital devices bring into our lives, into our homes.

In this article, we scratched the surface of risks brought forth by smart devices. If you want to learn more about risks when purchasing smart home devices, as well as about the different types of intruders spying on your home, take a look at my paper.