Special Issue on Privacy and Trust

We are guest editing a Special Issue on Privacy and Trust in IoT-Based Smart Homes and Buildings, and would like to personally invite you to contribute a paper.

For this Special Issue we are looking for high-quality original contributions including, but not limited to, the topical areas listed below:

  • Novel architectures, concepts, and models for trustworthy smart homes and smart buildings;
  • Privacy-enhancing and transparency-enhancing technologies for smart homes and smart buildings;
  • Privacy-by-design mechanisms for smart homes and buildings;
  • Vulnerability discovery and analysis for smart homes and buildings;
  • Threat modeling and risk assessment for smart homes and buildings;
  • Attack and attacker simulation for smart homes and buildings;
  • Trust and identity management for smart homes and buildings;
  • Access control models for smart homes and buildings;
  • Human factors in privacy and security of smart homes and buildings.

Please spread the word!

More info: https://www.mdpi.com/journal/sensors/special_issues/PT_SM

Keeping Your Smart Home Secure

Smart homes are increasingly being subjected to attacks. The motives for this range from pranking users and causing chaos to cyberstalking and more nefarious purposes. Nevertheless, there are various strategies that residents can use to keep their home secure from intruders. In my latest article, I identify and discuss five of these strategies.

Check out the full article (in Swedish) by clicking here.

A full transcript in English is available to any interested reader.

Some initiatives to help secure smart home devices

Smart home devices make people’s lives more efficient. However, implementing cyber security of smart home devices is just as important as the physical security of our homes. Below are three popular initiatives by governments to help secure consumer IoT, particularly smart home devices.

  • The Department for Digital, Culture, Media, and Sport (DCMS) published a Code of Practice titled “Code of Practice for Consumer IoT Security” to support all parties involved in the development, manufacturing, and retail of consumer IoT. Essentially DCMS guidelines are proposed to ensure that IoT products are secure-by-design and to make it easier for people to stay secure in a digital world.
  • The Federal Trade Commission (FTC) proposed in a detailed report on the IoT concrete steps that businesses can take to enhance and protect consumers’ privacy and security. Additionally, it introduced further guidance for companies to implement “reasonable security” in order to actively enhance and protect consumers’ IoT privacy and security.
  • The European Union Agency for Cybersecurity (ENISA), in its publication titled “Security and Resilience of Smart Home Environments”, presents examples of actions for users to perform in order to: choose a smart home device securely, operate a smart home device securely, and use online services for the smart home securely. ENISA later introduced good-practice guidelines for securing IoT products and services throughout their lifetime.

There are a number of measures and practices identified by the three bodies above that apply to different IoT stakeholders. The stakeholders can range from device manufacturers to service providers to mobile application developers, and more. One core recommendation that applies, especially to device manufacturers, is that of having no default passwords. The recommendation of changing the device’s password, and potentially having a unique password for every device, is something that I emphasize.
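To make the “no default passwords, one unique password per device” recommendation concrete, here is an added Python example (not code from the post or from any of the bodies named above) of a provisioning routine a manufacturer could run per unit: it generates a random credential for each device, refuses a small constructed list of well-known factory defaults, and stores only a salted PBKDF2 hash rather than the plaintext. The function names, the `KNOWN_DEFAULTS` list and the 12-character minimum are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample of shared factory defaults that provisioning must refuse.
# This is an illustrative list, not an exhaustive catalogue.
KNOWN_DEFAULTS = {"admin", "password", "12345", "1234", "default", "root"}

# Assumed policy: anything shorter than this is treated as weak.
MIN_LENGTH = 12

# Alphabet without easily confused characters (0/O, 1/l/I) so a label printed
# on the device can be typed correctly by the resident.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"


def generate_unique_password(length=16):
    """Return a fresh random password for one device, drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_weak_default(password):
    """True if the password is a known shared default or too short."""
    return password.lower() in KNOWN_DEFAULTS or len(password) < MIN_LENGTH


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a new random salt is drawn if none given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def provision_device(device_id, password=None):
    """Create the credential record for one device.

    Returns (record, password). The record holds only the salt and hash, so
    the plaintext exists once, at provisioning time, for the device label.
    """
    password = password if password is not None else generate_unique_password()
    if is_weak_default(password):
        raise ValueError(f"refusing weak or default password for {device_id}")
    salt, digest = hash_password(password)
    return {"device_id": device_id, "salt": salt, "hash": digest}, password


def verify_password(record, candidate):
    """Constant-time check of a login attempt against the stored record."""
    _, digest = hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def provision_fleet(device_ids):
    """Provision a batch; returns records plus the set of distinct passwords."""
    records, passwords = {}, set()
    for device_id in device_ids:
        record, password = provision_device(device_id)
        records[device_id] = record
        passwords.add(password)
    return records, passwords


if __name__ == "__main__":
    records, passwords = provision_fleet(["cam-0001", "cam-0002", "cam-0003"])
    print(f"{len(records)} devices provisioned, {len(passwords)} distinct passwords")
```

The fleet routine makes the property visible: three devices come out with three different credentials, and any attempt to provision a unit with “admin” is rejected before a record is written.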

In case you want to know more about how to secure your smart home or are simply curious about IoT security and privacy, you are welcome to get in touch.

Initiatives being brewed by governments to strengthen the IoT privacy and security

Last week, I was asked by several news reporters what can be done to have more secure and privacy-preserving smart home technologies. In this post, I focus on some of the more recent and upcoming regulations and initiatives that are affecting the IoT world, and are likely to affect it more in the future. Purposely, I exclude the EU GDPR and its US counterpart, the CCPA, as I will talk about those in a separate post.

  • The EU ePrivacy Regulation. This EU regulation aims to ensure privacy in all electronic communications – including instant messaging apps and VoIP platforms, and machine-to-machine communications such as the IoT. Also, it carries an identical penalty regime for non-compliance as the GDPR.
  • The EU Cybersecurity Act. This establishes an EU-wide cybersecurity certification framework for digital products, services, and processes. This includes the IoT, cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare, and qualified trust services.
  • The IoT Cybersecurity Improvement Act of 2020. This new US law establishes minimum security requirements for IoT devices owned or controlled by the federal government. Specifically, it requires any IoT devices purchased by the federal government to comply with the NIST standards and guidelines.

In the future, I will talk about some of the standards and best practice frameworks that can help organizations develop secure and privacy-preserving IoT technologies. Also, I will suggest some guidelines that consumers can adopt to secure their home devices.

Lecturing about security and blockchain in a Master’s course

On 24 November, I was invited to deliver a guest lecture to Master’s students in Computer Science at Malmö University. The lecture’s main topic was IoT security and the application of blockchain as a security-enhancing technology. It was fun doing this 2-hour lecture over Zoom, and I was especially pleased to see some former students attending my lecture.

When introducing blockchain, I focused on a use case where this technology is used for securing drone communication. In particular, I referenced the paper titled “Towards data assurance and resilience in IoT using blockchain”, which uses some of the properties of blockchain for providing instant and permanent data integrity, trusted accountability, and a resilient backend for drones. Blockchain has several other uses, including in smart homes (e.g., as discussed in the paper titled “Blockchain for IoT Security and Privacy: The Case Study of a Smart Home”) and in many other domains.

Recently, I also co-authored a paper with some of my colleagues where we explored the use of blockchain for countering adversarial attacks in incremental learning.

Online Lecture about IoT Security

On 01 October, I was invited to deliver an online lecture about the topic of securing the Internet of Things (IoT) to Lund University Bachelor’s students. I have been researching security and privacy on a full-time basis for the past five years and working on information security for well over a decade.

My lecture consisted of a two-hour presentation, where I focused on some key attacks targeting consumer and industrial IoT applications. Denial-of-service attacks, routing attacks, and service attacks, which we have been talking about for many years, have become even more serious. For instance, think about Mirai, the botnet which broke out in 2016, and other malware targeting unsecured IoT devices such as webcams. This is partly happening due to the interconnectedness of the devices, but especially due to a lack of inbuilt security measures. In this regard, Vint Cerf, one of the computer scientists hailed as a founding father of the Internet, said in an ACM panel in 2017:

“The biggest worry I have is that people building [IoT] devices will grab a piece of open source software or operating system and just jam it into the device and send it out into the wild without giving adequate thought and effort to securing the system and providing convenient user access to those devices.”

Although plugging any device into the Internet is becoming the trend, especially with the rise of the IoT, I believe that companies should put more effort into securing their devices prior to releasing them to the consumer market. Unfortunately, it is still common to run simple attacks, such as SQL injections, on IoT devices and find them vulnerable.

My Final Seminar

On September 18, I had the opportunity to present my PhD work to my fellow colleagues at Malmö University. I had a 25-minute slot, over Zoom, where essentially I summarized my research topic and presented my main contributions to the scholarly and industry community.

The discussion was led by Assoc. Prof. Martin Boldt from Blekinge Institute of Technology. We had a very detailed and insightful 90-minute conversation about smart homes, IoT, security and privacy. After the meeting, I also received detailed written feedback about my work.

Some interesting points raised during our exchange were how homes are evolving and becoming more interconnected to different networks and services (whether it is entertainment providers, healthcare providers, smart grids, and more). With this evolution, the role and function of our home, as well as our expectations of privacy, are changing. What if our intimate data gets into the hands of criminals? What if the companies providing our services get hacked? What if our home technology is covertly spying on our children? These are some of the topics we talked about.

You can take a look at a redacted version of my presentation here. A full version of the presentation will be uploaded in due time.

The Current State of IoT Security and a Glimpse Into The Future

On Tuesday 10th March, I was invited to give a guest lecture about IoT security at Blekinge Tekniska Högskola (BTH) in Karlskrona, Sweden. Karlskrona is approximately 3 hours away from Malmö.

During my lecture, I gave realistic examples of attacks that targeted IoT systems. For instance, attacks targeting consumer drones, electric cars, and IP cameras. I also discussed the technical, procedural, and human challenges involved in securing IoT and some safeguards.

Blekinge Tekniska Högskola.

In the future, I will work to automate IoT security. Similar to smart devices acting autonomously to perceive and act on their environment, IoT security should evolve towards greater autonomy in detecting threats and reacting to attacks. This evolution relates to the autoimmunity of smart devices, allowing for the prevention and containment of attacks in hostile environments.

You can access a condensed version of my lecture here.


Presenting my research project at LTH

On 4 March 2020, I had the opportunity to present my PhD research project at Lund University. My presentation, titled “Security and privacy in smart connected homes”, was held in front of a mixed audience consisting of key industry professionals and well-established academics. Many interesting questions were raised after each presentation. Two questions directed to me were about updates concerning attacks targeting smart speaker systems, and another about whether secure regions within the home area network can be configured to have parts of the home, or the entire home, offline.

The workshop opening slide by Prof. Per Runeson.

Moving on to the discussion part of the workshop, there were different takeaways. One of the main ones was the difficulty of instilling security awareness, especially in the general consumer when purchasing and using IoT products. One can have a lot of security features embedded in a product, but if the customer is not aware of those or does not know how to enable them, then that is a challenge. Another key point that was shared across multiple presentations and raised as a discussion item was the huge spike in vulnerabilities being reported, especially during the past 3 years. Here, it is interesting to investigate what is actually being targeted and the causes of that. Perhaps this is not only related to the digitization of ‘everything’ but also to the constant reuse of software code, including the heavy reliance on software frameworks (including some operating systems that may not have been properly audited). Organizations should remember that, in addition to the tangible benefits they gain from building their software from reusable, modular and perhaps open-source components, they automatically inherit security vulnerabilities and risks.

My presentation at LTH.

I highly encourage you to attend this quarterly workshop, especially if you are into software engineering, but even if you are not. Certainly, you can learn about what’s happening from the research side as well as from industry professionals. Besides, it is a good opportunity to network and share ideas with other like-minded people!

Check the workshop agenda: https://www.lth.se/digitalth/events/?event=softwarelth-workshop-internet-of-things-and-security

2020 academic semester kickoff

Today was the kick-off to the new academic (Spring) semester. I took the opportunity to present an overview of what is expected to be covered in the Information Security course. During this lecture, I also explained to students why it is important to study information security, introduced the course syllabus, and talked about the learning outcomes of the course.

This year, I have about 150 students taking my course. This is a great achievement, especially considering that the course is an elective. Talking to such large groups is always exciting and fun! You can see me below testing the microphone and preparing my laptop before the students start heading to the class. All the lectures are delivered in a classroom setting, but all the material, including slides, supplementary material, and any assignments, is uploaded on the course portal.

Getting ready at Malmö university (2020)

In addition to inviting two external academics as guests, this year I invited two speakers from industry. The speakers have many years of experience working with real-life security use cases and are working with the international companies TrueSec and Fingerprints.