More and more people interact with the Internet of Things (IoT) in daily life.
IoT includes the devices and appliances in homes – such as smart TVs, virtual assistants like Amazon’s Alexa or learning thermostats like Nest – that connect to the Internet.
IoT also includes wearables such as the Apple Watch or Bluetooth chips that keep track of car keys. On top of that, cars, if equipped with sensors and computers, are also part of the IoT.
“Traditionally, when you think about the Internet, it’s someone on a computer communicating with something out in the world – usually someone else on a computer,” said Perry Alexander, AT&T Foundation Distinguished Professor of Electrical and Computer Science and director of the Information and Telecommunication Technology Center at the University of Kansas. “The Internet of Things is called that because now we have things talking to other things on the Internet without human intervention.”
But in an age where data theft and cyberattacks are increasingly routine, the IoT has security vulnerabilities that must be addressed as the popularity of IoT devices grows.
“These devices are characterized by being low-capability,” said Alexander. “The security story with the IoT is pretty awful. Because these devices are cheap and small, you can’t add much capability to achieve the level of security you might want to achieve.”
Alexander is leading a multidisciplinary team at KU, including computer scientists, electrical and computer engineers, psychologists, sociologists and philosophers, to tackle the fundamental science underpinning the security of the IoT. The team has just received funding from the National Security Agency (NSA) to shore up the cybersecurity of the IoT, developing the technology that could be integrated into consumer technology in the coming few years.
“The NSA for the last seven years has had a collection of universities they call ‘lablets’ that execute a collection of projects for them – we were able to compete this year and were one of six selected to host these lablets,” Alexander said. “These are places where the NSA contracts foundational research in the style of the National Science Foundation – big-thinking research. Lablets are centered around the NSA hard problems, specific problems the agency feels they need to solve if they’re going to make progress toward solving our cybersecurity problems.”
One aspect of the research at KU will investigate solutions to “side-channel attacks,” which include Spectre and Meltdown, vulnerabilities revealed to exist in central processing unit (CPU) chips manufactured in the past two decades.
“A side-channel attack is a way of communicating that’s unintended,” Alexander said. “When you go on your web browser to a website, that path is intended. Unfortunately, in any computer system there are ways to communicate that are unintended. Those are side-channel attacks. A bad guy can use these vulnerabilities in everything from a state-sponsored attack to taking credit card numbers.”
Other efforts will focus on securing information in the cloud, where data is saved on remote servers instead of a personal or local machine.
“Almost all IoT devices share or store their information in the cloud,” said Alexander. “If you have an IoT in your house, you probably have a hub that talks to the cloud. How do you protect the information coming from your house, take it into the cloud and protect it while it’s there?”
The team also plans to find ways to enhance resilience, improving IoT devices’ ability to withstand unforeseen interruptions or come back online as soon as interruptions are resolved.
“If you think about a car hitting a telephone pole or a switch going bad or a lightning strike – this pulls part of your network offline,” Alexander said. “Resilience means understanding what capabilities you still have when part of your system goes down and making sure your network can recover once the problem is fixed. You as a human being are very resilient. When you cut your finger making dinner, you don’t collapse. Your skin grows back – in a week you don’t even know it happened. What properties does your skin exhibit that we could take and put in computer systems that would allow them to behave in a similar way?”
Perry and his colleagues also hope to improve trust between computers, in a way that theoretically could scale upward to encompass all the computers on the Internet.
“When my computer accesses another computer, how do I trust that computer to be in a good state?” he asked. “If you and I wanted our computers to talk, and I wanted to trust your computer hadn’t been damaged or compromised in some way, that’s doable. Now, think about all the computers on a college campus — that’s still tiny. Now think about all the computers in the world, that’s different. Originally, you could draw all the nodes for the entire Internet on the back of a napkin. Now we don’t even know how big it is, it’s so expansive and pervasive.”
Much of the work under the new contract combines expertise in computing and communications with multidisciplinary expertise in human behavior and thinking.
“A lot of cybersecurity is related to human behavior – things as simple as are you using strong passwords, or how are you using the internet?” Alexander said.