IU researchers receive $1.8 million NSF grant to advance ‘internet of things’ security
BLOOMINGTON, Ind. — Is your webcam attacking the internet? Indiana University School of Informatics and Computing researchers have received $1.8 million from the National Science Foundation to ensure that door locks, lightbulbs, cameras and other common household items, which are increasingly connected to the internet, remain secure.
IU School of Informatics and Computing professors L. Jean Camp, Steve Myers and Ryan Henry will use the support from NSF to advance cybersecurity of the "internet of things," a term that describes integration of online connectivity into a growing list of everyday items that also includes refrigerators, washers and dryers, waste and water monitoring systems, and home security systems.
The support is part of an award totaling $3 million to IU and the University of Washington. Camp, Myers and Henry are the primary investigators on the study. Collaborators are Tadayoshi Kohno and Shwetak Patel of the University of Washington.
"The privacy issues in an 'internet of things' environment are numerous," Camp said. "It creates a world where many people may interact with the same technology, and technology may interact with many other technologies. Even in traditional digital environments, like the web, privacy can be extremely challenging; users often aren't even aware it's been compromised."
Among the topics under investigation, Camp and colleagues will explore ways to ensure that the growing sector of connected home technology does not compromise the privacy of unintended users of these devices, such as children, home visitors and homebuyers.
For example, Henry points out that a child's friend may pay a visit to a connected home and unintentionally interact with internet-of-things technology, such as getting their image captured on a video camera, or bring new technology into the home that affects the home's integrated technology. Or unwanted interactions may occur between members of the same family, such as a teenager who purchases entertainment from a smart television using a parent's account.
"A house with numerous built-in technologies may have many people living in it, like parents, children and grandparents, or visitors who temporarily introduce another device into the technological ecosystem," Myers added. "Or, when a family sells a house, they may leave behind their internet-connected devices for the next occupants.
"We're seeking to provide a privacy structure in this environment that will allow people — users and bystanders — to interact with internet-of-things devices, and to enjoy their benefits, but also not suffer unknown information compromises."
The researchers on the project represent a wide range of expertise, including risk perception, risk communication, usable security and human-centered computing.
In the first year of the project, the researchers will assess the current internet-of-things landscape to ensure they're looking "beyond the cutting edge as perceived by industry." They will then work to ensure their findings line up with concerns about privacy among both businesses and consumers, as well as review the technical specs and protocols used to develop the current generation of connected devices, including an analysis of their logic systems, information architecture and code.
A review of public concerns about personal privacy will take place through surveys and interviews, among other methods. IU researchers will also oversee testing of internet-of-things devices with volunteers who aren't experts on technology through "in-situ" testing, or testing in real-life environments, and "cognitive walkthroughs," in which a user is led through a series of specific tasks.
Some of these user tests will be conducted at a Bloomington, Indiana, house owned by the IU School of Informatics and Computing that has been renovated to provide a real-life environment for interaction with "smart home" technologies.
In the last year of the study, the researchers will construct prototype internet-of-things devices that match the requirements revealed through earlier phases of the project. These efforts will feature sessions in which IU students attempt to hack prototype devices developed by the project's collaborators at the University of Washington.
The researchers added that it's critical to explore privacy and security considerations in depth prior to the explosion of the internet of things on the consumer marketplace, as the design, construction and coding of these technologies are tightly interwoven threads. Even a software engineer with advanced cryptographic programming skills cannot repair fundamentally unreliable code after these products are designed and built.
"This work isn't about individual users, it's about considering everyone who might be touched by this coming technology," Camp said. "We're not interested in studying privacy and security as an idealistic goal, but rather in addressing the privacy needs of real people in the real world."
Kevin D. Fryling