Building secure and private IoT systems
The Internet of Things (IoT) is reaching critical mass in many sectors of the economy, with the prevalence of IoT devices creating significant challenges for the safety, security, reliability, and privacy of consumers and enterprises that use them. Companies currently spend billions on enterprise IoT lifecycle management, but still struggle with security and privacy vulnerabilities, service disruptions, and costly, inefficient, and ineffective remediation methods. Consumers love the convenience of IoT devices, but are increasingly concerned that personally identifiable information is being collected, and that this information may be stolen or misused.
It is increasingly evident that current approaches are ill-equipped to address the security and privacy challenges that will arise in IoT deployments on several dimensions:
Scalability: Manual security approaches that work for a few hundred IT devices will not scale to billions of IoT devices.
Speed and Cost: Identifying and remediating security vulnerabilities remains largely based upon human effort, and thus operates at human speed (days, months, or years) and at human cost. This needs to be automatic and autonomous, taking only seconds or minutes.
Safety and Security: Existing IoT devices may be in service for years, while new greenfield devices are continually being added. New approaches are required to enable ongoing safety and security updates to existing devices without assuming a homogeneous ecosystem.
Uptime and Reliability: IoT devices have specialized functions that require strict uptime (e.g. 24/7 operation) and reliability (low-latency response) guarantees. Unfortunately, they lack the management, monitoring, and user interfaces (e.g. keypad and screen) needed to meet these goals.
Compliance: IoT devices collect large volumes of raw data, but do not deal with the compliance and privacy requirements that arise in deployments. Consumers and enterprises need effective ways to ensure data is collected appropriately and responsibly, and disclosed only as necessary and only to authorized parties.
IoT labels will help consumers figure out which devices are spying on them
A team of CyLab researchers has developed a prototype security and privacy “nutrition label” that performed well in user tests. To develop the label, the team consulted with a diverse group of 22 security and privacy experts across industry, government, and academia.
Apps are rife with privacy compliance issues, and here’s some evidence
A team of researchers from Carnegie Mellon University and Fordham University recently created the Mobile App Privacy System (MAPS), a tool that uses natural language processing, machine learning, and code analysis to identify potential privacy compliance issues by inspecting apps’ privacy policies and code.
NSF awards $1.2M to create a digital assistant to answer people’s privacy questions
The National Science Foundation (NSF) has awarded a $1.2 million grant to a team of researchers from Carnegie Mellon University, Fordham University, and Penn State University to develop a tool—a “privacy assistant”—that will allow users to simply ask questions about the privacy issues that matter to them.
BUYER UNAWARE: Security and privacy rarely considered before buying IoT devices
In a study presented at the ACM CHI conference in Glasgow earlier this month, researchers from Carnegie Mellon University’s CyLab found that security and privacy risks may not be on the list of considerations when consumers purchase new IoT devices.
First round of Secure and Private IoT Initiative funded projects announced
CyLab’s Secure and Private IoT Initiative (IoT@CyLab) has broken ground as the first round of funded proposals has been announced. Twelve selected projects will be funded for one year, and results will be presented at the IoT@CyLab annual summit next year.
CyLab study: Romantic couples are sharing online accounts in security-compromising ways
A CyLab research team surveyed 195 participants about their relationship status and account-sharing behavior across a multitude of popular websites. The survey revealed users engaging in unsafe security practices.