Over six billion connected devices in the so-called Internet of Things (IoT) will be in use by the end of 2016, according to a recent Gartner forecast. While the explosion of IoT has the power to transform society, many are concerned as security experts have exposed vulnerabilities in everything from Internet-connected Barbie dolls to SUVs.
“The problem is that these are really low-end, cheap commercial devices with little to no incentive for anyone to build with security,” says CyLab faculty Vyas Sekar, an assistant professor in the department of Electrical and Computer Engineering, “and this is a huge problem because these are things actually interacting with your physical environment. There are serious security and privacy risks.”
The National Science Foundation (NSF) has awarded Sekar $1.1 million over four years to help develop a software-based solution to the problem of IoT security. Sekar is collaborating with two other CyLab faculty members: professors Yuvraj Agarwal and Srinivasan Seshan from the School of Computer Science.
Traditional security solutions like antivirus programs or software patches are fundamentally at odds with the realities of the IoT ecosystem because of the huge diversity of platforms these devices run on—in IoT, it’s not as simple as Windows or Mac. Other challenges include poor security practices by the devices’ vendors, as well as hardware constraints.
To combat these challenges, the team is taking a network-based approach to a solution.
“All bad things happen on the network,” Sekar says. “If you intercept that point of entry—the network—you can envision applying a software-defined shield around each device.”
Sekar likens the proposed software-defined shield to a micro-Kevlar vest that fits any device under any conditions. This “vest” will then act as a gateway for each device, intercepting any illegitimate traffic entering (e.g., malware or malicious commands) or exiting (e.g., sensitive data) the device.
“In some sense, we are starting from the premise that these so-called ‘things’ are fundamentally fragile and unfixable,” Sekar says. “These things will be broken—they have vulnerabilities.”
Any security infrastructure, not just IoT, can be broken down to three components, Sekar says. First, there is the point of enforcement where the infrastructure must distinguish between good and bad traffic. Second, policy abstractions specify the definitions of good and bad, and lastly, the infrastructure must be able to learn what traffic is good and what is bad in an evolving environment.
“IoT is a game changer in the sense that we need to fundamentally rethink how we have been doing each of these tasks in traditional security solutions, because of the cyber-physical interactions and the diversity of these platforms,” Sekar says. “The hope is, even though you have these fundamental flaws in these devices, you will still have a resilient, functional IoT system that keeps the bad guys away.”