SECURITY, SAFETY AND PRIVACY

With new technologies come new risks and threats, and the IoT is no exception.

These can take various forms, from device takeovers to the introduction of malicious software into an IoT network via its hardware. IoT devices and systems are vulnerable to these types of attacks for a number of reasons. Device power constraints mean there is limited capacity to apply the types of security measures you would find on a computer, for example. IoT devices are often located in the environment, giving systems an increased ‘attack surface’. And when it comes to developing IoT devices for the mass market, manufacturers tend to focus on getting products to market cheaply and quickly, with security a lesser priority. The ubiquity of IoT systems also raises questions about the huge quantities of data they produce – how the reliability of data can be assured, and how consent and data privacy can be managed.

Dr Basel Halak, Associate Professor in Cyber Security

Southampton is a leading hub for cyber security research in the UK, recognised by the National Cyber Security Centre as an Academic Centre of Excellence for Cyber Security Research. Our researchers are contributing to new developments in this area, focusing on the specific challenges posed by distributed, cyber-physical systems.

Energy-efficient device security

At the hardware level, one stream of research is developing energy-efficient authentication and security protocols that take the low ‘power budget’ of IoT devices into account. These enable systems to detect whether an adversary has infiltrated the network and deployed a malicious device.

The protocols use a type of hardware security primitive known as physically unclonable functions. This harnesses the tiny variations inherent in every IoT device, which are created by variability in the integrated circuit manufacturing process and can be detected by observing the device’s behaviour in the network traffic. These variations create a unique fingerprint for each device, which the protocol identifies and authenticates. The system can then spot anything incongruent by observing the network traffic, applying machine learning to identify any unexpected behaviour. And because the fingerprint is generated from the underlying hardware, it is much harder for an attacker to create a forged device to mimic it.

Protection against physical attacks

As the interface between the physical and cyber world, it’s necessary for IoT devices to be located in the environment, making them susceptible to physical or invasive attacks. Supported by Arm and the Royal Academy of Engineering, our researchers are developing new techniques to remotely detect whether a device has been tampered with, with a focus on safety-critical or sensitive applications such as power infrastructure and defence.

Based on data from physical experiments, they are using machine learning to classify these types of attacks and differentiate them from non-malicious environmental changes that may affect a device, so that the system can respond accordingly.

Identifying malicious software

Like commercial software, malware evolves over time – as security controls are improved, malware developers will release new versions of their malware to attempt to bypass them. The different versions, similar but with variants, are seen as part of a malware ‘family’, which evolves and grows over time. From the malware analyst’s point of view, it’s important to work out whether a new malware is part of an existing family, as this offers a better understanding of how to deal with it.

To provide this information, our researchers are developing techniques to understand whether new Android malware is part of an existing family. Using existing malware datasets, the malware is executed on a device and metrics are collected, such as how much battery, memory and processing capacity is used.

By applying machine learning the researchers can identify whether this pattern of resource usage resembles those of existing malware families. Ultimately this information could be used to build protection into devices more quickly and give forensic analysts more knowledge to deal with infected devices.

Identifying and tackling propagation attacks

IoT systems are vulnerable to spatial-temporal propagation – where, by accessing one device, a hacker can set off a cascade of failure across a network of devices over time. What seems like a minor attack, if not caught quickly, can introduce major problems.

Our researchers are working on techniques to define, identify and defend against these types of attacks, looking at a range of applications including smart energy meters, vehicle-to-vehicle communications and sensors in offshore oil systems.

Privacy and data consent

IoT devices generate vast amounts of data, and our researchers are investigating questions around data ownership, use and privacy, and human interaction with the data system. For example, how do you balance the trade-off between making personal data more private by adding ‘noise’ or aggregating and summarising it, while retaining its usefulness for its intended application?

One project is looking at privacy in relation to a future ‘internet of vehicles’ (IoV), where connected vehicles will generate data about people’s location, other road users and devices observed by the vehicle, and communication between vehicles. The research is exploring the balance between collecting the minimum personal data while still enabling the IoV to operate efficiently and safely, how more transparency about data use could incentivise people’s participation where personal data is needed, and the design of automated interactions to negotiate data use agreements, giving people more control over what they share.

Automated negotiation was the focus for another study which tackled issues around meaningful consent for the digital economy. Our researchers looked at how an intelligent agent that understood a user’s preferences could negotiate on their behalf about fine-grained data control, balancing user privacy with service providers’ need to gather data for their service, and allowing the wider system to work at an economic level. Other streams of research in the field of data privacy include work on decentralised data architectures to reduce the security and privacy risks associated with central data stores.

Trustworthy IoT systems

Southampton is a partner in the PETRAS IoT Hub, a programme funded by UK Research and Innovation which is investigating different aspects of IoT safety and security. Our researchers are working alongside Web Science colleagues on projects examining the reliability of IoT system data, how secure data sharing can be enabled, and users’ perception of the trustworthiness of the system.

Other projects on the topic of trust and the IoT include designing mechanisms to promote trust among industry stakeholders to enable mutually beneficial data sharing, and data provenance techniques to establish the trustworthiness of IoT data.