Security and privacy of software-driven IoT systems.
The Internet of Things (IoT) is an integral part of our everyday lives. IoT devices are everywhere: heart pacemakers, smart home appliances, baby monitors, fitness armbands, and cars. There are also industrial and military use cases such as surveillance cameras, industrial and military robots, and large-scale IoT systems like smart cities.
By connecting internet-connected components to different online services, IoT services help users manage their digital lives. Unfortunately, the power of IoT tools can be abused by attackers and users often lack sufficient control to prevent attacks.
IoT apps access sensitive user location, fitness information, the content of private files, or private feeds from social networks, as depicted in Figure 1. This sensitive information can be compromised by insecure or buggy apps. A major challenge is addressing the security and privacy of IoT apps. This is the focus of the CyberSecIT project.
CyberSecIT will develop a practical, secure and privacy-enhancing solution regaining control for end-users and companies over their IoT ecosystems while enjoying all the benefits that come from automated data analysis and autonomous privacy-preserving security monitoring.
CyberSecIT’s ambition is to result in both long-term and impactful benefits for the research community and direct benefits for the Swedish industry in general and the project’s industrial partners. The impact will include:
- Research impact via publications in top-tier scientific venues, keynotes at prestigious forums, and international collaborations with top universities;
- Educational impact via courses in popular PhD summer schools, MOOCs, and the project’s own summer school;
- Industrial impact via real-life demonstrators and standardization activities on the IoT security within W3C and IRTF; and
- Societal impact in line with the strategic need for securing computing systems is identified in Sweden’s national cybersecurity strategy
- WASP impact via high-entropy hotspot activities, strengthening the WASP Cluster on Security for Autonomous Systems, and offering a CyberSecIT summer school to the WASP Graduate School.
The CyberSecIT project addresses two core challenges at the heart of IoT security:
- Automation, enabled by software
- Autonomy, enabled by machine learning technologies
This approach will result in a novel decentralized platform for automated validation and secure deployment of IoT applications based on fine-grained access control, multi-party computation, and confidential computing.
This project aims at protecting IoT services from breaches, enabling rich functionality and utility without compromising security and privacy. The aim is to enable practical and secure solutions while enjoying the benefits of third-party code integration and intelligent use of data analytics.
The project is lead by the main PI, Prof. Andrei Sabelfeld, Chalmers University of Technology. The co-PIs are Prof. Simone Fischer-Hübner, Chalmers University of Technology, Prof. Vicenç Torra, Umeå University, and Prof. Musard Balliu, KTH. The industrial/public-sector partners are Ericsson AB, ICA Gruppen AB, City of Stockholm.
CyberSecIT’s multi-disciplinary nature will trigger valuable synergies with related projects and activities across the focus areas and WASP sites.
Possessing complementary expertise in the disciplines of security, privacy, IoT, software, AI, and Human-Computer Interaction, CyberSecIT is in a unique position to leverage principles of programming languages, software security, applied cryptography, and big data privacy for practical and usable IoT applications.
CyberSecIT will result not only in novel and high-impact research but also in innovative and utilizable platforms for software-driven IoT. CyberSecIT will result in high-entropy hotspot activities available to the entire WASP-affiliated research community. These activities will boost the WASP Cluster on Security for Autonomous Systems in a variety of ways, by organizing joint workshops and seminars and opening up for new collaborations.
In collaboration with the cluster and the WASP graduate school, we will organize a summer school for WASP PhD students in the multi-disciplinary areas of CyberSecIT. Moreover, we will cooperate with the Swedish IT Security Network for PhD students (SWITS), led by Fischer-Hübner, by holding joint research seminars and inviting WASP researchers.
Unfortunately, the power of IoT applications can be exploited by attackers. IoT applications access sensitive user location, fitness information, the content of private files, or private feeds from social networks. This sensitive information can be compromised by insecure or buggy applications. For example, third-party application makers can publish malicious applications to exfiltrate the users’ private information images, videos, SMSes, emails, contact numbers, voice commands, and locations.
Since the interaction between services is materialized on the cloud-based IoT platform via the Internet, IoT applications are susceptible to attacks by the cloud attacker and malicious platforms. Moreover, a malicious user or service may have access to the services of an IoT application, by being part of the user’s audience of a social media post or simply by being able to send emails to the user.
CyberSecIT’s overarching objective is to develop a practical, secure and privacy-enhancing solution regaining control for end-users and companies over their IoT ecosystems while enjoying all the benefits that come from automated data analysis and autonomous privacy-preserving security monitoring.
The chosen approach consists of multiple tracks.
- We will develop a novel decentralized platform for automated validation and secure deployment of IoT applications based on fine-grained access control, multi-party computation, and confidential computing.
- We will design usable, secure, and privacy-enhancing user permission management systems empowered by machine-learning technologies.
- We will enable secure aggregation in mutually distrusting environments and boost autonomy through machine learning technologies.
- We will build demonstrators showcasing the potential of these technologies in real-life contexts, in collaboration with Ericsson, ICA Gruppen, and the City of Stockholm.
CyberSecIT’s multi-disciplinary nature will trigger valuable synergies with related projects and activities across the focus areas and WASP sites. This project will collaborate with the SSF Framework Project WebSec: Securing Web-driven Systems (lead by Sabelfeld) on leveraging the web platform for securing IoT applications.
The project will benefit from Fischer-Hübner’s participation in the EU H2020 PAPAYA and EU H2020 CyberSec4Europe projects on privacy-enhancing ML, usable privacy, and security, as well as the SSF SUR-PRISE project on IoT security and privacy solutions.
The work on secure and private AI will be a catalyst for WASP-related activities led by Prof. Torra, Wallenberg Chair in AI, Umeå University, on privacy and information security. There will be a collaboration with Torra’s projects on data privacy (2 PhDs) and federated learning (2 PhDs).
The project will leverage Balliu’s involvement in the research centers CASTOR, CDIS, and Digital Futures at KTH Royal Institute of Technology, to collaborate on the topics of WP1 and WP4. Three PhDs, funded by these centers and VR, will contribute with their research on secure IoT orchestration and software security.