Cybersecurity concerns are nothing new, but as our lives become increasingly digitized and connected, new threats continue to emerge.
By 2025, an estimated 41.6 billion devices will be online and in active use, according to the International Data Corporation. These are the kind of devices you might find in your home — smart televisions, speakers, security cameras, appliances, etc.
While these devices provide great conveniences, they also collect mountains of data and can communicate with each other and the outside world in ways that pose a threat to a user’s privacy and safety.
Northeastern University professor David Choffnes and other computer scientists will use a $3.4 million National Science Foundation grant to shed light on the vulnerabilities and shortcomings of these technologies as part of an initiative called SPHERE.
“We think of our home networks as a private space—what happens in our home stays in our home. But it ends up that our devices are designed to interoperate with each other, Choffnes says. “They’re quite chatty, to the extent that they are revealing sensitive information, including names, geo-locations and other unique identifiers that can be used to track individuals and tell when they’re home or not.”
Short for Security and Privacy Heterogeneous Environment for Reproducible Experimentation, the project will make an Internet of Things lab on Northeastern’s Boston campus accessible to outside researchers, who will access hundreds of IoT devices remotely through an online portal.
The remotely accessible IoT lab will be the first of its kind, says Choffnes, executive director of the Cybersecurity and Privacy Institute at Northeastern.
Cybersecurity and privacy research can be expensive and time consuming, he says, and a major barrier of entry for many is purchasing the devices themselves.
“This lab will eventually have 500 IoT devices,” Choffnes says. “The idea is that anyone around the world can schedule time to configure these devices in different ways to simulate different deployments—such as in a home and business—and be able to interact with them in automated ways to reveal security and privacy issues that could cause harm.”
The NSF grant, Choffnes says, will allow a lot more research to be done on IoT devices than can currently only be done in person.
“The infrastructure democratizes research on cybersecurity and privacy for IoT systems, allowing any researcher to run experiments, identify problems, and help make our IoT systems safer,” he says.
Daniel Dubois, an associate research scientist at Northeastern University’s Khoury College of Computer Sciences, says the devices will be accessed through an online portal.
“They will have access to an interface similar to an Amazon Web Services interface,” he says. “There will be a list of IoT devices they can reserve and they can choose when and for how long to reserve them.”
The research will help “increase awareness of the security and privacy risks of IoT devices, help create new mitigation strategies for such risks and improve the quality of existing devices through responsible disclosure,” Dubois adds.
“The lab’s mission is to directly benefit its users (not just Northeastern, but the entire global research community) as a tool to access IoT security and privacy research without the need to build and run an in-house IoT lab,” he says.
If a researcher is thousands of miles away, how could they possibly press buttons on an IoT device?
The NSF grant will help researchers at Northeastern find a solution, Dubois says.
One potential solution is by placing all kinds of automated systems like robotic button pushers people can remotely task, he says.
“Let’s say a researcher reserves a smart speaker,” Dubois says. “Using remotely-controlled robotic interfaces, they can press a button on a smart speaker, record their voice and capture whatever the speaker is saying.”
That’s just one of the many innovative solutions the team is exploring.
“We have a combination of sensors and actuators so we can make the remote experience feel like a physical one,” Dubois says.