From left to right: Ishan Mehta, Karl Grindal and Karim Farhat
We all know that allaying security and privacy concerns is decisive if the IoT is ever to deliver on all its hype. Georgia Tech’s Institute for Information Security & Privacy (IISP) is the collaborative focal point behind 11 separate initiatives addressing critical cybersecurity issues. As part of IISP’s 2017 Cyber Security Summit, IGP’s team of graduate students entered a poster competition intended to push ideas to market. That day, security experts met to discuss the latest trends and threats in cyber and later voted for the three most promising projects. We were thrilled to be selected to advance to the Final when we will be eligible for further funding through the National Science Foundation’s Innovation Corps (I-Corps) program and Create-X Startup LAUNCH. Our project consists of implementing a collaborative web-based registry of IoT devices (with a focus on orphaned devices i.e., no longer supported).
There are many characteristics that make IoT security so daunting. The techniques and processes pre-dating IoT in the software industry have significant differences when scaled and cyber-physical interdependencies are introduced. When it comes to constrained devices on a network, the ability to do checksums and signatures is limited. This usually results in master-slave relationships between (weak and/or dumb) devices and smart gateways. This is just one example of where a simple security asymmetry creates vulnerabilities on an unprecedented scale.
There is a multitude of protocols and initiatives in the works aimed to address these concerns.
Lightweight cryptographic primitives and novel methods to manage secure key infrastructure come to mind. Further, as the ratio of IoT devices to security practitioners well exceeds 200:1, there is no question that security will be increasingly automated and incorporate machine-learning going forward. University of Maryland’s Tudor Dumitras explains how malware detection is made possible by mining IEEE security literature in this paper.
From a usability standpoint, however, the problem of coordinating updates across different devices from different vendors remains. Consider that some devices may be geared for industrial automation but are fairly straightforward in their administration while others may look ‘consumer’ but are deployed in a context (say medical) where a third party is managing and administering updates. Interdependencies coupled with no clear information on a manufacturer’s commitment to security support, means the end-user will be left in the dark in all security-related matters.
That is why creating a collaborative registry of IoT devices would be very useful. Think of the Common Vulnerabilities and Exposures (CVE) identifier which provides a public registry of standardized descriptions for each vulnerability or exposure. As with CVE, a registry of IoT devices would speed up the process of information dissemination between responsible disclosure and patching in cases of known vulnerabilities. Otherwise, a registry would reduce the information asymmetry by communicating timely security information to the end user. The end product we envisioned would allow this registry to power an IoT network management dashboard that focuses on security. Regardless of how our project evolves between October and April after VentureLab’s coaching sessions, we hope that our work will contribute towards bridging the needs of essential IoT stakeholders meaning industry, regulators, and the end-user.