How the Internet of Things Can Actually Protect Your Data
Stevens Ph.D. Student Designs Open-Source Cybersecurity Solution Using All Your Devices
Ioannis Agadakos wants to keep you—and your stuff—safe.
Agadakos is a third year Ph.D. student at Stevens Institute of Technology. Studying in the Department of Computer Science under assistant professor Georgios Portokalidis, Agadakos’ research area is cybersecurity. His focus is on using the internet of things as a basis for security systems.
The internet of things is the interconnection of computing devices embedded in everyday objects via the internet. Most people have a computer, smartphone, smartwatch, fitness tracker and other devices all connected to each other. All of them share information. All of them have different security protocols.
Agadakos’ research involves using the internet of things in two ways: safely identifying users, and safely tracking their stuff. His projects are "two sides of the same coin," he explains, in that they’re a tool that can be used in both good and bad ways. The kind of cybersecurity systems he’s building are in the crowd-sensing category, which is technology used by smart cities to mitigate traffic and monitor water quality. But the technology can also be used to steal identities online and violate users’ privacy. Agadakos is working to maximize the technology's potential for good.
Using Your Devices to Identify Your Patterns
Identifying users in the internet of things has great potential for harm. Many people use radio-frequency identification (RFID) cards to access their offices and other locations with potentially sensitive information. When they touch the card to the reader, "the lock assumes that the person using the card is the right person," Agadakos says.
There is no way to guarantee that right now.
His solution? An implicit authentication smart system that monitors your behavior and learns from it. It will use "collected information from all the devices you own, not just your smartphone," Agadakos explains, listing identifiers like the way you walk and the way you type, when you unlock your phone, when you charge it, when you’re walking with it in your pocket and even when you’re driving. All of those patterns were drawn from Agadakos’ phone and Fitbit over the course of a year. All of them are unique identifiers, as he and his team discovered:
My schedule is that around 2:00 I go for lunch. I tend to be repetitive around work days. If my phone sees that pattern, and matches that pattern with my normal schedule, it would know that the phone has a high probability of being with me, the correct user.
"All of that information will be aggregated to a service," he says, laying out the end goal of his project. That service will weigh the data it would aggregate from you and assign it a score based on how similar the patterns are to yours. It’ll check that data every five minutes. If the device doesn’t receive any new data—say, because you lost it—it’ll lock automatically. If not, it’ll generate a key for you. "If the key from that service matches your profile, the system provides you a unique card" that only you can use, he explains.
Achieving Security Through Publicity
The second part of Agadakos research revolves around low-power Bluetooth tracking tags, the kind you put on devices to track their location if they go missing. As helpful as those tags are, they are unsettlingly easy to hack—as Agadakos discovered while researching. "I was able to attack the server and rip information from all users," he says of one company. "I could receive tag information [whatever nickname people used to distinguish different tags]. I could even query people’s whereabouts if I wanted to."
Agadakos informed the company of the leaks and they fixed it, but it took them over a year. "I did it silently, without any logs from the server," he says, meaning the company had no way to track him—which is the same way a hacker would do it. "If I were malicious, it would be too easy to get all that information and track and harm people. One could simply rob someone while they're away at work while monitoring their whereabouts."
Agadakos and his team came up with a cryptography-based solution that sounds more low-tech than you’d expect: "Can we build something that would require no security from a central service, like a huge bulletin board?" he says, summarizing the team’s approach. "A bulletin board, by definition, is visible to all and requires no security. We felt that would be a good option without leaking sensitive information, like your location."
It would work like this, as he explains:
Each tag broadcasts a signal, which gets reported to a server. Each tag has two parts: a public and a private part. Only the owner has the private part of the key, and that's a distinct signifier that lasts a lifetime. The public tag broadcasts a matching encryption key to the private tag. If you lose something and want to locate it, you go on the bulletin board using cryptographic protocols, anonymously contact the person who observed your tagged item and securely retrieve the location of your item. Only the true owner of the tagged device, who possesses the private part of the key, may ask for the device. The owner can’t lose the private part because it’s linked to a web account. For added safety, the key changes every five minutes. If you lose your wallet, you’ll know exactly when you lost it because you won’t be able to update the key. But you can go to the bulletin board, contact a user directly using services in your phone, prove your identity by sending a plain text key unique to you, and the user of the tag attached to your wallet will send you its location.
All of this happens automatically. Without user interaction. In public.
That design has gotten good feedback from the community. "Anyone can verify if we have flaws," Agadakos says. "I believe we will have very good impact.”
This approach would also mitigate any leaks and secure user data on the company’s side, allowing them to pay less for security personnel or infrastructure since "you can be secure without it," as Agadakos puts it.
"We achieve security through publicity," Agadakos says. "Everything is in the clear. If you use obscurity, you’re just praying someone won’t use it for ill."
Pursuing Security Solutions
He’ll present his bulletin board system at the upcoming Mobisys conference. He’s also working on a third paper on control flow integrity, and will even be headed to Stanford as a summer associate researcher. "They contacted me after my first paper was published," Agadakos says. "The lack of security in the plethora of new devices and gadgets in the market is a serious problem, for simple users and government installations alike. The company, as a frequent government contractor, is tasked to bring light to this unexplored area. We will look for metrics and classify threats that stem from the adoption of these new technologies." It’s an open contract, but he’ll initially be there until September.
So why the focus on security? Because Agadakos is a "very private person," he says. "I value privacy extremely. That’s what steeped my interest in security and privacy. Security has given me a unique perspective in how to improve everything. It’s taught me how to find flaws… and [while] security people take flaws and use them as stepping stones to find something else, those flaws can have other uses."