IoT is Everywhere: Improving Security and Privacy of Smart Technologies and Internet of Things Systems

An informal but often used measure of a researcher’s success and significance is the number of times their work has been cited by other researchers.

As of this writing, Stevens Institute of Technology electrical and computer engineering Anson Wood Burchard Endowed-Chair Professor James Xiaojiang Du has been cited, per Google Scholar, more than 22,000 times.

Du’s research focuses on security and privacy issues related to a variety of systems, including mobile devices, wireless and computer networks, artificial intelligence and machine learning, and cyber-physical systems, which combine sensors and algorithms to control physical objects. Du has been elected as both an Association of Computing Machinery Distinguished Member and an Institute of Electrical and Electronics Engineers (IEEE) Fellow for his outstanding scientific contributions to computing and wireless security respectively. He has been awarded more than $8 million in research grants from the National Science Foundation (NSF), U.S. Army, U.S. Air Force, the Commonwealth of Pennsylvania and Amazon.

Most recently, Du has been studying security and privacy concerns relating to Internet of Things (IoT) systems — all those automated speakers, locks, thermostats, TVs and other smart technology devices networked via the internet that are now widely used in many homes, buildings and offices. His most recent development, an IoT security system called Home Automation Watcher, can detect anomalies in smart home technology systems with over 97% accuracy.

Estimated at $800 billion worldwide, the IoT market has attracted such major players as Apple, Google, Amazon and Samsung. But with more than 100 different smart technology platforms attempting to work in tandem, along with their continual transmission of data back and forth to internet-based cloud servers, IoT devices are especially vulnerable to errors, malicious disruptions and cyberattacks that can threaten personal privacy, safety and security.

Du notes that addressing such issues is not merely an academic exercise. In what is now an unavoidably connected world, improving the security and privacy protections of IoT systems and smart technologies are a concern for literally everyone, whether they personally use a smart device or not.

“Most of us either use IoT devices or will be soon in our daily life and work,” Du explained. “But the security and privacy protection of IoT systems is relevant for everybody because IoT systems and devices are widely used in many areas — the smart home, smart office, smart factories, smart grid — even smart military bases and, in the near future, smart healthcare and smart hospitals. Basically smart everything. IoT is everywhere. So this research has a big impact on our lives and society.”

Improving IoT anomaly detection

Anson Wood Burchard Professor James Xiaojiang DuIn an ideal world, one’s suite of smart technologies would all perform together harmoniously like a well-tuned orchestra. When a user left for work and closed their smart garage door, for example, this action would automatically turn on their smart security system, trigger the smart lock on their front door to close and adjust the temperature on their smart thermostat. When the user returned home later and triggered their smart garage door to open, the smart security system would disarm, the smart front door would unlock and the smart thermostat would again change the ambient temperature for the user’s optimal comfort.

Many unexpected things can go wrong to disrupt, damage or conflict with this process, however, creating anomalies that have the potential for creating safety and security issues.

In collaboration with researchers from Temple University and the University of South Carolina, Du has designed and developed an IoT security system called Home Automation Watcher (HAWatcher) that can detect anomalies in a smart home technology system’s chain of events, notify the user of the anomaly and take measures to correct the problem.

“For example, anomalies could be caused by malicious cyberattacks. When you're not at home, an attacker could remotely open your door, and then someone could get in and steal your belongings. Or they could remotely turn on the smart oven and cause a fire and burn the house down,” Du explained. But with the HAWatcher system in place, he said, “if the door is found open while there's nobody at home, our system can close it. If the smart oven gets turned on without anybody there, then we can turn it off.”

Existing methods for anomaly detection rely on mining data from a smart home’s event logs alone, which Du says misses a large amount of information and results in a high number of false alarms while overlooking many genuine anomalies. HAWatcher, in contrast, uses both event logs and semantic information (such as apps, device types, device relationships and installation locations) to develop hypothetical simulations of a smart home’s normal behaviors. Inconsistencies between the smart devices' real-world states and their simulated states are reported to the user as anomalies. 

Using off-the-shelf smart devices and their accompanying app software, Du and team evaluated their system against 62 different anomaly cases in four real-world testbeds: a two-story house, two one-bedroom apartments and one two-bedroom apartment. HAWatcher’s results were stellar, significantly outperforming other existing approaches, said Du.

“We can detect the various kinds of anomalies with over 97% of accuracy,” he said.

Addressing cross-platform (lack of) communication

According to a survey conducted by Du, most users install multiple IoT devices from multiple different companies for use in the same space, such as a smart lock from August, a smart speaker from Google and a smart light from Philips all running in their home simultaneously. But because these different IoT platforms don’t have the ability to talk to each other, automation rules programmed on one platform can counteract or conflict with those set on another platform.

Say, for example, a rule is set on Platform A to lock the front door at 11 p.m., and a different rule is set on Platform B to unlock the door when the user is detected in close proximity to the door (suggesting that the person either wants to enter or leave).

“The rules are on two different platforms, and each platform individually looks fine,” said Du. “The problem is, when the user gets back from being away, Platform B is supposed to open the door. But if it’s after 11 p.m., Platform A says the door should remain locked. That will prevent the other rule from running.”

Instances of multiple platforms acting at cross purposes can also put the safety of people or property at risk.

For example, Platform A might have a rule set to turn on the heat when the temperature inside the house falls below 68 degrees. Platform B, meanwhile, might have a rule set that says to open a window when the temperature inside reaches 70 degrees.

If the user is home, such rules could help maintain the internal environment to the user’s liking. If the user is not home, however, such rules could expose their house to burglary as the rising heat initiated by Platform A triggers Platform B to open a window despite no one being present.

“If you only have one platform, these things would not happen or you could easily see the problem. But if it’s two different rules that are set up in two different platforms, the platforms don't see the conflict, and it's difficult for users to see as well,” said Du.

With grant funding from the NSF, Du and researchers from the University of South Carolina have designed a solution to detect and address such conflicts while requiring minimal change to the existing platforms.

“Our system sits in the middle between the smart home and the cloud platforms. It detects conflicts and tells the user, ‘You have two rules — one in the Google platform, one in the Samsung platform — and they have a potential conflict.’ It then suggests a way to fix it.

Protecting privacy

IoT devices collect and transmit a great deal of data in order to function, much of it sensitive or privacy-related. For example, to turn on lights or change the temperature in the appropriate room, smart sensors must be continually monitoring where a user is and sending that information to the cloud.

The majority of data collected and flowing out to a cloud platform is not needed to trigger automation actions, however.

In fact, Du’s analysis of more than 200 of the most popular apps available on the Samsung platform found that the vast majority of data collected by IoT systems is not necessary for or relevant to the system’s function.

“We determined you only need about 3% of the data collected sent to the cloud,” Du said. 

The more data that is transmitted, the more chance that such data could be intentionally or unintentionally circulated beyond the user’s desired purpose, such as stolen via a cyberattack or shared with a third party for advertising purposes.

To protect against the unnecessary sharing of sensitive data, Du has designed and developed PFirewall, a customizable data-flow control system that minimizes the amount of data flowing between IoT devices and the cloud platform that collects it. This project is in collaboration with Temple University and the University of South Carolina.

“When there's a new IoT event generated, the system will look at whether this event is useful for the IoT platform for the user’s purpose. If it is, we'll let that data go to the cloud. If not, we will block the data because it's not useful from the user's point of view,” Du said.

By reducing the amount of data transferred to only what is necessary for the desired automation to successfully function, he said, “our system significantly reduces the risk of privacy leaking, interference and other privacy risks.”

Making smart technology smarter

Du’s research, including his anomaly detection system, has been published by the top computer security conferences in the world, including the USENIX Security Symposium, the IEEE Symposium on Security and Privacy, and the Network and Distributed Systems Security Symposium. He has authored more than 500 papers during his 20-year career and joined the Stevens faculty in Fall 2021.

In addition to bipedal robots and the more than 100 IoT devices installed in his research lab, Du uses numerous smart technology devices in his personal life and home, including smart speakers, locks, TVs and lights.

But does knowing what he knows as a cybersecurity expert about the security issues associated with these devices make him any more concerned about using them?

“Not really, because I know where the vulnerabilities come from, and I know how to prevent or detect those kinds of things,” Du said. “So at least for me, it makes me actually have more confidence.”

“In general, most of the commercial products are pretty safe and secure,” he added. “But once in a while there's some new vulnerability, or because these devices must work together, there's some new issue that comes up. That is what we’re studying.”