SETIT Project: Security Enhancing Technologies for the Internet of Things

The Internet has grown beyond a network of laptops, PCs, and large servers: it also connects millions of small embedded devices. This new trend is called the Internet of Things, or IoT in short, and it enables many new and exciting applications. At the same time, however, it also creates a number of new risks related to information security. Indeed, several recent attacks on IoT devices and systems illustrate that they are notoriously insecure.

One potential risk to consider is that embedding computers into everyday objects and connecting them to the Internet exposes our physical world to attacks originating from the cyber space. This means that cyber attacks on IoT systems may have physical consequences: depending on the nature of the system, they may lead to damage of physical equipment (e.g., in case of industrial IoT) or even loss of human life (e.g., in case of cyber attacks on road vehicles).

Another problem is that embedded devices with no or weak protection, when connected to the Internet, can put Internet based services and the Internet infrastructure itself at risk. Indeed, weakly protected WiFi routers, web cameras, and other smart devices connected to the Internet are low hanging fruits for attackers that they can compromise easily and use to build a massive attack infrastructure. An example for this is the Mirai botnet, which consisted in millions of compromised IoT devices that were used in the largest DDoS attack ever targeting the Domain Name System of the Internet and making popular Internet based services unavailable.

In the SETIT project, our goal is to improve the security of IoT systems. For this purpose, we work on security enhancing technologies (mechanisms, tools, and methods) applicable in the IoT context. More specifically, we focus on 3 research areas within the project:

1. Application level security for embedded devices used in IoT systems

IoT application logic is implemented in software running on embedded devices and servers, and it is well-known that software vulnerabilities are the primary enablers of successful attacks on many system. Therefore, in this part of the project, we work on detecting software vulnerabilities using different program analysis techniques. This includes detecting vulnerabilities in the applications themselves, as well as in third party software components and libraries used by the applications. Besides advancing some static and dynamic program analysis methods, we develop new statistical and machine learning algorithms for predicting errors in application source code.

2. Platform level security for embedded devices used in IoT systems

Platform level security is concerned with the security of the embedded computing platform on which applications actually run on IoT devices. This is important, because compromising the platform enables an attacker to take full control over the device, including all applications running on it. We work on securing the boot process, hardening the OS, and continuously monitoring the integrity of the software running on the device. We also work on secure remote software update, as well as implementing trusted services on the device such as secure data storage and communications. In addition, we develop a penetration testing (ethical hacking) methodology customized for IoT systems.

3. Algebraic background and cryptographic algortihms that support areas 1 and 2.

In this part of the project, we design and analyze cryptographic algorithms and protocols for IoT applications that fit better the resource constrained environment of IoT systems than traditional cryptographic mechanisms used on the Internet. We also aim at better understanding the algebraic properties underlying some of those cryptographic tools.

Project partners

The project is carried out by a consortium of 3 partners:

Budapest University of Technology and Economics

Coordinator of the consortium and responsible for research on platform level security of embedded devives. Principal Investigator: Levente Buttyán from the CrySyS Lab

University of Szeged

Responsible for research on application level security of embedded devices and involved in research on algebraic background of cryptographic algorithms. Principal Investigators: Tibor Gyimóthy and Rudolf Ferenc from the Department of Software Engineering, and Gábor Nagy from the Department of Geometry

University of Debrecen

Responsible for research on algebraic background and cryptographic algortihms. Principal Investigators: Attila Pethő and Andrea Pintér-Huszti from the Department of Computer Science

Duration

The SETIT project was started in October 2018 and it will end in September 2022 (4 years).

Funding

The SETIT Project has been implemented with the support provided from the National Research, Development and Innovation Fund of Hungary, financed under the 2018-1.2.1-NKP funding scheme (project no. 2018-1.2.1-NKP-2018-00004).

Publications and presentations

Journal papers

Conference and workshop papers

Student scientific conference (TDK) papers

BSc and MSc theses

PhD theses

Patents

Talks