LAWRENCE -- Every day, more and more people interact with the Internet of Things (IoT) in daily life. The IoT includes the devices and appliances in our homes -- such as smart TVs, virtual assistants like Amazon's Alexa or learning thermostats like Nest -- that connect to the internet. The IoT also includes wearables such as the Apple Watch or Bluetooth chips that keep track of car keys. Our cars themselves, if equipped with sensors and computers, are also part of the IoT.
"Traditionally, when you think about the internet, it's someone on a computer communicating with something out in the world -- usually someone else on a computer," said Perry Alexander, AT&T Foundation Distinguished Professor of Electrical and Computer Science and director of the Information and Telecommunication Technology Center at the University of Kansas. "The 'Internet of Things' is called that because now we have things talking to other things on the internet without human intervention."
But in an age where data theft and cyberattacks are increasingly routine, the IoT has security vulnerabilities that must be addressed as the popularity of IoT devices grows.
"These devices are characterized by being low-capability," said Alexander. "The security story with the IoT is pretty awful. Because these devices are cheap and small, you can't add much capability to achieve the level of security you might want to achieve."
Now, Alexander is leading a multidisciplinary team at KU, including computer scientists, electrical and computer engineers, psychologists, sociologists and philosophers, to tackle the fundamental science underpinning the security of the IoT. The team has just received funding from the National Security Agency to shore up the cybersecurity of the IoT, developing the technology that could be integrated into consumer technology in the coming few years.
"The NSA for the last seven years has had a collection of universities they call 'lablets' that execute a collection of projects for them -- we were able to compete this year and were one of six selected to host these lablets," Alexander said. "These are places where the NSA contracts foundational research in the style of the National Science Foundation -- big-thinking research. Lablets are centered around the NSA hard problems, specific problems the agency feels they need to solve if they're going to make progress toward solving our cybersecurity problems."
One aspect of the research at KU will investigate solutions to "side-channel attacks," which include Spectre and Meltdown, vulnerabilities recently revealed to exist in central processor computer chips manufactured in the past two decades.
"A side-channel attack is a way of communicating that's unintended," Alexander said. "When you go on your web browser to a website, that path is intended. Unfortunately, in any computer system there are ways to communicate that are unintended. Those are side-channel attacks. A bad guy can use these vulnerabilities in everything from a state-sponsored attack to taking credit card numbers."
Other efforts will focus on securing information in the cloud, where data is saved on remote servers instead of a personal or local machine.
"Almost all IoT devices share or store their information in the cloud," said Alexander. "If you have an IoT in your house, you probably have a hub that talks to the cloud. How do you protect the information coming from your house, take it into the cloud and protect it while it's there?"
The team also plans to find ways to enhance resilience, improving IoT devices' ability to withstand unforeseen interruptions, or come back online as soon as interruptions are solved.
"If you think about a car hitting a telephone pole or a switch going bad or a lightning strike -- this pulls part of your network offline," Alexander said. "Resilience means understanding what capabilities you still have when part of your system goes down and making sure your network can recover once the problem is fixed. You as a human being are very resilient. When you cut your finger making dinner, you don't collapse. Your skin grows back -- in a week you don't even know it happened. What properties does your skin exhibit that we could take and put in computer systems that would allow them to behave in a similar way?"
Perry and his colleagues also hope to improve trust between computers that theoretically could scale upward to encompass all the computers on the internet.
"When my computer accesses another computer, how do I trust that computer to be in a good state?" he asked. "If you and I wanted our computers to talk, and I wanted to trust your computer hadn't been damaged or compromised in some way, that's doable. Now, think about all the computers on a college campus -- that's still tiny. Now think about all the computers in the world, that's different. Originally, you could draw all the nodes for the entire internet on the back of a napkin. Now we don't even know how big it is, it's so expansive and pervasive."
Much of the work under the new contract combines expertise in computing and communications with multidisciplinary expertise in human behavior and thinking.
"A lot of cybersecurity is related to human behavior -- things as simple as are you using strong passwords, or how are you using the internet?" said Alexander.
Researchers from KU participating in the new contract include ITTC and electrical engineering & computer science researchers Alexandru Bardas, Prasad Kulkarni, Fengjun Li, Bo Luo, Garrett Morris, James Sterbenz, Andrew Williams and Heechul Yun. Additionally, Michael Vitevitch from the Department of Psychology, William Staples from the Department of Sociology and John Symons from the Department of Philosophy will be involved in the work. Colleagues at Kansas State University, University of Oklahoma, Marquette University and Syracuse University will also participate in the investigation.
Perry attributes the presence of interdisciplinary centers at KU, such as ITTC, for bringing together investigators from such a wide spectrum of academic specialties around a common set of problems, such as security of the IoT.
"We have people in research centers who otherwise may not talk to each other," he said. "But when the NSA call for proposals came out, I had a team from departments across campus in my head in an hour -- I knew on a first-name basis the people who could help out. That's way ahead of most places. KU's prominence as a liberal arts institution made huge contribution."
The work builds on Alexander's decade-long experience working on projects with the NSA, as well as a Scholarship for Service program with the NSF. Much of the work under the new effort will help train the next generation of cybersecurity experts and extend their knowledge into the private sector in the region and nationally.
"The majority of our funding goes for research assistants," Alexander said. "That's typical for all of our awards. One objective for the NSA is building a cybersecurity community. We will hold a workshop once a year on the Edwards Campus that does outreach to companies that have an interest in the cybersecurity area. We want to bring in companies that we feel are underserved. Part of that will include tutorials and student presentations. Training graduate students and getting them out in the community is something the NSA wants us to do."