Handling smart devices wisely

May 28, 2020

INTERSCT.: looking at cybersecurity in a different way

We are coupling more and more devices to the internet, but in many cases with inadequate security. A national project to make manufacturers and consumers more aware of the security risks has started this spring and is led by TU/e professor Sandro Etalle.

Smart lamps, a smart doorbell, thermostat, smoke alarm or smart toothbrush. More and more devices are being linked to the internet – also known as the Internet of Things (IoT) – so you can operate them with your smartphone.

How convenient to be at work yet able to tell the delivery person standing on your doorstep where the package can be left, or to have a toothbrush that changes its brushing program to suit you, based on facial recognition. They promise to make your life easier but smart devices also involve very real risks. What happens to all that data they are generating and sharing? And what is the manufacturer doing with all your personal information?

Last year it was announced that TU/e will be leading a national research project designed to make the Internet of Things more secure. Taking part in this project ‘An Internet of Secure Things – INTERSCT.’ are forty-five bodies: universities, companies, civic organizations and government agencies.

Together with Harold Weffers, coordinator of external partnerships, TU/e professor of Cybersecurity Sandro Etalle is the driving force behind INTERSCT. “It’s a very good thing that we work with a highly multidisciplinary team”, says Weffers. “We depend entirely on services on the internet these days. But this convenience has a downside. Imagine that a hacker gains access via the solar panels on your roofs to other devices on the network. While this is certainly damaging, it’s a problem that as an individual user you could shrug off. But what if this were to happen to a large group of users at the same time, making it a Distributed Denial of Service (DDoS) attack?”

“The huge increase in smart devices and the lightning fast developments related to the IoT are forcing us to look at cybersecurity in a different way”, Etalle explains. “This isn’t a problem we can lay wholly at the consumer’s door. There are already some twenty billion smart devices coupled to the IoT and this number is increasing rapidly. A system like this is very complex and dynamic, and we are now seeing that little control is being exercised over how it develops. This has consequences for security and privacy issues. With the INTERSCT. project, we want to keep the IoT manageable and secure, and this requires a systematic approach.”


Whole chain approach

For a couple of years now, Etalle has been one of the authors of the National Security Research Agenda (NSRA), an agenda for national research on digital security. The NSRA is divided into five pillars: design, defense, attacks, organization and privacy. The meetings to develop the NSRA gave rise to a new partnership between various cybersecurity experts, and the realization that for the IoT the ‘pillar approach’ is not efficient.

Etalle says: “To ensure security, we must address the whole chain and we are taking a broad approach; involved in our project we have technicians as well as business owners, criminologists and lawyers. It starts right back at the product design stage. A product must be high quality not just in terms of functionality but also regarding the processes related to security. Just stop and think what happens after a manufacturer goes bankrupt: the company’s devices remain in use and they still need security, to be monitored and patched. Unfortunately, the importance of this is often underestimated. We hope to make companies more aware of the need to market secure products.”

In view of this, the fact that the Netherlands has both a strong manufacturing industry and many important suppliers to the international market is a big plus for the project.

“As well as awareness-raising among trade and industry, INTERSCT. hopes to bring about a change in society”, says Weffers. “It would be nice if people who are currently inclined to buy a cheap device of some kind imported from who knows where – to name no names – were to stop and think about their own security and pick a different product instead. As an individual, use your common sense. The government should also be paying more attention to this change of behaviour.”

With a Dutch slogan akin to ‘Don’t get hacked, check your updates’ the Ministry of Economic Affairs kicked off a campaign last spring to keep smart devices secure, not just in theory but also in practice. For although the majority of users know that their devices can be hacked, only half carry out an update in good time, one of the easiest ways to increase security. “So there is still considerable room for improvement here”, Weffers concludes.

IoT lab

As became evident when INTERSCT. was set up, ever more companies are recognizing the importance of cybersecurity. It was not hard to find partners in industry who were keen to cooperate. At the various universities, twenty-seven doctoral candidates have been recruited, and universities of applied sciences and TNO are also providing staff who will contribute to the project. Together, over the next eight years, they will develop building blocks for the design, security and administration of IoT systems, with Etalle in the role of scientific leader. “We’ll be setting up an IoT lab here, where we want to foster cross-fertilization. It is important that knowledge is used. We have plenty of experience in this area, thanks in part to our digital security company Security Matters (cofounded by Etalle and acquired by US company ForeScout in 2018, ed.). With the affiliation of parties like Brainport, not only do companies in the consortium benefit from existing knowledge, but the project will be rolled out further in the region. And in this way we all hope to take major steps towards making the IoT secure, in a sustainable, long-term way.”

Written by Nicole Testerink (Cursor)

Endless race

The field of education is also adapting to these new developments. For example, TU/e offers the master’s track in Information Security Technology, with a focus on computer security. As part of this, Etalle and his colleague Luca Allodi are running the new master’s course ‘Cyberattacks, Crime and Defences’. Etalle is keen to teach students early on all they need to know about the cybercriminals’ modus operandi.

“An endless race is going on between academics and criminals. By giving students an insight into how criminals think and how attacks are carried out in practice, we hope to be able to intercept ever more attacks in future and to be able to prevent attacks, so that eventually we can guarantee increasing network security.”

Henk van Appeven
(Communications Adviser)