Are there hackers hiding in your office?

13 Jul 2018

Image: Diego Cervo/Shutterstock

TechWatch’s Emily McDaid talks to Prof Máire O’Neill about the vulnerability of IoT devices and the security of smart cities.

Prof Máire O’Neill, a leading cryptography expert, has long been at CSIT and is now heading up the new Research Institute in Secure Hardware and Embedded Systems (RISE).

“The institute involves research projects from different universities – Queen’s, Cambridge, Birmingham and Bristol – four leading universities in cybersecurity research,” she said.

Statistics show that CSIT helped create 1,200 jobs in cybersecurity in Belfast in the timespan of 2009 to 2017.

‘Security is an afterthought, or not even considered at all, in the race to market’

What kind of research are you undertaking in the area of smart cities?

O’Neill said: “Hardware security is becoming a key area in cybersecurity with the growth of IoT [internet of things].”

She explained: “It’s easier to secure the hardware than the software. Although you need both, a hardware root of trust can provide the inherent security necessary for IoT devices.”

O’Neill discussed how the IoT is essentially a three-tiered stack that begins with devices, moves up to the communications layer between those devices and, at the top, the data storage at the back-end.

“Security is needed in all layers. If you secure the devices, that’s a good starting point in fundamentally securing the whole IoT system.”

What’s cutting-edge in this?

“One new area is homomorphic encryption – this allows you to perform operations on encrypted data without decrypting it. So, you can do big-data analysis on encrypted data instead of needing it to be decrypted back to plain text,” she said.

Historically, this area of cybersecurity hasn’t been practical because of the vast computational resources it requires, making any operation too slow to be useful.

But, O’Neill said that “theoretical breakthroughs” are needed and that it would “be a game-changer for cloud security if we can achieve practical fully homomorphic encryption”.

Are the stakes higher for attacks on smart cities? Do hackers have more to gain?

“I don’t know if you’ll have a city where absolutely everything is connected. More realistic is a series of smart connected infrastructures. That makes it more secure than a situation where everything is in one network,” explained O’Neill. “As you increase the surface of connectivity, that increases the attack surface.”

Where are the areas of concern?

“Mundane objects can be used as a point of attack. As an example, the office coffee pot, connected to the office Wi-Fi, can be used as a point of entry for hackers,” she said.

Is every connected device a point of vulnerability?

“Anything that’s connected – so, for instance, smart TVs, smart video conferencing units – if it’s connected to the IoT, it’s vulnerable.”

Are these devices coming off the shelf without any security?

O’Neill said: “Security is an afterthought, or not even considered at all, in the race to market. A key aim of RISE is to educate the world about this.”

And in the home?

“The interactive Cayla doll has become infamous for having zero security features. It’s an interactive toy for kids, and YouTube demos show that you can easily break into the doll and talk to children.

“Children’s toys were on TechRepublic’s list of least secure connected devices, released in Feb 2018.”

If you knew an 18-year-old who was interested in smart cities, what career path or academic degree would you advise?

Security analytics would be a great career path right now, as there is demand from industry for this skillset. This involves the application of analytic tools for security monitoring and threat detection,” said O’Neill.

“One example is using deep-learning approaches for mobile malware detection, and to uncover vulnerabilities in websites.”

She continued: “For smart cities to flourish, security needs to be built in from the outset. Novel wireless approaches are needed, analytics and big data (and video surveillance would be in that group as well) – those are the lack of skillsets that companies are pointing to.”

Is a smart city inherently a surveillance city?

“It could be, but it depends on how you deal with privacy issues. For example, in previous research we looked at video security, which would allow a scene to be monitored while ensuring faces are blurred – this is called selective encryption. One interesting area is when you combine selective encryption approaches in video with trying to track anomalous activity – something that’s out of the ordinary, such as a bag left on a bus.

“There is always a trade-off between the benefits of these advanced technologies and what you may lose in terms of privacy.”

By Emily McDaid, editor, TechWatch

A version of this article originally appeared on TechWatch

TechWatch by Catalyst covered tech developments in Northern Ireland