Hey Siri, secure my home: virtual security in the real world

Our lives are a constant dialogue with smart devices. Most of us are very aware of the advantages that a connected network brings; but do we truly understand the extent to which our devices make us vulnerable to attacks?

Four academics in front of a cybersecurity map – Some of the ECS cybersecurity team. From left: Dr Masood Mansoori, A/Prof Ian Welch, PhD candidate Junaid Haseeb, and Dr Harith Al-Sahaf.
Some of the ECS cybersecurity team. From left: Dr Masood Mansoori, A/Prof Ian Welch, PhD candidate Junaid Haseeb, and Dr Harith Al-Sahaf.

Smart devices, or Internet of Things (IoT), collate information about users’ environment, personal information and preferences, and often share them with other devices or third party agents. Besides leaving users exposed to hijacking and end-user violations, these devices are often used to illegally target other systems.

Now compare this scenario to one in the offline world. If there is a possibility of being attacked and it’s not known who the attacker is or where the attack could come from, the key to forming a defence strategy is understanding how the attacker behaves.

This is exactly what the cyber world is doing – leveraging deception techniques to understand how attackers behave. Deception systems are used to create attractive environments for attackers, enticing them to spend time with/on these devices. An elaborate exercise, the deception technique includes setting up devices that simulate a database of credit card numbers, a powerful computer to mine cryptocurrency or a system that allows attackers to send millions of spam emails. The system is intentionally left vulnerable, in an attempt to lure hackers to the site and spend time on it. The attackers are led to believe that they have stumbled upon something valuable, without realising that, in fact, they are the ones being spied on. Deception systems help collect data about attackers’ behaviours and the tools they use to exploit these devices.

However, the use of deception techniques is mainly focussed on large networks (like corporate environments). Homes continue to be vulnerable to attacks – particularly given the trend towards connected smart homes, with smart fridges, smoke detectors, TVs, cars and the like. This is the research gap – the need for a security framework for IoT devices in the home – that Junaid Haseeb from the Wellington Faculty of Engineering aims to address as part of his doctoral thesis, supervised by Ian Welch and Masood Mansoori.

Originally from Gujrat, Pakistan, Junaid moved to Wellington in 2018 to pursue his doctorate. “I was intrigued by the very nature of deception systems. The popularity and use of smart devices is constantly rising – this means that the current PC protection systems have to be re-designed and integrated into these devices. But incorporating deception techniques for smaller devices is challenging because for one, they have lesser processing power. Millions of smart devices have unique hardware and software, and designing specific protection systems is very complicated. Add to this, the fact these devices constantly collect user information, and the users aren’t even aware about the kind of risks that these devices pose.”

Further elaborating on his research, Junaid says “As part of designing deception techniques for household IoT devices, we started with an in-depth analysis of attacks on IoT devices and how they occurred. We need to understand the attack process to deploy adequate bait systems and services, which simulate actual devices. The research also includes applying a wide range of deception techniques to manipulate the attacker’s behaviour – these include confusing the attacker by simulating a large fake (non-existent) network of interesting devices, forcing them to waste their time and resources, and subtly manipulating their actions.”

One aspect that has surprised the researchers is the level of risk in the digital world. Studies by HP and Cisco has reported that each networking device has as many as 28 vulnerabilities – that’s 28 different ways that every single phone, tablet, laptop, washing machine and baby monitor can be attacked. “We deployed our resources to simulate smart devices and were amazed that the system has recorded more than 500,000 connection requests from more 7200 attackers with unique IP addresses across the world, in just a month. Attackers were trying to gain access to these devices by using common login credentials and also appeared to be interested in routing significant amounts of traffic to other websites, by using our system” says Junaid.

Speaking about using deception techniques to secure IoT devices, Masood Mansoori, Lecturer (Cyber Security), School of Engineering and Computer Science, says “There’s no doubt that we live in a connected yet an extremely vulnerable digital world. One of the main challenges we’re facing, as part of the research, is simulating the different types of devices and collating attack data, based on the nature of those devices. There are currently hundreds of different IoT devices with proprietary operating systems and services, and developing methods to simulate them and integrate deception techniques into them is a major challenge. The hypothesis is that the nature of the attack could vary depending on the nature of the service offered by the IoT device. So classifying data according to the type of device can be more helpful in understanding the attack process, which can lead to more effective defence systems.”

Discussing the potential impact of this project, Ian Welch, Associate Professor, School of Engineering and Computer Science, says “It is estimated that by 2025, there will be 50 billion IoT devices, at a time when world population is estimated to be around 8 billion. At the minimum, that’s more than 6 devices per person. The potential for such research is significant. We’re mapping the kind of attack processes that IoT devices are vulnerable to, and this will be of great value for manufacturers. It’ll help them create protocols that can alert users, Internet service providers or network administrators if their devices are attacked, early in the process. We also see a lot of opportunity for collaboration with a project like this – we’ll be looking to work with universities in other countries to pool our resources across our networks to deploy honeypot (deception) systems to collect detailed information about attackers’ behaviour.”