EECS is leading a multidisciplinary effort at KU that will tackle the fundamental science underpinning the security of the Internet of Things (IoT), through a prestigious designation from the National Security Agency.
“For the past seven years, the NSA has had a collection of universities they call ‘lablets’ that execute a collection of projects for the agency. This year, we were one of six selected to host these lablets,” said Perry Alexander, AT&T Foundation Distinguished Professor of EECS and Director of the Information and Telecommunication Technology Center at the University of Kansas. “These are places where the NSA contracts foundational research in the style of the National Science Foundation — big thinking research. Lablets are centered on the NSA hard problems, specific problems the agency feels they need to solve if they’re going to make progress towards solving our cybersecurity problems,” Alexander said.
Every day, more and more people interact with the Internet of Things (IoT) in daily life. The IoT includes the devices and appliances in our homes — such as smart TVs, virtual assistants like Amazon’s Alexa or learning thermostats like Nest — that connect to the internet. The IoT also includes wearables such as the Apple Watch or Bluetooth chips that keep track of car keys. Our cars themselves, if equipped with sensors and computers, are also part of the IoT.
“Traditionally, when you think about the internet, it’s someone on a computer communicating with something out in the world — usually someone else on a computer,” Alexander said. “The ‘Internet of Things’ is called that because now we have things talking to other things on the internet without human intervention.”
But in an age where data theft and cyberattacks are increasingly routine, the IoT has security vulnerabilities that must be addressed as the popularity of IoT devices grows.
“These devices are characterized by being low-capability,” Alexander said. “The security story with the IoT is pretty awful. Because these devices are cheap and small, you can’t add much capability to achieve the level of security you might want to achieve.”
Now, Alexander is leading a multidisciplinary team at KU including computer scientists, electrical and computer engineers, psychologists, sociologists and philosophers that will tackle the fundamental science underpinning the security of the IoT.
One aspect of the research at KU will investigate solutions to “side-channel attacks,” which include Spectre and Meltdown, vulnerabilities recently revealed to exist in central processor computer chips manufactured in the past two decades.
“A side-channel attack is a way of communicating that’s unintended,” Alexander said. “When you go on your web browser to a website, that path is intended. Unfortunately, in any computer system there are ways to communicate that are unintended. Those are side-channel attacks. A bad guy can use these vulnerabilities in everything from a state-sponsored attack to taking credit card numbers.”
Other efforts will focus on securing information in the “cloud,” where data is saved on remote servers instead of a personal or local machine.
“Almost all IoT devices share or store their information in the cloud,” Alexander said. “If you have an IoT in your house, you probably have a hub that talks to the cloud. How do you protect the information coming from your house, take it into the cloud and protect it while it’s there?”
The team also plans to find ways to enhance resilience, improving IoT devices’ ability to withstand unforeseen interruptions, or come back online as soon as interruptions are solved.
“If you think about a car hitting a telephone pole or a switch going bad or a lightning strike — this pulls part of your network off line,” Alexander said. “Resilience means understanding what capabilities you still have when part of your system goes down and making sure your network can recover once the problem is fixed. You as a human being are very resilient. When you cut your finger making dinner, you don’t collapse. Your skin grows back — in a week you don’t even know it happened. What properties does your skin exhibit that we could take and put in computer systems that would allow them to behave in a similar way?”
Alexander and his colleagues also hope to improve trust between computers that theoretically could scale upwards to encompass all the computers on the world wide web.
“When my computer accesses another computer, how do I trust that computer to be in a good state? If you and I wanted our computers to talk, and I wanted to trust your computer hadn’t been damaged or compromised in some way, that’s doable. Now, think about all the computers on a college campus — that’s still tiny. Now think about all the computers in the world, that’s different. Originally, you could draw all the nodes for the entire internet on the back of a napkin. Now we don’t even know how big it is, it’s so expansive and pervasive,” Alexander said.
Much of the work under the new contract combines expertise in computing and communications with multidisciplinary expertise in human behavior and thinking.
“A lot of cybersecurity is related to human behavior — things as simple as are you using strong passwords, or how are you using the internet?” Alexander said
Researchers from KU participating in the new contract include Electrical Engineering & Computer Science and ITTC researchers Alexandru G. Bardas, Prasad Kulkarni, Fengjun Li, Bo Luo, Garrett Morris, James Sterbenz, Andrew B. Williams and Heechul Yun. Additionally, Michael Vitevitch from the Department of Psychology, William Staples from KU’s Department of Sociology and John Symons from KU’s Department of Philosophy will be involved in the work. Colleagues at Kansas State University, University of Oklahoma, Marquette University and Syracuse University will also participate in the investigation.
Alexnader attributes the presence of interdisciplinary centers at KU, such as ITTC, for bringing together investigators from such a wide spectrum of academic specialties around a common set of problems, such as security of the IoT.
“We have people in research centers who otherwise may not talk to each other,” Alexander said. “But when the NSA call for proposals came out, I had a team from departments across campus in my head in an hour — I knew on a first-name basis the people who could help out. That’s way ahead of most places. KU’s prominence as a liberal arts institution made huge contribution.”
The work builds on Alexander’s decade-long experience working on projects with the NSA, as well as a Scholarship for Service program with the NSF. Much of the work under the new effort will help train a next generation of cybersecurity experts and extend their knowledge into the private sector in the region and nationally.
“The majority of our funding goes for research assistants,” Alexander said. “That’s typical for all of our awards. One objective for the NSA is building a cybersecurity community. We will hold a workshop once a year on the Edwards Campus that does outreach to companies that have an interest in the cybersecurity area. We want to bring in companies that we feel are underserved. Part of that will include tutorials and student presentations. Training graduate students and getting them out in the community is something the NSA wants us to do.”
The KU faculty that comprise the NSA Science of Security Lablet. From left, Heechul Yun, assistant professor of electrical engineering & computer science; Garrett Morris, assistant professor of electrical engineering & computer science; Prasad Kulkarni, professor of electrical engineering & computer science; Bo Luo, associate professor of electrical engineering & computer science; Perry Alexander, AT&T Foundation distinguished professor of electrical engineering & computer science; Victor Frost, Dan F. Servey distinguished professor of electrical engineering & computer science and department chair; John Symons, professor of philosophy and department chair; Michael Vitevitch, professor of psychology and department chair; Fengjun Li, associate professor of electrical engineering & computer science; and Michael Branicky, former Dean of Engineering.