How can we make the Internet of Things more secure? Author interview with Paul Fremantle
This month PeerJ Computer Science published “A survey of secure middleware for the Internet of Things” by Paul Fremantle and Philip Scott from the University of Portsmouth. With the continuing growth of the number of devices connected to the internet, the security of these tools (and the apparent lack of security!) presents some unique problems for individual citizens and organisations alike.
Middleware, defined in the article as “Software that acts as a bridge between an operating system or database and applications, especially on a network”, is crucial to discussions of security and the Internet of Things. Paul Fremantle talks through his new study, which presents a matrix of security and privacy threats alongside a literature review of middleware. Shockingly, out of 54 systems analysed, 35 didn’t have any real security model that could be analysed.
PJ: Can you tell us a bit about yourself?
PF: I co-founded a company (WSO2) back in 2005, and then after nearly 10 years I decided to take a break and study for a PhD, so I’m quite a bit older than the average PhD researcher. My supervisor is Dr. Benjamin Aziz at the University of Portsmouth, on the South coast of England, about 90 minutes from London. I’m researching security and privacy of the Internet of Things.
Three Layer Privacy model applied to IoT.
PJ: Can you briefly explain the research you published in PeerJ?
PF: The physical world is being connected to the Internet at a phenomenal rate: new cars upload data from sensors and can be controlled remotely, smart homes let you control the heating, lighting and monitor aspects. Similarly, health and fitness monitors, smart cities, connected factories and many more examples mean there are now more Internet-connected systems than people on the planet. I am very concerned about our privacy and the security of our world in this model. I can see the benefits of the technology, but unless we solve the security problems we will be in trouble. As part of my research, I analysed the threats and then used this analysis to look at more than 50 IoT systems which had published papers.
PJ: Do you have any anecdotes about this research?
PF: This kind of literature-based research is not the most exciting. I think the biggest concern is how many of the systems had no security at all. Out of 54 systems, 35 didn’t have any real security model that could be analysed. I originally started this analysis two years ago. When I updated it, I expected a higher proportion of the more recent systems to have addressed security. Unfortunately, that wasn’t the case.
PJ: What kinds of lessons do you hope the public takes away from the research?
PF: I think the real lesson here is to be wary of the kind of security you are getting if you buy a smart home, smart car, connected device. For example, late last year the whole US East Coast Internet was disrupted by an attack that was mainly launched from thousands of internet-connected CCTV cameras.
It isn’t easy to evaluate the security of these things – even for experts in the field. My own approach on this is to first identify if there is a real benefit to what I’m doing. Secondly, make sure I have done everything to enable privacy controls. Thirdly, I make sure that I choose devices from reputable manufacturers who will keep updating and improving the systems.
PJ: How did you first hear about PeerJ, and what persuaded you to submit to us?
PF: I was actually at a talk given by a traditional journal publisher who mentioned new approaches to publishing!
I was attracted by the fast review time and the pre-print service. My pre-print of this article has had nearly 3000 downloads and has been cited already, so I’m pretty happy.
PJ: How would you describe your experience of our submission/review process?
PF: I really liked the online submission system and web application. Compared to some other journals where it feels like your submission has fallen into a black hole, it is refreshing to get status updates and to know the status of your article.
PF: Yes, definitely.
PJ: Anything else you would like to add?
PF: I really appreciated the encouragement to publish the reviews and review proceedings. It’s not something I would have thought about, but I think it adds a lot to the provenance of the research.