Title: Smart Home Security
Duration: ongoing since April 2022
Research Area: Architectures, Scalability, Security
Currently, Internet-of-Things (IoT) or Smart-Home devices can be found everywhere in everyday life, from electric cars and smart TVs to washing machines and smart toothbrushes. This creates many new risks, e.g., new attack vectors over the Internet, the potential lack of firmware function updates in the future, or device failures at home due to the bankruptcy of a cloud provider abroad. Those risks are particularly challenging because users with no knowledge of cybersecurity operate complex, networked IT devices. Thus, potential security issues are not apparent to the user. For example, the Mirai botnet and its successors have been spreading via insecure IoT devices since 2016, unnoticed by their owners. Often, security loopholes were exploited that are actually effortless to fix, such as factory-default passwords or outdated software packages with known vulnerabilities.
This project aims for two objectives: First, we want to use machine learning and AI to detect potential security issues automatically, i.e., without the help of a user that does not possess cybersecurity knowledge. This includes not only intrusion detection mechanisms, but also fingerprinting approaches to learn the structure and the context of the Smart Home network. Second, we strive to use generative AI models to deal with the user’s lack of expert knowledge. Thus, the AI might explain detected security issues, potential false alarms and possible security measures in a comprehensible, intuitive language to the user. Because this means that sensitive information from the internal network is sent to an external AI model, approaches such as encryption play an important role.
Our objectives are challenging. From a processural perspective, a comprehensive risk catalog and adequate measures for Smart Home and IoT devices do not yet exist. Using intrusion detection approaches in the envisioned way requires a different IT Security process and an adapted IT Security lifecycle. From a technical perspective, it is unclear how to replace missing expert knowledge about security issues reliably, without creating new attack vectors. Finally, our approach is connected to various ethical and privacy-related research topics.
We have already investigated a broad range of practical use cases. For example, we have developed a risk catalog by using a smart fridge as a prominent example for IoT technologies used in a Smart Home context. We are developing ChatIDS, an intrusion detection system that communicates security issues in a natural language to the user. We have tested the applicability of homomorphic encryption to smart-mobility use cases, and more examples will follow. Furthermore, we have developed a practical lab course to explore our approaches together with students.
We build on many technologies, such as various intrusion detection systems, large language models or homomorphic encryption libraries.
Our research is quite at the beginning. With any new use case, we extend our treasure trove of potential risks, applicable technologies and open issues for upcoming research. In the near future, we will consider further use cases, and we will develop well-explainable demonstrator applications to draw attention to our lines of research and foster interdisciplinary collaborations.