The Internet of Things (IoT) represents a convergence of ubiquitous computing and communication technologies, with emerging uses that actuate in the real world. No longer do ubiquitous computing systems simply sense and respond digitally; now they physically interact with the world, ultimately becoming embodied and autonomous. At the same time, the game is changing from one of privacy, where it is often (contestably) cited that “users don’t care”, to one of user safety, where users (along with regulators, governments, and other stakeholders) certainly do care. Likewise, industry needs to become aware that this shift also changes the legal basis under which companies need to operate, from one of disparate and often weakly enforced privacy laws, to one of product liability.
The current widely adopted approach in which cloud services underpin IoT devices has already raised major privacy issues. Importantly, in an actuated future, untrammelled communications that implicate a plethora of heterogeneous online services in their normal operation also bring resilience challenges. We must ensure the integrity of actuating systems, which will require greater local autonomy alongside increased situated accountability to users. This problem applies in many areas: industrial control, autonomous vehicles, and smart cities and buildings, including the intimate and shared context of the home.
Our research seeks to address the challenge in the context of the home, where network infrastructure protection is minimal, providing little or no isolation between attached devices and the traffic they carry. Scant attention has been paid by the research community to home network security, and its acceptability and usability, from the viewpoint of ordinary citizens.
This research is also deeply rooted in pragmatism and recognises the ‘real world, real time’ conditions that attach to the IoT:
– that the cyber security solutions currently being defined for IoT systems will not deal with legacy issues and will never achieve 100% adoption
– that extant businesses limit the period of time for which they will provide software and security updates (if they even remain in business)
– that cyber security is an arms race and threats will continue to emerge in future
– and that the public will never become network security experts.
Relevant previous work: