Advanced Security in Smartphone and IoT Systems

Module aims

In contrast with traditional ubiquitous computing, IoT devices use new user-interaction modalities, are more complex, and are interconnected. Thus they introduce new attack surfaces which can result in financial, emotional and physical harm to individuals: the Mirai botnet exploited myriads of insecure IoT devices to bring down a swathe of popular online services; adversaries took advantage of vulnerable smart baby monitors to scream at babies; intelligent vehicles were remotely attacked allowing an adversary to take control of steering, brake and transmission functions.

IoT is a broad topic encompassing different disciplines and applications. In this module we aim to explore security and privacy challenges in different application domains of IoT. We will explore classical and state-of-the-art security and privacy papers in the consumer space (smartphones, smarthome systems, drones and automobiles) and the industrial domain (power grid). The module aims to familiarize students with these emerging application domains of IoT and to help them, through paper reviews, presentations and discussions, develop the research and critical thinking skills needed to both assess and design the security of such systems. The module has one term-long project aiming to produce either a technological entrepreneurial solution for IoT or a conference/workshop quality research paper. The best projects will win awards and the instructor’s commitment to help towards submission at a renowned conference.

Learning outcomes

• Analyze Smartphone and IoT designs from a security and privacy point of view
• Understand security and privacy issues across a range of IoT application domains: smartphones, smarthomes, automobiles, avionics, SCADA
• Learn how to understand and evaluate up-to-date research literature focusing on consumer and industrial IoT security and privacy
• Develop presentation, communication and research skills

Module syllabus

  • Introduction to Smartphone and IoT Security and Privacy
  • Smartphone OS and Application Security: permissions/access control; side-channels; information flow; Applied NLP & ML for Smartphone Security
  • SmartHome IoT Platform and Application Security
  • User Authentication (or not!) leveraging new User Interaction Modalities (e.g. voice assistants): general concepts of speech recognition
  • Attacks and Defenses for Connected and Autonomous Vehicles
  • Connected Manufacturing: insider threats and side-channel attacks
  • Security and Privacy in Unmanned Aerial Vehicles (UAV) i.e. drones, and GPS systems
  • Security in Supervisory Control and Data Acquisition (SCADA) Systems. The case of the power grid.

Pre-requisites

Required:
• General understanding of fundamental CS concepts: algorithms, data structures, operating systems, networking, software engineering.
• 445H (Advanced Security). This module goes into an in-depth discussion of the general topics discussed in the following lectures of 445H:
  • Mobile: Mobile platform security and mobile privacy
  • Topics: IoT and device security

Recommended (not required):
• CO211 (Operating Systems)
• CO212 (Networks and Communications)
• CO331 (Web and Network Security)

Teaching methods

Instructor- and student-led lectures, discussions/defense of paper reviews, and a research or entrepreneurial group project.

The initial few weeks will be taught by the instructor. This aims to introduce the field and the topics that will be covered in the class. The rest of the module will be based on student-led presentations of related defining or state-of-the-art academic papers. There will be two 20-minute student/group presentations per hour, followed by discussions of those papers. Students will be required to read the papers before class and submit paper reviews. Students are also required to propose and make substantial progress towards a research or entrepreneurial project related to smartphone and IoT security and privacy.

Group Presentations
Each presenter student/group will present one paper in total. Each presenter student/group will select a topic of interest and pick one paper from an available list of papers that they want to present (assignment on an FCFS basis). Groups are expected to deliver a polished presentation and supporting material (demo, text, video, audio etc.). The rest of the class scores the presenter groups. Student scoring will count towards 50% of the presentation score. The other 50% comes from the instructor.

Reviews
Students are required to submit 3 short (1-2 pages) reviews of selected (FCFS) session papers throughout the term. A paper review is due at midnight before the day of the class in which the selected paper will be presented. In each session, after each presentation, the instructor will ask the student reviewers to defend their reviews of the presented paper (this counts towards participation points). The best reviewers per session will be acknowledged. The best reviewers over all sessions will win an award. Students will have access to all the reviews.

Group Projects
Students will also be asked to form groups and propose a research or entrepreneurial project. Project groups will have to submit a project proposal (2 pages, double-column, 12pt), a short topic survey (4 pages, double-column, 12pt), a project progress report (6 pages, double-column, 12pt), and a final report (10-12 pages, double-column, 12pt). During revision week, groups will pitch their projects and the rest of the class will score the projects. This counts towards 50% of the project score. The other 50% comes from the instructor. At the end of the class, the best group projects will win an award.

Assessments

Students will be asked to form groups (up to 3 people) and propose a research or entrepreneurial project related to mobile and IoT security. Entrepreneurial projects must make a technological and a reasonable business case for an innovative product or service in consumer, enterprise or industrial IoT security. Research problems must identify and address a gap in the literature of IoT security and privacy, and contain a theoretical and/or empirical evaluation. Project groups will have to submit a project proposal (2 pages total, double-column, 12pt), a short topic survey (4 pages, double-column, 12pt), a project progress report (6 pages total, double-column, 12pt), and a final report (10-12 pages total, double-column, 12pt). At the end of the class, the best reviewers and the best group projects will win an award. There is no final exam.

Module leaders

Dr Soteris Demetriou