I aspire to design a trustworthy Internet of Things (IoT). In contrast with traditional ubiquitous computing, IoT devices use new user-interaction modalities, are more complex, and are interconnected. Thus they introduce new attack surfaces which can result in financial, emotional and physical harm to individuals: the Mirai botnet exploited myriads of insecure IoT devices to bring down a swathe of popular online services; adversaries took advantage of vulnerable smart baby monitors to scream at babies; intelligent vehicles were remotely attacked allowing an adversary to take control of steering, brake and transmission functions.
My work has focused on smartphone security, which is the de facto user interface to consumer-facing smart environments and devices. I have unearthed design flaws in real-world systems, which affect millions of users. In particular, I discovered new side channels on Android, found connectivity issues with wireless devices and exposed remote code execution threats. In response I designed new security mechanisms that can be directly integrated into popular smartphone operating systems, application markets and network routers.
Throughout my career, I fostered collaborations between more than 40 researchers across 11 international high-caliber institutions from both industry and academia. My work resulted in publications in top-tier systems and security conferences but also had industry impact. Google introduced security enhancements to Android after we unearthed system flaws; Samsung and Hewlett-Packard Enterprise recognized my work with prizes while some of the technology I invented resulted in patents. I continue building on my collaborations with industry and academia to help solve more pressing real-world problems in emerging consumer-facing IoT devices and environments.
I'm currently the Director of the Applications and Systems Security Lab (apss) at the Department of Computing at Imperial College London. At apss, we leverage a multitude of techniques to study mobility (localization, navigation etc.) and security aspects (confidentiality, integrity, authentication and authorization) in emerging application domains. In particular, we utilize access control, optimization, machine learning and natural language processing among others to tackle prevalent threats and challenges in an ever-connected world.
Authentication, Authorization and Access Control
GOAL: Study of effective and efficient authentication, authorization and access control mechanisms.
Operating systems rely on authentication to verify that subjects (the users and programs) sharing the platform and OS resources are who they claim to be. Missing or weak authentication can result in untrusted parties having access to privileged operations. Authorization schemes determine the privileges a subject has on the system. To enforce the authorization constraints and to help manage the distribution, revocation and enforcement of privileges in a particular context or system, we design effective and efficient access control schemes. Modern operating systems employ a variety of such access control schemes, such as discretionary access control, mandatory access control and application permission models.
- Resolving the Predicament of Android Custom Permissions. Tuncay, Güliz Seray; Demetriou, Soteris; Karan Ganju; Gunter, Carl. 25th Network and Distributed System Security (NDSS) Symposium, February 2018
- HanGuard: SDN-driven protection of WiFi smart-home devices from malicious mobile apps. Demetriou, Soteris; Zhang, Nan; Lee, Yeonjoon; Wang, Xiaofeng; Gunter, Carl; Zhou, Xiaoyong; Grace, Michael. 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), July 2017
- Draco: A System for Uniform and Fine-grained Access Control for Web Code on Android. Tuncay, Güliz Seray; Demetriou, Soteris; Gunter, Carl. ACM Conference on Computer and Communications Security (CCS), November 2016
- What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources. Demetriou, Soteris; Zhou, Xiaoyong; Naveed, Muhammad; Lee, Yeonjoon; Yuan, Kan; Wang, XiaoFeng; Gunter, Carl. 22nd Network and Distributed System Security (NDSS) Symposium, February 2015
Mobile Devices and IoT Systems Security
GOAL: Study of adversarial capabilities and development of novel defense strategies for smartphone and IoT systems.
With smartphone penetration soaring and the rapid advancements in internet-connected devices, mobile and IoT device security guarantees are needed more than ever. Adversaries can leverage the fact that mobile devices are equipped with a multitude of sensors and are always present to launch sophisticated inference attacks to violate users’ confidentiality and the platforms’ integrity. This research thrust aims to study such adversarial capabilities in smartphone and IoT systems in consumer and enterprise settings.
- BEEER: Distributed Record and Replay for Medical Devices in Hospital Operating Rooms. Hojjati, Avesta; Long, Yunhui; Demetriou, Soteris; Gunter, Carl A. 6th Annual Hot Topics in the Science of Security (HoTSoS), April 2019
- Toward an Extensible Framework for Redaction. Demetriou, Soteris; Nathaniel D. Kaufman; Jonah Baim; Adam J. Goldsher; Gunter, Carl A. 1st International Workshop on Security and Privacy for the Internet-of-Things (IoTSec), April 2018
- Ghost Installer in the Shadow: Security Analysis of App Installation on Android. Lee, Yeonjoon; Li, Tongxin; Zhang, Nan; Demetriou, Soteris; Zha, Mingming; Wang, XiaoFeng; Chen, Kai; Zhou, Xiaoyong; Han, Xinhui; Grace, Michael. 47th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), June 2017
- Understanding IoT Security Through the Data Crystal Ball: Where We Are Now and Where We Are Going To Be. Nan Zhang, Soteris Demetriou, XiangHang Mi, Wenrui Diao, Kan Yuan, Peiyuan Zong, Feng Qian, Xiaofeng Wang, Kai Chen, Yuan Tian, Carl A. Gunter, Kehuan Zhang, Patrick Tague, Yue-Hsun Lin. arXiv preprint arXiv:1703.09809. March 2017
- Free for all! Assessing User Data Exposure to Advertising Libraries on Android. Demetriou, Soteris; Merrill, Whitney; Yang, Wei; Zhang, Aston; Gunter, Carl. 23rd Network and Distributed System Security (NDSS) Symposium, February 2016
- Inside Job: Understanding and Mitigating the Threat of External Device Mis-Bonding on Android. Naveed, Muhammad; Zhou, Xiaoyong; Demetriou, Soteris; Wang, XiaoFeng; Gunter, Carl. 21st Network and Distributed System Security (NDSS) Symposium, February 2014
- Identity, location, disease and more: Inferring your secrets from android public resources. Zhou, Xiaoyong; Demetriou, Soteris; He, Dongjing; Naveed, Muhammad; Pan, Xiaorui; Wang, Xiaofeng; Gunter, Carl; Nahrstedt, Klara. ACM Symposium on Computer and Communications Security (CCS), November 2013
Mobile Sensing and Localisation
GOAL: Study of novel sensor fusion solutions for outdoor positioning and security for AI in connected and autonomous vehicles.
Mobile devices are equipped with numerous sensors which allow them to offer efficient and effective personalized services and applications. For example, connected and autonomous vehicles (CAVs) feature advanced sensing capabilities, including multiple range sensors (Lidar and Radar), 360° cameras, onboard GPUs, and high-speed connectivity: Tesla Motors uses a forward radar, a front-facing camera, and multiple ultrasonic sensors to enable its Autopilot feature; Google’s and Apple’s versions of CAVs use Lidar and cameras to support autonomous driving; Ford and Uber are also actively experimenting with CAVs.
These advanced capabilities open up a plethora of exciting opportunities for next-generation services related to better localization, navigation and traffic optimization. At the same time, their reliance on sensing data and machine learning algorithms for route prediction, collision avoidance, and object detection and recognition introduces new attack surfaces. Given the widening gap between autonomy and security in this application domain, in tandem with their safety repercussions, there is an impending need for novel solutions that can guarantee trusted outcomes from such sensor-fusion and machine learning algorithms.
- Determining Car Positions. Puneet Jain, Soteris Demetriou, Kyu-Han Kim, US 10380889 B2, 2019
- CoDrive: Improving Automobile Positioning via Collaborative Driving. Demetriou, Soteris; Jain, Puneet; Kim, Kyu-Han. IEEE International Conference on Computer Communications (IEEE INFOCOM), April 2018
- CamForensics: Understanding Visual Privacy Leaks in the Wild. Srivastava, Animesh; Jain, Puneet; Demetriou, Soteris; Cox, Landon; Kim, Kyu-Han. 15th ACM Conference on Embedded Networked Sensor Systems (SenSys), November 2017