Background and Motivation
The IoT revolution has just started to take off and the IoT market is quickly increasing, giving us connected devices targeting e.g., wearables, cars, homes, cities, industry, transportation and healthcare. New business opportunities give rise to many new products and in order to be competitive, the manufacturer has to be efficient and implement a strategy that optimises the time to market (TTM) and minimises the price. This often means using existing open source software.
When new vulnerabilities are found, it is crucial to efficiently determine the potential damage and to decide on a plan for patching the device. In this project we will develop a semi-automated and cost-efficient decision support system for assessing the need for updating a device and the impact such an update will have on a device or system.
Publicly available vulnerability information is often too general and cannot immediately be applied to a device with a specific configuration operating in a specific environment. Taking these parameters into account, a much more accurate and reliable assessment can be performed.
A viable solution to cost-efficient updates for connected devices has the potential to increase security in different parts of society and the privacy of users. Considering the expected penetration of these devices, such a service has an almost unlimited potential.
Brief Project Outline
The project is a cooperation between Lund University, Advenica, Axis, Ericsson, Prevas, Sensative, SICS and T2 data. All aspects needed to conduct a successful project are covered by consortium partners, ranging from security researchers and developers, to system integrators and device manufacturers.
The project consists of several parts, e.g.,
- An analysis of the current situation in industry, conducted through discussions and interviews with e.g., manufacturers, developers and integrators.
- Development of tools that can be used to analyze new vulnerabilities in the context of a specific device with a given configuration.
- Research in machine learning and automated methods that can be used to simplify the vulnerability analysis and make it more cost-efficient.
- Development of APIs that can be used to integrate the results in current development environments.
The project will result in a set of demonstrators, showing how the tools can be used in different use cases in order to improve the analysis of new vulnerabilities.
IoT is a rapidly developing and expanding area, and security in IoT is of utmost importance. It is natural that the use of, and regulations surrounding, connected devices will develop during the project. In order to develop tools that will also be useful in the longer term, the IoT development regarding laws, regulations, standards and protocols will be audited throughout the project.
Project Goal and Long Term Effects
The project goal is to improve the way manufacturers and integrators work with and analyze software vulnerabilities. We hope to be able to help the Swedish and international industry to work more efficiently with software security. This will lead to improved privacy protection for end users and higher security in IoT products.