Carnegie Mellon University
August 04, 2016

CyLab Faculty Receive $1.1M NSF Award To Help Secure Internet of Things

Daniel Tkacik / 412-268-1187 /

Vyas Sekar

CyLab faculty members Vyas Sekar, pictured above, and Yuvraj Agarwal and Srinivasan Seshan have received a $1.1 million grant from the NSF to help secure the Internet of Things.

Over six billion devices will be connected to the internet by the end of this year according to a recent Gartner forecast. While the explosion of the so-called Internet-of-Things (IoT) has the power to transform society, security experts have exposed vulnerabilities in everything from internet-connected Barbie dolls to SUVs.

"The problem is that these are really low-end, cheap commercial devices with little to no incentive for anyone to build with security," said Carnegie Mellon University CyLab faculty member Vyas Sekar, an assistant professor in the Department of Electrical and Computer Engineering. "This is a huge problem because these are things actually interacting with your physical environment. There are serious security and privacy risks."

The National Science Foundation (NSF) has awarded Sekar a four-year, $1.1 million grant to help develop a software-based solution to the problem of IoT security. Sekar is collaborating with two other CyLab faculty members: professors Yuvraj Agarwal and Srinivasan Seshan from CMU's School of Computer Science.

Traditional security solutions like antivirus programs or software patches are fundamentally at odds with the realities of the IoT because of the huge diversity of platforms these devices run on — in IoT, it's not as simple as Windows or Mac. Other challenges include poor security practices by the devices' vendors, as well as hardware constraints.

To combat these challenges, the team is taking a network-based approach to a solution.

"All bad things happen on the network," Sekar said. "If you intercept that point of entry — the network — you can envision applying a software-defined shield around each device."

Sekar likens the proposed software-defined shield to a micro-Kevlar vest that fits any device under any conditions. This "vest" will act as a gateway for each device, intercepting any illegitimate traffic entering, such as malware or malicious commands, or exiting, like sensitive data. "In some sense, we are starting from the premise that these so-called 'things' are fundamentally fragile and unfixable," Sekar said. "These things will be broken — they have vulnerabilities."

Sekar said any security infrastructure, not just IoT, could be broken down to three components. First, there is the point of enforcement where the infrastructure must distinguish between good and bad traffic. Second, policy abstractions specify the definitions of good and bad, and lastly, the infrastructure must be able to learn what traffic is good and what is bad in an evolving environment.

"IoT is a game changer in the sense that we need to fundamentally rethink how we have been doing each of these tasks in traditional security solutions, because of the cyber-physical interactions and the diversity of these platforms," Sekar said. "The hope is, even though you have these fundamental flaws in these devices, you will still have a resilient, functional IoT system that keeps the bad guys away."

Carnegie Mellon CyLab is a bold and visionary effort that is developing new technologies for measurable, secure, available, trustworthy, and sustainable computing and communications systems. CyLab is a world leader in technological research and the education of professionals in information assurance, security technology, business and policy, as well as security awareness among cybercitizens of all ages.

Building on more than two decades of Carnegie Mellon leadership in information technology, CyLab is a university-wide initiative that involves more than 50 faculty and 100 graduate students from more than six different departments and schools.