JR Centre for Security Analysis of IoT Devices

Head of JR centre Pascal Schöttle analyzing the transmitted data of a vacuum cleaner robot.
The more complex IoT devices become, such as autonomous robots, the more extensive and potentially dangerous the collected data becomes.

This JR Centre researches the possibilities of automated and independent analysis of “Internet of Things” devices in terms of their security and their impact on user privacy.

The world we live in is becoming increasingly digitalised. An important step in this digitalisation is equipping objects or “things” from the physical world with the functionality to connect to other “things” via a network, usually the Internet, and thus use jointly collected data. The umbrella term that encompasses all these networked “things” is the “Internet of Things” (IoT). IoT devices are increasingly being used both in industry (“Industrial IoT” [IIoT]) and by citizens (“Consumer IoT” [CIoT]). Typical CIoT devices include routers and smartphones, but also formerly “non-smart” everyday objects such as smartwatches, fridges, light bulbs, door locks, toys and washing machines. Concepts such as the “Smart City” (SC), which primarily aims to make public infrastructure more intelligent and digital, are also becoming increasingly widespread.

Due to the increasing prevalence of IoT devices, it is becoming more and more important to evaluate their security. For example, at the end of October 2021, the European Commission decided that all wireless networked devices and products entering the market within the EU must meet certain security standards starting around mid-2024.

The aim of this JR Centre is to evaluate the security of a wide range of different IoT devices systematically, reliably and, ideally, completely automatically. There are several reasons why this analysis is necessary. Firstly, due to certain limitations, it is often not possible to apply to IoT devices the security technologies that are standard for non-IoT devices today. Such limitations can include computing power, storage space, energy supply, or data rate. Secondly, as long as consumers have little awareness of the security of their devices and are therefore not prepared to spend more on more secure products, manufacturers have little incentive to invest in more secure IoT devices.

The sheer number of different IoT devices available means that security evaluation must be automated. The focus of this JR Centre is therefore the development of an automated security evaluation of (C)IoT devices, including the SC context. The JR Centre is also dedicated to the question of how physical attacks and the entire data transmission can be included in this security evaluation. This brings independent certification of these increasingly important devices within reach for the first time and creates an opportunity to check the conformity of IoT devices with given security guidelines. Furthermore, the research results can form a basis for evaluating IIoT or IoT in the healthcare sector. All of these topics are likely to remain relevant to society far beyond the lifetime of the JR Centre.

Smart household items such as vacuum cleaner robots often transmit more data than users are aware of.
Once smart devices are used in public spaces, citizens can no longer decide for themselves whether or not to interact with them.
