Ubicomp Security: A Proposal for a Study of Current Ubicomp Products

Alexander Daniel DeVido
Published in Digital Shroud, Apr 19, 2021

Imagine if you left your brand-new smartwatch on a table in your office for five minutes. This smartwatch contains a calendar with your daily schedule, personal health information, and maybe even important emails. The smartwatch could have a built-in feature that allows for transferring data onto different devices. If malicious actors were to try to retrieve data from your smartwatch, how much information could they secure within five minutes? Could they bypass any logins on the watch (assuming a passcode/password feature exists)? Given how this kind of technology is designed to be subconsciously used by the wearer, conveniences may give way to vulnerabilities.

As technology has changed, so have the security threats and the remediation measures needed to counter those threats. Not only does this inevitably apply to ubicomp technology, but our future everyday reliance on ubicomp technology and greater physical access to networks will make ubicomp security a top priority. Therefore, there’s no better time than now to study the potential security risks of current technology, as the abundance of ubicomp products on the market allows for plenty of case studies. I’m proposing that security experts study a small sample of popular ubicomp products in order to paint a picture of what vulnerabilities exist for the current ubicomp generation, and what remediations producers of such technology can implement.

For the setup, the research team should gather an inventory of products to be tested. For larger, interconnected systems such as SimpliSafe, a test home will need to be rented or volunteered. The research team will need to contact and work with the product producers since the security integrity of their devices will be broken as part of the study. Finally, the team will need a space where hackers and researchers can interact and carry out hacking activities and examine devices. Optionally, both hardware and software engineers may be brought in to better examine the hardware and interfaces of the various devices.

The products to be studied should combine the three main categories of ubicomp technology: wearable, off-person public, and home technology. “Wearable” refers to any ubicomp technology embedded in or making up pieces of clothing. While smart clothing is not yet widely popular, it will certainly be a subject of study if it becomes widely and regularly used in the near future. For now, smartwatches such as the Apple Watch will be a good place to start. The Apple Watch is an internet-connected device that’s taken out in public and can have access to certain personal data. For these kinds of devices, protection when using public Wi-Fi and physical protection for misplaced/left-alone items will be necessary.

Apple Watch (Wearable)

“Off-person public” refers to ubicomp devices found in public that are not carried or worn on-person. Within public offices and school buildings, these could be smart boards or Weiser-like “pads” and “tabs” that could make up smart desks. These devices could be considered more as “home” devices, depending on how publicly accessible and secure the office spaces and classrooms are. To focus on something that’s more truly public, researchers can use self-driving cars and smart cars. Physical security is (theoretically) a greater concern for these devices compared to the other two categories, as users don’t take them when they move on foot.

Self-Driving Car (Off-person Public)

Finally, “home” or domestic technologies are found in private, secure spaces. While these technologies are not as exposed to the public (physically or on a network), the data stored in these private systems may require just as much, if not more, security. While we may be some time away from a Weiser-like smart home, plenty of home/private office ubicomp products are already becoming a part of everyday activities. For simplicity, researchers can focus on popular home (not office) products such as Google Nest (or other voice-activated multi-purpose device) and interconnected sets of security devices (a system of cameras, sensors, automatic locks, etc.) such as SimpliSafe.

SimpliSafe Security System (Home/Domestic)

Physical access and network connectivity will be the focus for security vulnerabilities, as they are for any computing/data device. Looking for physical and network vulnerabilities that are unique to ubicomp technology is one of two ultimate goals for this study.

For physical access threats, ubicomp’s focus on devices that can be used with little conscious effort could mean easy access for attackers who make physical contact with a device. For wearable devices, this is primarily an issue when items such as Apple Watches are lost. For technology such as self-driving/smart cars and home products, unwanted device contact occurs when vehicles and homes are infiltrated. For each device, we must document how physical access is gained by a user and what credentials are required. Through in-person hacking events, hackers who are skilled with interface interaction and/or knowledgeable about hardware can be tested to see how quickly and easily these credentials can be bypassed and what information can be quickly accessed and downloaded to a separate device.

As a study example, to summarize a list of possible physical security questions for the Apple Watch and self-driving cars:

· If a hacker temporarily steals an Apple Watch off a table, how many minutes does it take for the hacker to bypass or crack any passcode or login menu?

· What data on a regularly used Apple Watch (two weeks’ worth of emails, workout data, etc.) can be accessed after bypassing the login and how quickly?

· What devices could a hacker send Apple Watch data to, and how quickly?

· Can a self-driving/smart-tech car’s technology be accessed without turning on the vehicle?

Similarly, for network/internet security, white hat hacking events should be held to see how ubicomp devices can be attacked via internet, server, and/or network connections (including access from other ubicomp devices if testing an interconnected system). Along with hostile data collection, these hacking tests will show how ubicomp systems can be controlled, altered, or even damaged (based on the goals set up for each given challenge). With this knowledge, researchers can predict how the lives of users who use ubicomp regularly would be affected by a breach of product systems. This is important to determine since ubicomp is meant to be unconsciously integrated into everyday life.

To summarize a list of possible network security questions for SimpliSafe and Google NEST:

· How can the SimpliSafe base station or NEST devices be accessed via Wi-Fi?

· Can an external attacker remotely shut down devices within a SimpliSafe kit, and how many?

· Can information collected by NEST be remotely accessed and acquired?

Hackathon: main tool for the study

Researchers are to work with security experts to determine possible remediations. For example, can operating SimpliSafe be limited to a specific, identified controlling device, or can the system activate an emergency reboot if an unidentified device is attempting to alter current system activities? Specific information regarding how these measures will be implemented should not be included in the study and shared only between the researchers and the product creators. The study will instead provide general explanations of what will be implemented.

The ultimate value of this study will be that both customers and producers of ubicomp technology will be aware of how secure their systems are and what can be done by both groups to better protect their data (and livelihood if ubicomp dependence is high enough). The study will also serve as a model for future studies, which will be extremely vital as new products and generations of technology arise. The researchers carrying this out would benefit from an annual hackathon and gathering event to collect information for continuation of this topic.

Bibliography

· Weiser, Mark. “The Computer of the 21st Century” Scientific American, 1999, https://www.ics.uci.edu/~corps/phaseii/Weiser-Computer21stCentury-SciAm.pdf. Accessed 9 Apr 2021.

· “The Essentials Security System” SimpliSafe.com, https://simplisafe.com/home-security-system-essentials. Accessed 9 Apr 2021.

· Driscoll, Luke. “Ubiquitous Computing Examples in 2020” Darwin Recruitment, https://www.darwinrecruitment.com/blog/2018/10/ubiquitous-computing-examples. Accessed 9 Apr 2021.

· Erwin, Joshua. Photo of an Apple Watch. “Five Smartwatch Apps You Should Bring to Work” by Erwin, 27 Apr. 2016. PGi.com, https://www.pgi.com/blog/2016/04/5-smartwatch-apps-bring-work/.

· RBR Staff. Photo of a Self-Driving Car. “Consumer Acceptance of Self-Driving Cars Soars, Study Says” by RBR, 9 May. 2019. Robotics Business Review, https://www.roboticsbusinessreview.com/unmanned/consumer-acceptance-of-self-driving-cars-soars-study-says/.

· Katherina, Erica. Photo of the SimpliSafe Security System. “This SimpliSafe Security System kit gets a 30% price cut for Amazon’s Prime Day” by Katherina, 5 July 2019. Digital Trends, https://www.digitaltrends.com/dtdeals/simplisafe-security-system-amazon-prime-day-deal/.

· Gurgaon. Employees, customers, and NGOs hack and collaborate to build solutions for the world. “Driving cultural transformation — Microsoft hosts world’s largest private Hackathon” by Gurgaon, 24 July 2019. Microsoft, https://news.microsoft.com/en-in/driving-cultural-transformation-microsoft-hosts-worlds-largest-private-hackathon/

· Kostyshyn, Serhiy. Cybersecurity Image “Security and privacy issues of ubiquitous computing in the office setting” by Kostyshyn 23 Aug. 2013. Cyber Safety Unit, https://cybersafetyunit.com/english-security-and-privacy-issues-of-ubiquitous-computing-in-the-office-setting/?lang=en
