Connected, but protected

Monday, May 1, 2017

If hackers made their way into your Fitbit and messed with your daily step count — you might be confused and annoyed.

But what if a hacker altered the heart rhythms in your pacemaker or the brakes on your connected car? What if someone found a way to empty cash from your bank account by hacking the embedded chip in the digital device you carry around to make automatic payments?

With more personal information flowing through devices connected to the Internet, researchers are looking for new ways to protect personal privacy in the ever-expanding Internet of Things.

Catherine Gebotys

Catherine Gebotys, a professor in the Department of Electrical and Computer Engineering, is creating countermeasures to thwart two different techniques commonly used by information thieves.

Hackers use electromagnetic waves, laser beams, or a combination of the two, to produce information that helps them decode the encryption key in an embedded chip on a device.

“Currently, most labs focus on one type of attack and a countermeasure for that one particular attack, but we look at the impact of the combinations of attacks and develop countermeasures for a range of attacks,” Gebotys says. “This advantage allows us to develop more efficient countermeasures for companies to put in their devices.”

Gebotys, whose passion is solving real-world problems, has collaborated with industry for decades. She developed countermeasures for BlackBerry early in the game, which helped the company become a pioneer in protecting corporate and government smartphone data.

These days, Gebotys works with Canada’s Department of National Defence. “It’s especially important for military devices,” explains Gebotys. “If an adversary got hold of one of Canada’s military devices and was able to extract keys from it, then all of our communications would no longer be private.”

Everyone should be concerned about the cryptography in all devices that are connected through the Internet ... It’s a very high-risk area.


It’s forecast that by 2020 there will be 50 billion devices connected to the Internet of Things. While it might be fun to imagine a refrigerator that orders milk when you run out, or a vehicle that orders your latte before you get to the coffee shop, Gebotys warns that some consumer devices have cheap processors that can be easy targets for high-tech criminals.

“Because there are so many of these devices built by so many different companies, we want to make sure the algorithms people use are secure and that people in the tech field will be able to know if there are any leakages of information,” Gebotys says.

The challenge, she says, is to develop countermeasures that are safe, reliable and affordable. With so many companies building small devices and so many consumers using them in their daily lives — you can’t have a security measure that costs too much or is so complex that it drains battery life.

“Everyone should be concerned about the cryptography in all devices that are connected through the Internet. If a company is designing a device that uses sensitive personal data, they should be required to have appropriate levels of secure cryptography in their devices,” Gebotys says. “It’s a very high-risk area and they should have resistance to these kinds of attacks.”

Staying secure from the start

Before buying a connected device, ask questions to ensure it was designed with security front of mind.

Smart consumers routinely change their passwords but they should also be asking questions about how secure their private information is whenever they buy devices connected to the Internet, says a Waterloo math alumnus.

Mark Malchiondo

“It’s really no different than purchasing a cellphone,” says Mark Malchiondo, co-founder of ecobee, a Toronto company that sells smart thermostats. “You want to look at customer reviews. You want to understand if the company or products have been exposed to attacks in the past. You need to know if they do frequent upgrades.”

Ecobee’s servers are in a facility with tight security — everything from fingerprint identification to bullet-resistant doors. Certificate-based authentication is used to verify both the server and the device and there are no inbound connections into the device. Everything is outbound to the servers only, says Malchiondo.

“That really limits an attacker’s ability to gain access to the device, either over the home’s Wi-Fi or over the Internet.”

This article was originally featured on University of Waterloo Magazine.