Toward Building a Safe, Secure, and Easy-To-Use Internet of Things

IOT CONNECTION

Toward Building a Safe, Secure, and Easy-to-Use Sal glances at the display near her office door and sees that her next meeting is in 10 Internet of Things minutes. One participant is out of town and the other two people are running late, but the meeting room is still occupied Infrastructure by several people. The display also suggests it might be a Yuvraj Agarwal and Anind K. Dey, Carnegie Mellon University good time to get coffee because the lines are short at the cafe downstairs. Her good friend Joe Carnegie Mellon University is leading a happens to be at the cafe, too. multi-institutional effort to build an open Sal checks an app she recently built and sees that the coffee is infrastructure to support the Internet of Things. freshly brewed. “That simplifies things,” she thinks to herself as she heads toward the cafe.

safe and secure world enabled by the Inter- This is the unique promise of a successful IoT, and is net of Things (IoT) promises to lead to truly what we are aiming for with GIoTTO, the IoT program connected environments, where people and at Carnegie Mellon University (CMU) named after the things collaborate to improve the overall famous Renaissance painter. qualityA of life. The IoT will give us actionable information at our fingertips, without us having to ask for it or NEED FOR AN OPEN INFRASTRUCTURE even recognizing that it might be needed. Consider this Although numerous commercial and academic programs example that combines many simple uses of the IoT to cu- focus on building IoT systems, it’s clear that for any IoT mulatively form an omnipotent assistant: stack to be widely adopted, it must be open—without a

singular organization claiming own- ership. We must involve the commu- FROM THE EDITOR nity with the IoT’s design, develop- Building on our inaugural column from February, this month’s article presents an open ment, and deployment—that means program that sets out to explore the Internet of Things’ (IoT’s) value proposition. Just truly open source development, as as the Internet belongs to all of us, I believe this program embodies the principles we exemplified by Linux and Android. hope will be the driving forces behind an equally successful IoT architecture. In this We also believe that an IoT stack must column, researchers from Carnegie Mellon University eloquently outline the tenants provide immediate value to anyone and goals of the GIoTTO software stack. —Roy Want wanting to deploy and use it, without requiring substantial integration work upfront. Practically, this means that it must provide important first- software, and services to develop an IoT apps/App store/End-user environments class features such as robust machine interconnected world. Although the IoT development environments learning, easy end-user programming, vision of an IoT-enabled future is enor- security, and privacy. Our vision of the mously compelling, several key chal- Abstractions/Analytics/Machine learning GIoTTO stack, which we are develop- lenges must be addressed before it can Time-series datastore/Controls ing at CMU, is shown in Figure 1. become a reality. These challenges are

GloTTO stack Edge analytics and cloudlets GIoTTO is an open source infra- related to three critical questions: structure intended to support the con- Data integration and middleware struction, maintenance, and use of ›› How can we build an IoT infra- Sensors and actuators IoT-enabled environments. We formed structure that is safe, secure, our team at CMU shortly after Google and private from the ground up? held an open call for proposals on the Safety implies that IoT devices Figure 1. The GIoTTO open source stack. Open Web of Things. We responded won’t do anything unexpected and received the lead award on what or unintended. Security implies is now known as the IoT Expedition that IoT devices only allow au- with the multitude of other (www.iotexpedition.org), which in- thorized entities, whether com- technologies that showed much cludes partners at Cornell Tech, the puter programs or humans, to promise only to be ignored after University of Illinois, and Google. The access their services. Privacy im- deployment. IoT Expedition’s goals match those of plies that IoT devices don’t access GIoTTO, and the project has adopted or leak private user data either SECURITY, PRIVACY, GIoTTO as its software infrastructure. directly or indirectly without a AND SAFETY Each partner will contribute to and clearly defined, and verifiable, A key design decision we’re address- build on GIoTTO to demonstrate its purpose being presented to and ing in our GIoTTO software stack is to value through a series of living labora- accepted by users. face these concerns from the ground tories at each site. ›› How can we leverage the huge up rather than retrofitting later. Al- amount of data being collected by though these concerns have some IOT CHALLENGES sensors embedded in all objects? natural overlaps (for example, safety The number of IoT-connected devices This calls for machine learning concerns sometimes imply security is- is expected to grow to 21 billion by and data analytics to be inte- sues), we’re looking to devise solutions 2020 (www.gartner.com/newsroom grated at every level from sensors for each one. Safety in IoT means being /id/3165317), presenting a major mar- and actuators to end users. able to reason about the behavior of ket opportunity for established hard- ›› How can we enable end users IoT devices, especially actuators, and ware (such as Intel, Apple, Qualcomm, of varying technical ability to being able to detect and prevent unin- ARM, Samsung, and LG) and software manage, interact with, and even tended or unexpected behavior. This vendors (such as Google, Microsoft, control and program IoT-enabled is a very difficult problem because it and IFTTT) across the world, in addi- environments? For the IoT to requires not only understanding “nor- tion to spawning new entrepreneur- be truly pervasive, IoT systems mal” behavior, but also being able to ship opportunities. These companies must be accessible to end users, develop models for device interactions are working on producing IoT devices, or they might be discarded along and devising mechanisms to enforce

APRIL 2016 41 IOT CONNECTION

safety properties. The challenges in en- more conservative data model might apparent that people won’t be able to suring the safety of IoT devices are also only reveal whether a user is “on cam- consume all the data. Most IoT efforts due to extreme heterogeneity, lack of pus” or “in a meeting.” This approach support sensing, simple computation, standardization, and ineffectiveness of controls who has access to which tier communication, distribution, and traditional defenses like end-host fire- of data, but also supports privacy pol- actuation, but not analytics and ma- walls and antivirus software. We be- icies and audits. Our goal is to even- chine learning. In contrast, we treat lieve the underlying network provides tually expose mechanisms where IoT all these aspects as core functions of a key vantage point to not only observe applications must specify a clearly any IoT infrastructure. these device-to-device and device-to- defined set of purposes of data access At the lowest level (collecting data cloud interactions, but also to enforce that can be checked by our GIoTTO from sensors embedded in the environ- safety and security using techniques stack and reported to users who own ment or objects), data analytics can be from network middleboxes. We’re ex- that data. applied to reduce overall power usage. Instructions sent to sensors to collect data at a particular rate can be config- ured in real time using power consump- A key design decision we’re addressing tion analytics. The configuration must in our GIoTTO software stack is to face security satisfy all current requests for data (in- and privacy concerns from the ground up cluding just storing the data), while op- rather than retrofitting later. timizing for power consumption. As another example, we’re currently working on developing algo- ploring methods to represent these Security in IoT means providing ac- rithms to identify novel patterns IoT device interactions (for example, cess control mechanisms and policies present in sensor data and in people’s crowdsourcing) and devise models for and being able to enforce them, par- behaviors (as captured by sensors). safety policies that can be dissemi- ticularly in the face of the tremendous Identifying these patterns creates nated to IoT users. number of heterogeneous devices. In new, higher forms of data from low- IoT privacy challenges stem from the GIoTTO stack, we’ve implemented a level data. We call these components sensors directly or indirectly leaking robust access control layer to allow flex- that can capture complex high-level private information about users, often ible security policies to be expressed patterns—or even ones that perform unbeknownst to them. Although use- as well as abstractions to manage the simple analyses such as averaging ful for controlling appliances when number of rules that must be specified. across sensors—virtual sensors. Vir- users aren’t home, occupancy sensors Done naively, one would need to have tual sensors take input from one or can also be used by attackers to deter- as many rules as the number of devices more physical or virtual sensors and mine how often homeowners are out multiplied by the number of users. We produce some new output. An IoT in- of town. Information about users and leveraged ideas from role-based access frastructure must be able to support their behavior can be inferred from control, and mechanisms for grouping the production of simple and sophisti- sensors indirectly or by combining in- users and sensors to reduce the num- cated virtual sensors. formation from seemingly unrelated ber of rules that need to be specified. A third example we’ve implemented sensors. With the GIoTTO stack, we Furthermore, we developed a flexible is support for programming by demon- propose several ideas to help manage tagging (key-value attributes) system stration. Typical end users might not privacy. First, GIoTTO provides multi- for users and sensors or actuators to al- have the technical know-how to build ple tiers of access to sensor data, from low access control rules to be expressed their own virtual sensor, but GIoTTO the most sensitive (highest granular- more concisely and be verified at run- provides a tool that allows end users to ity, such as microphone data) to the time with minimal performance over- demonstrate a phenomenon that they least sensitive (low granularity, such head. We also use industry standard want their environment to capture, as processed audio data to extract protocols (such as SSL and OAuth) to and direct the tool to automatically amplitude and frequency features). secure the other layers of the network build a classifier. Let’s say a user wants Second, GIoTTO provides a set of core protocol stack. to know whether she left her window services along with models for people, open. Without knowing what sensing places, and things—app developers MACHINE LEARNING exists in her environment, she can can access these shared data models, AND DATA ANALYTICS simply launch the tool and provide ex- which are updated constantly in the With the huge amount of data that amples of the window being open and stack. Although there might be a raw will be captured and stored in IoT the window being closed. The tool ex- sensor for a user’s exact location, a infrastructures like GIoTTO, it’s amines all data being collected during

42 COMPUTER WWW.COMPUTER.ORG/COMPUTER both situations and identifies the sen- would select the object based on a e currently have a single in- sors that are most predictive of the set of predefined criteria. Similarly, stallation of GIoTTO on the window’s state. It calculates statistical a virtual actuator could cause collec- WCMU campus, supporting features on the sensor data and trains tions of actuators to perform an action four living laboratories spread over a model in near real time. Within sec- simultaneously (for example, lights three different buildings. The living onds, the end user has a virtual sensor blink and a phone buzzes), where the laboratories include two academic re- that can detect window state. specification should be as simple as search labs, one office, and one pub- Much like the rest of GIoTTO, the possible for end users. lic indoor space. We’re continuing to machine-learning components are We’re actively working to support develop the GIoTTO infrastructure to intended to be pluggable, allowing end users in programming their IoT address the challenges laid out in this a system administrator to select the environments, including providing a article. The first version of the infra- appropriate components to deploy, range of visually based programming structure was released in March 2016, whether they’re widely available (such platforms that would allow users to and updates will follow quarterly. Our as TensorFlow or Azure) or bespoke. create their own simple if–then rules, future plans also include adding more and building applications with more academic and industrial partners to the END-USER EXPERIENCES complex logic. In addition to user-cre- IoT Expedition—we hope you’ll con- In addition to allowing end users to ated applications, through our living sider joining. build their own virtual sensors, a core labs at CMU we’re supporting a num- tenet of GIoTTO is strong user support ber of scenarios for the campus envi- for the installation, maintenance, ronment that GIoTTO users can repli- and control of an IoT environment, cate and use at their own sites (such as YUVRAJ AGARWAL is an assistant whether it’s a one-room office, a multi the coffee example described earlier). professor of computer science in room home, or a large factory. In all A future goal is making installa- the School of Computer Science at cases, the user experience should be tion as simple as possible, where new Carnegie Mellon University. Contact simple and seamless. objects are automatically added to the him at [email protected]. In addition to supporting virtual IoT environment and communicate sensors, we’re also working to support seamlessly with GIoTTO through sim- ANIND K. DEY is the Charles M. virtual actuators. A virtual actua- ple discovery protocols. Similarly, for Geschke Professor and director of tor can represent multiple actuators maintenance, built-in data analytics the Human–Computer Interaction where users can specify the action support should identify sensors and Institute at Carnegie Mellon Uni they want to occur, but don’t have to actuators that are malfunctioning or versity. Contact him at anind@ specify the object that performs the need new batteries, and alert users cs.cmu.edu. action. Instead, the infrastructure about how to fix them.

Subscribe today!

IEEE Computer Society’s newest magazine tackles the emerging technology of cloud computing.

The CLOUD CONVERGENCE computer.org/ 20 + Interoperability Challenges 42 + Sensor Data in the Cloud cloudcomputing 10

28 + Datacenter Trends and Challenges + Practical Cloud Security

+ Some amazingJULY 2014 also here MAY 2014 22 www.computer.org/cloudcomputing+ Some amazing also here 22 www.computer.org/cloudcomputing

SEPTEMBER 2014 www.computer.org/cloudcomputing APRIL 2016 43