
Carnegie Mellon professor gets $1.1M to secure appliances

Wednesday, July 27, 2016, 11:00 p.m.

How secure is your toaster?

It's a question you're probably not asking now, but one that Vyas Sekar, an assistant professor in Carnegie Mellon University's department of Electrical and Computer Engineering, says we should consider.

Hackers will have many more gateways into personal data, business accounts or public infrastructure as more and more toasters, refrigerators, light switches, garage doors, outlets, thermostats, cars and other items are connected to the Internet.

“There's a saying in network security that your network is only as secure as your weakest link, and these could become the weakest link,” Sekar, a faculty member in CMU's CyLab Security and Privacy Institute, said.

The National Science Foundation recently awarded Sekar $1.1 million over the next four years to design a shield that can protect the Internet of Things from cyber attacks. The Internet of Things, shortened to IoT, includes Wi-Fi-enabled light switches that sense when a room is empty and turn off, thermostats that automatically change temperatures throughout the day, cars that can talk to each other and to traffic signals, baby monitors that stream to your mobile phone and even refrigerators that can access your Google calendar.

Gartner Inc., an information technology research and advisory company, predicts 6.4 billion things will be connected to the Internet of Things by the end of the year. About 5.5 million new things will be connected every day. By 2020, 20.8 billion things will be connected.

Sekar said most connected appliances, machines and devices aren't designed with robust cyber security measures in mind. They often won't allow anti-virus or anti-malware software and can't be updated to protect against emerging threats. Connected devices can store personal data, like when you leave and return to your house; provide gateways for hackers to get into personal networks where credit cards might be stored; and be vulnerable to someone else taking control.

“This is a conversation we should be having right now. These kinds of threats are not hypothetical,” Sekar said.

“Imagine I take over a car, and this car goes crazy and starts causing accidents.”

Pittsburgher Chris Valasek and Charlie Miller, of St. Louis, hacked into and remotely controlled a Jeep Cherokee last year. Baby monitors have been hacked to let strangers spy. Hackers turned at least one refrigerator into a spam machine as part of a botnet attack in late 2013 and early 2014 that sent out more than 750,000 emails.

Greg Puschnigg works in the Internet of Things. He is CEO of BOSS Controls in Pittsburgh's Bloomfield neighborhood, which sells smart plugs and switches that are connected to a network to monitor power usage and can be turned on and off remotely to control it. His plugs were installed last week in the City-County Building as part of the city's efforts to monitor and cut energy costs. Puschnigg said his products can cut energy use by 30 percent for small- to medium-sized buildings.

BOSS connects its products over a Wi-Fi network, and Puschnigg said with the right encryption and security controls, the networks can be safe. The problem, he said, is that many people don't take the steps necessary to protect their networks.

“Our devices go on the network, so we are as secure as the network,” Puschnigg said. “When you don't follow the rules, it can be hacked, and that's what happens.”

Puschnigg said his company set up a separate network at the City-County Building to connect the outlets. If someone could hack in, they wouldn't have access to information stored and sent over a different network. They might be able to turn on all the lights in the middle of the night.

“I assure you, no hackers are interested in that,” Puschnigg said.

Aaron Aupperlee is a Tribune-Review staff writer. Reach him at 412-320-7986.
