2023–24 Projects:
The Internet of Things (IoT) is, in some sense, no different from just the internet. IoT devices have IP addresses, they communicate via various familiar protocols, they can run both client and server software, etc.
But many IoT devices (e.g. webcams, smart thermostats) also have characteristics that make them different from the more familiar networked devices (e.g. laptops, phones, routers). For example, many IoT devices are manufactured with no mechanism for providing software updates. Many are also set up with hard-coded administrator login credentials that are either unchangeable or typically left unchanged by their owners. In short, many IoT devices have serious security problems.
The insecurity of IoT devices started getting wide-spread attention in late 2016, when the Mirai software was used to create large botnet consisting mostly of IoT devices. This botnet was then used to launch a huge distributed denial-of-service attack against internet infrastructure companies like Dyn, and later against security researcher/journalist Brian Krebs. Since then, some IoT device manufacturers have started working to improve their security, and there are also larger-scale efforts underway (e.g. the recently announced Android Things 1.0).
But the security problems don't stop at devices that are easy to hack. There are also well-secured devices that may or may not be behaving the way their owners might wish them to. For example, what information, exactly, is your always-on-and-listening Amazon Echo sending to the mother ship? Maybe it's behaving like a model network citizen and only sending to the servers exactly the information you authorize by saying "Alexa" and then making a request. On the other hand, maybe it's also aggregating other information about your speech and sending that along to the servers with your next query. How would you know? Even if you trust Amazon, there's an increasing collection of IoT devices with microphones and cameras. And of course even trustable companies' software and hardware will have bugs that might be exploitable by attackers.
For the paranoid computer scientist, all of this creates a need for tools to help us keep track of what our devices are up to. Which devices are talking to which servers and when? Are their communications encrypted or in the clear? Are they running software with known vulnerabilities? Lemme just see if I can hack into my refrigerator...
For this project, you will play the role of this paranoid computer scientist and create an IoT monitoring tool. The feature set will surely evolve during your comps, but the top goal will be to create an easy-to-use tool for keeping track of the network behavior of the IoT (and other) devices on your local network.
Of course, we're not the only ones interested in developing such a tool. There are many other such products and projects. But building our own tool will be a great opportunity to develop your skills in network programming, protocol analysis, data visualization, etc.
The project will involve:
Also, as a weird perk of the project, you'll get to shop for a few example IoT devices, at least some of which you'll select for their known security problems.
Ideally, each member of this project will have taken either CS331 Computer Networks or CS231 Computer Security. But as long as most of the team has taken one of those courses and the rest are willing to work hard to learn the relevant networking concepts, the team should be fine. CS344 Human-Computer Interaction and CS314 Data Visualization would also be handy courses for at least one member of the team.