Security vs. Innovation

Carnegie Mellon's exploration of new Internet of Things technologies pairs innovation with security research.

Last month, Carnegie Mellon University announced it would lead an expedition to explore new technologies for the Internet of Things (IoT). The Google-funded venture will "saturate the CMU campus with sensors and infrastructure, recruit students and other campus members to create and use novel IoT apps, and eventually expand these efforts to the wider Pittsburgh community," according to a university statement.

The project is geared toward innovation and openness, encouraging the deployment of IoT sensors across the campus and allowing anyone to participate in their use. "An early milestone will include the development of our IoT appstore, where any campus member and the larger research community will be able to develop and share an IoT script, action, multiple-sensor feed, or application easily and widely," said Anind Dey, lead investigator of the expedition and director of CMU's Human-Computer Interaction Institute. For example, researchers have already created an app called Snap2It, which allows users to connect to a printer or projector by taking a photo of it with their smartphone, and Impromptu, which accesses apps as needed for a particular location (such as a public transit app when the user is at a bus stop).

The flip side of all that innovation is the need to manage security and privacy. A second team of CMU researchers will develop "personalized privacy assistants," technology that will "help users configure the many privacy settings necessary to ensure that they retain adequate control over their data," said Norman Sadeh, a professor of computer science at CMU.  

But will that be enough? "Smart" IoT devices are notoriously dumb when it comes to security. In a recent conversation with me about cybersecurity issues in higher ed, a CISO from a major university recalled nixing a proposal for a networked vending machine because it processed credit card transactions yet did not have adequate security tech in place. The device may have seemed innovative to students, but could not stand up to PCI compliance requirements. Overall, a lack of standardized security protocols and the sheer variety of devices and sensitive data make for a complicated IoT security landscape — one the average user is ill-equipped to navigate.   

Users' lack of awareness about cybersecurity issues is a perennial problem that goes beyond the Internet of Things, as discussed in this month's feature, "Data Security in Higher Ed: A Moving Target." Not only are universities a tempting target — with "huge repositories of monetizable data," as CDW Director of Security Solutions Sadik Al-Abdulla noted — but faculty, staff and students often fail to realize that the information they have access to may be sensitive.

"People don't think a class roster is sensitive data, but it can be," Jessica States, information security officer at Fort Hays State University, told us. "They look at a list and think that nobody cares about all these names and addresses, but I look at it and think, 'Oh no!'"

With a campus full of IoT sensors and a heck of a lot of data flying around, CMU's security researchers certainly have their work cut out for them.

About the Author

Rhea Kelly is editor in chief for Campus Technology, THE Journal, and Spaces4Learning. She can be reached at [email protected].
