Without much hope, Sara Nieves Matheu (Murcia, 29 years old) filled out a couple of applications at the beginning of the year to participate in two computer research competitions. One summer day, she received a call. The next day, another. She had won both. One of them was the research award from the Spanish Scientific Information Society and the BBVA Foundation, which gave six awards in this category, each worth 5,000 euros. Matheu is the only woman to receive it this year. Since she was little she has been passionate about numbers and, while studying a pilot program in Mathematics and Computer Science at the University of Murcia, she discovered cybersecurity, the perfect synergy between both branches. She confesses to having suffered machismo in the cyber world on more than one occasion. Once, a repair shop clerk blamed her for the computer not working: "I had to convince a classmate to go instead, because the clerk thought I was a crazy person who was tinkering with the computer without having any idea".
The award recognizes her doctoral thesis, carried out at the same university from which she graduated. For four years, Matheu has designed a system to assess the security of smart devices connected to the Internet of Things. As she explained during a conversation at the BBVA Foundation headquarters hours before receiving the award, the devices that surround us at home and at work can be vulnerable to computer attacks, with different consequences. From toys used by children to a washing machine with Wi-Fi, any appliance can be affected. Matheu proposes that, just as household appliances have an energy efficiency label, home surveillance cameras or a talking doll should also be analyzed and classified. In 2017 the OCU went so far as to request that network-connected toys that posed security risks be withdrawn. With the labeling system proposed by the young Murcian, consumers could know in advance what they are exposed to.
Question: Most of the population drives a car without knowing its mechanism. In the same way, the internet of things is becoming more and more a part of our lives even though we do not know exactly what it consists of. Could you explain it?
Answer: It is quite simple: they are all those tiny devices that surround us and that are connected to the internet sharing information, be it the washing machines, the bracelets that we all wear on our wrist to measure the heartbeat or the steps, the smart cards, the cameras that we have in our homes in case they enter to rob … All that is the internet of things.
Q: Your research focuses on discovering how the security of these devices can be compromised. What do you propose to make them safer?
A: I analyze how they can be violated and to what extent they are protected, so that the consumer knows it when they go to buy them. The idea is to create a way to evaluate these devices that is easy and cheap, as well as automatic. The manufacturer of a sensor or a camera, for example, cannot wait a year, because in that time another version has already been launched on the market. The system we propose is also objective: there is a list with which the expert evaluates the security and sees if the device meets each parameter or not. This is linked to empirical tests: the system is attacked and certain metrics and numbers are obtained that provide the level of security. With that number, we create the label.
Q: What would that label be like?
A: It’s basically a spider diagram, so the larger the area, the higher the risk. It has a visual aspect – similar to energy efficiency – that sticks to the device. When you go to buy it, you can see if it has a lot of security or little. It is also important that it is dynamic, because something can be evaluated today, but tomorrow it suffers an attack and the label no longer works. The idea is that it has a QR code so that it can be updated.
Q: What does it take to get that system up and running?
A: Above all, support is needed from the European Union. It is finally going to implement a regulation and they are focusing mainly on the internet of things, the cloud and 5G. They are taking ideas from us, like the label and the profiles. The profiles serve to take into account the contexts: it is not the same to speak of military security as of security in a hospital. From there, this generic evaluation mechanism could be created at the European level, but the support of the entities that regulate the laws is needed.
Q: How long can it take for people to see it on the gadgets they buy?
A: Since they expressed their intention to start in Europe until now, I think three or four years have passed, so maybe in three or four more years we will start to see labels on the products. Anyway, there are already organizations in the US, for example, that also propose this system. There is a breakthrough and a will to establish it.
Q: What kinds of devices can be most vulnerable?
A: It depends on the function they fulfill. The problem is that, even if it is a very silly device, such as a surveillance camera (if they hack it, they can enter and steal), if cybercriminals agree and attack the devices of many houses in the world at the same time to reach more important servers, such as those of an electric company or those of a hospital, the consequences can be very serious. And it is more common than it seems.
Q: We often think that only companies and organizations suffer cyberattacks …
A: It also happens in homes. I was also attacked recently. There was a well-known application to scan documents with your mobile and it was discovered that it had a vulnerability and that hackers used it to mine bitcoins from your mobile. In this case you were annoyed by the performance of the phone, but it could be more serious. It happens with children’s toys, which are a very sweet target. I remember a case of a talking toy … The hacker attacked it and talked to the boy saying he was Santa Claus. He could obtain information about the child, conversations … and store recordings that would help him convince other children that he was one of them, so that cases of pedophilia could occur. There have been several toy brands that have come under attack. The system that we propose would serve for these cases.
Q: Do you think that labeling will end up being a mandatory measure?
A: In the evaluation system there are several levels: from when the company itself evaluates the safety of the product, to when the organization goes to the company, evaluates the product, attacks it and certifies that it is safe. Perhaps in Europe the minimum level does end up being mandatory.
Q: Where is your research headed?
A: Until now, we have focused on isolated devices, but a system is made up of many, many devices. Imagine an automatic car that has a bunch of internet of things devices. If one fails, others may fail due to the cascade effect. The idea now is to analyze these dependencies and make them part of the security measure that we are obtaining. We also want to be able to share the information if a device manufacturer discovers a vulnerability in the product. We are linking that with certification. If a vulnerability is discovered, we want it to reach the entity that makes the certifications, the product is re-evaluated … and the label is updated.