Imperial College London

  • CO447H: Advanced Security in Smartphone and IoT Systems (Spring 2019)

In contrast with traditional ubiquitous computing, IoT devices use new user-interaction modalities, are more complex, and are interconnected. Thus they introduce new attack surfaces which can result in financial, emotional and physical harm to individuals: the Mirai botnet exploited myriads of insecure IoT devices to bring down a swathe of popular online services; adversaries took advantage of vulnerable smart baby monitors to scream at babies; intelligent vehicles were remotely attacked allowing an adversary to take control of steering, brake and transmission functions.

IoT is broad topic encompassing different disciplines and applications. In this module we aim to explore security and privacy challenges in different application domains of IoT. We will explore classical and state of the art security and privacy papers in the consumer space (smartphones, smarthome systems, drones and automobiles) and the industrial domain (power grid). The module aims to familiarize students in these emerging application domains of IoT and help them through paper reviews, presentations and discussions, to develop research and critical thinking skills to both assess and design the security of such systems. The module has one term-long project aiming to produce either a technological entrepreneurial solution for IoT or a conference/workshop quality research paper. The best projects will win awards and the instructor’s commitment to help towards submission at a renowned conference.

University of Illinois at Urbana-Champaign

I have been teaching the Mobile Security Topics in CS463 and CS563 at the University of Illinois at Urbana-Champaign since 2014.

I usually lead two 75-minute lectures in the context of the “Computer Security II (CS463)” course at the University of Illinois at Urbana-Champaign. The goal of the lectures is to introduce students to security and privacy issues related to mobile devices with a focus on smartphones. We draw a comparison between traditional computer security and how the attack surface transforms with the advent of smart mobile devices.

Topics covered in the first lecture include iOS security mechanisms and Android security models. In the second lecture we cover mobile advertising and risks on Android, side channel attacks on Android and defense mechanisms; bluetooth attacks on Android, attacks on external resources on Android, SELinux on Android. The lectures are commonly augmented with a machine problem to provide students with a hands on experience on how adversaries can take advantage of mobile OS security limitations. In the past we have asked students to develop a side-channel privacy attack from a userspace mobile application and to simulate a privacy attack by a malicious mobile advertising library .

For this class I introduce state of the art papers in security and privacy in mobile advertising. Papers presented include but are not limited to the following: “Unsafe exposure analysis of mobile in-app advertisements” by Grace et. al; “AdSplit: separating smartphone advertising from applications” by Shekhar et. al; and “AdDroid: privilege separation for applications and advertisers in Android” by Pearce et. al.

In Fall 2017, I presented a lecture on IoT Security, introducing all academic work and articles reported on the WWW from 2010 until 2017. I classified the papers into attack and defense papers. Next I discussed each paper with respect to five main problem areas in IoT, different solution approaches and a variety of security assessment properties.