As most of us weigh the conveniences and challenges of Internet-connected “smart houses,” Adwait Nadkarni is thinking on a higher level altogether.
Nadkarni, an assistant professor in William & Mary’s Department of Computer Science, is thinking about smart cities.
“Smart-city technology is becoming more and more prevalent,” Nadkarni said. “We are seeing cases like New York, which has released a public wifi system, where the city now is your service provider, your ISP.”
It’s not just New York; Chicago is smartening up its traffic control system using Internet of Things (IoT) technology. And the trend continues: Even Williamsburg has launched a pilot program to provide free broadband. Nadkarni is the principal investigator on a project titled “A Systematic Evaluation of Smart City Security and Privacy,” funded by the Commonwealth Cyber Initiative (CCI).
CCI was established by the Virginia General Assembly in 2018 to bring together the research and innovation power of select commonwealth universities to address issues of cybersecurity technology and to support the state’s growth in the area.
To encourage inter-institutional collaboration, the CCI funds projects that involve researchers from two or more Virginia universities. Accordingly, the co-principal investigator on Nadkarni’s smart city project is Yuan Tian, assistant professor of computer science at the University of Virginia.
The goal of their project is to understand the full range of the tensions between security/privacy and functionality of the systems, then to design technology from the ground up to alleviate concerns and increase adoption of the smart features.
“It’s a measurement project,” Nadkarni explained. “‘Smart cities’ is a very broad term, because there are a number of projects going on. So, we want to see what those projects are doing. We want to know what the regulators think. We want to know what the designers themselves think.”
He gave the example of a city-wide wifi system. One of the first questions would concern the organization of the system: “Is there a central administrator or a bunch of administrators across the system?”
Then, attention can be directed to data collection, Nadkarni said. “What data is being collected? How privacy-sensitive is it?” he explained.
“And we want to know what the people using the system think,” he continued. “What do they think the city is planning to do with this data? We want to know what the actual concerns are.”
Nadkarni says managers of cities who are deploying IoT technology worry about security and privacy, just as do homeowners with smart doorbells and intelligent thermostats. But, he said, there are differences between a smart city and a smart home, and it’s not just a matter of scale.
“It’s not just the size,” he explained. “One thing we’re dealing with in this project is the sheer heterogeneity of the devices and deployments.”
Even the typical smart home is a heterogeneous assembly of devices from different vendors, each of which follows a different version of a technology stack. For instance, he said some smart home hardware uses low-energy protocols to communicate with a hub, while other devices can connect directly to the internet.
“At the smart-city level that just explodes,” Nadkarni said. “Now you have different ecosystems of vendors and devices. And cities don’t buy things the way we do at home.”
He said a homeowner looking to buy a smart camera will likely read reviews, looking for a device that balances cost with features and offers reasonable privacy. “And maybe wait for Black Friday to get your best bang for your buck,” he added. “Cities don’t work like that.”
Nadkarni explained that the municipal procurement system typically begins with a short list of vendors. The vendors submit proposals to the city based on price, features and other aspects.
“This may or may not result in cities getting the best or the most secure technology. That’s just the fact,” he said. “And they might even buy multiple pieces from multiple vendors and expect those pieces to just magically work together. That never happens.”
Increased scale plus increased heterogeneity can quickly make a smart city dumb. To keep cities reasonably intelligent, Nadkarni and Tian are starting at the whiteboard to map out a smart city.
“We want to determine what components and technical artifacts exist that we can evaluate,” Nadkarni said — mobile applications, cloud services, user interfaces and such. “Then we can perform systematic security evaluation on those individual artifacts to see exactly how secure they are.”
He said he and Tian are both familiar with smartphone security and privacy issues, so they will try smartphone-based approaches to a smart city project, but he added, “We may have to invent something else as well.”
It makes sense to start with smartphones, as Nadkarni says that from a security analysis perspective, the mobile application is often the weakest point in the system architecture.
“Users as well as administrators most often interact with the system using mobile apps,” Nadkarni said. “That’s the first place to look if you want to find a vulnerability.”