Josef Ressel Center for Security Analysis of IoT Devices

The world we live in is becoming more and more digital. An important step in this digitization process is to equip objects or "things" from the physical world with the functionality to connect to other "things" via a network, usually the Internet, and thus exploit jointly collected data. The umbrella term that encompasses all of these networked "things" is the Internet of Things (IoT). IoT devices are increasingly being used by both industry ('Industrial IoT' (IIoT)) and citizens ('Consumer IoT' [CIoT]). Typical CIoT devices include routers, smartphones, but also formerly "non-smart" everyday objects such as smartwatches, refrigerators, light bulbs, door locks, toys or washing machines. Concepts such as the "Smart City" are also becoming increasingly widespread, with the primary aim of making public infrastructure smarter and more digital.

As IoT devices become part of our daily lives, it is becoming increasingly important to evaluate their security. For example, at the end of October 2021, the European Commission decided that all wirelessly connected devices and products launched within the EU will have to meet certain security standards from around mid-2024.

The goal of this JR Center is to evaluate the security of a wide variety of IoT devices in a systematic, reliable, and ideally fully automated manner. The need for this analysis arises from several aspects. For example, due to certain limitations, the application of standard security technologies for non-IoT devices to IoT devices is not yet possible. Such limitations may include computing power, storage space, power supply, or data rate. However, as long as consumers have little awareness of the security of their devices and are therefore not willing to spend more on more secure products, manufacturers have little incentive to invest in more secure IoT devices.

The sheer number of different IoT devices available demands that security evaluation happens in an automated way. Accordingly, the focus of this JR Center is an automated security evaluation of (C)IoT devices, also in the Smart City context. Furthermore, the JR Center is dedicated to answering the question of how physical attacks and the entire data transmission can also be included in this security evaluation. This is the first time that an independent certification of these increasingly important devices is within reach and a possibility is created to verify the conformity of IoT devices to given security guidelines. Furthermore, the research results can form a basis for evaluating IIoT or IoT e.g., in the healthcare sector. All these topics are expected to remain relevant to society far beyond the lifetime of the JR Center.