A Systematic Evaluation of Smart City Security and Privacy
Coastal Virginia Node
Adwait Nadkarni, assistant professor of computer science and director of the Secure Platforms Lab (SPL), The College of William & Mary.
Yuan Tian, assistant professor, computer science, University of Virginia
Fueled by lessons learned from small-scale deployments (e.g., smart homes), we are beginning to see efforts at realizing the smart city vision—futuristic cities with various levels of autonomy and cyber-physical control over traditionally manual processes. However, the security and privacy implications of such large-scale deployments are understudied, with the primary challenge being their scale and complexity, caused by the deployment of devices and services with varied technology stacks, and for heterogeneous use cases, which is far beyond relatively small smart home deployments. This proposal seeks to bridge this gap by developing systematic methods to investigate the security and privacy of smart public spaces, i.e., larger deployments of IoT devices (e.g., in office buildings/streets) that constitute smart cities. We propose an empirical approach for evaluating smart public space deployments by formulating two research goals: (1) evaluating the security of network communication, and (2) analyzing the privacy implications of centralized management, particularly in terms of what administrators can observe, and how users perceive such observations. Our scalable research methodology systematically leverages well-founded techniques such as static and dynamic analysis, formal modeling, statistical language modeling, natural language processing, and user-studies. While our approach is general, we aim to evaluate it using the UVA Living Link Lab, a large-scale smart public space testbed. If successful, this proposal this proposal will develop a methodological understanding of the security and privacy challenges in smart city adoption, and an empirical foundation for future research on secure IoT communication as well as usable and privacy-preserving interfaces.