Control your smart home via voice commands and a display, and keep an eye on your door, fridge and heating at all times. That is the promise of a device sold by a major online retailer. But what sounds convenient has a downside: the device is vulnerable, and attackers can use it as a way into the connected home.
Researchers from the Bavarian research consortium "Security in the Digitalisation of Everyday Life" (ForDaySec) discovered the device's vulnerabilities and informed those responsible. "As a result, even the press spokesperson for this major online retailer had to grapple with our research findings," explained Professor Stefan Katzenbeisser from the University of Passau at the consortium's closing event in Munich, held under the title "Beyond Awareness – Cybersecurity in Everyday Life".
Over the past four years, the interdisciplinary consortium, coordinated from Passau, has investigated security vulnerabilities in everyday digital life. What sets this project apart is that the focus was not primarily on the technical perspective, but rather on users who wish to continue using outdated yet functional devices, as well as on manufacturers and their responsibilities beyond the point of purchase. In addition to IT security researchers, the project also involved researchers from the fields of sociology, ethnography and law. “Security must not be viewed solely as a technical matter; one must also take people into account,” explained Professor Katzenbeisser.
He received support for this stance from the prominent guest speakers at the event, including Caroline Krohn-Atug from the Federal Office for Information Security (BSI). Her aim is to bring consumers on board with cyber security. While public debate concentrates on data centres, she argued, private households are often the more exposed target, and raising awareness alone is not enough: a cultural shift is needed.
As an example, she cited ransomware attacks, in which attackers encrypt data and offer to restore it only in exchange for a ransom payment. By the figures she cited, these cause around 200 billion euros in damage annually. They often begin with phishing emails, fraudulent messages designed to trick users into revealing sensitive data or following a malicious link. Around 360 billion emails are sent every day, and every single one can provide an opportunity for attack. "It is not enough to tell consumers: 'Don't click on the link in the email.' The BSI is therefore trying to reduce risks at an early stage so that people do not find themselves in the awkward position of having to act as the last line of defence in the first place." She emphasised the importance of interdisciplinary research within the ForDaySec network, as this provides important impetus for authorities such as the BSI.
The keynote speech by tech journalist Eva Wolfangel took a similar line. Her research shows how professionally cybercrime is organised today: some specialists build deceptively authentic copies of bank websites, others apply psychological know-how to win people's trust, and still others deliberately erase the digital tracks. When it comes to the crunch, an individual user is therefore facing an entire armada of cybercriminals, and it is unrealistic to rely on consumers' common sense alone.
At the same time, Wolfangel criticised traditional training methods in companies. These include, for example, simulated phishing emails used to test employees. She argues that such measures have little effect. “When in doubt, users think: ‘I’m simply too stupid to spot emails like that.’” Wolfangel therefore calls for a shift in thinking within the IT sector: it is not the users who are the weak link, but the system. “The biggest problem in IT security is not the person sitting in front of the screen, as is so often claimed, but security measures that are impractical for most people,” she says.
To address the problem described at the outset, ForDaySec developed a prototype: a security monitor that is placed in front of devices with potential security vulnerabilities. Put simply, the monitor performs a kind of digital identity check on the device. It relies on cryptographic signatures, digital credentials that can be produced only with a key held on that specific device and that cannot be forged without it. An attacker who intercepts the traffic therefore cannot produce valid signatures of their own. The check runs automatically in the background, with no extra effort for users.
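As an added illustration, and not ForDaySec's prototype code (the event did not show any), the following Go program sketches how a monitor placed in front of a device can perform such a signature-based identity check. It assumes an Ed25519 key pair per device whose private half stays on the device, a monitor that receives the public half at enrolment, and a challenge-response exchange with a fresh random nonce. The nonce is the assumption that makes an intercepted response useless: a replayed response, or a signature from a key the monitor never enrolled, is rejected. Device names such as fridge-01 are made up for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain-separation prefix so a signature produced for this exchange cannot be
// reused as a signature over some other message format (assumption of this demo).
const domain = "device-auth-v1\x00"

// Device models the appliance: the private key never leaves it (assumption).
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// Monitor models the box in front of the device. It holds only public keys
// and remembers which challenge it last issued to each device.
type Monitor struct {
	known   map[string]ed25519.PublicKey
	pending map[string][]byte
}

// NewDevice generates a fresh Ed25519 key pair; the public half is handed to
// the monitor at enrolment, the private half stays inside the device.
func NewDevice(id string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, priv: priv}, pub, nil
}

func NewMonitor() *Monitor {
	return &Monitor{known: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers a device's public key (out of band, e.g. at installation).
func (m *Monitor) Enroll(id string, pub ed25519.PublicKey) { m.known[id] = pub }

// signedMessage binds the device identity and the fresh nonce to what is signed.
func signedMessage(id string, nonce []byte) []byte {
	msg := []byte(domain + id + "\x00")
	return append(msg, nonce...)
}

// Challenge issues a fresh 32-byte random nonce for an enrolled device. A new
// challenge replaces any outstanding one, so each nonce is usable once.
func (m *Monitor) Challenge(id string) ([]byte, error) {
	if _, ok := m.known[id]; !ok {
		return nil, fmt.Errorf("unknown device %q", id)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	m.pending[id] = nonce
	return nonce, nil
}

// Respond is the device's side: sign the challenge with its private key.
func (d *Device) Respond(nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(d.ID, nonce))
}

// Verify accepts a response only if the device is enrolled, the nonce is the
// one currently outstanding for it, and the signature checks under the
// enrolled public key. The nonce is consumed either way, so an intercepted
// response cannot be replayed.
func (m *Monitor) Verify(id string, nonce, sig []byte) error {
	pub, ok := m.known[id]
	if !ok {
		return fmt.Errorf("unknown device %q", id)
	}
	want, ok := m.pending[id]
	delete(m.pending, id)
	if !ok || !bytes.Equal(want, nonce) {
		return errors.New("no outstanding challenge matches this nonce (replay or stale response)")
	}
	if !ed25519.Verify(pub, signedMessage(id, nonce), sig) {
		return errors.New("signature does not verify under the enrolled key (forged or wrong device)")
	}
	return nil
}

func main() {
	dev, pub, err := NewDevice("fridge-01")
	if err != nil {
		panic(err)
	}
	mon := NewMonitor()
	mon.Enroll("fridge-01", pub)

	nonce, _ := mon.Challenge("fridge-01")
	sig := dev.Respond(nonce)
	fmt.Println("genuine device:", mon.Verify("fridge-01", nonce, sig))    // <nil>
	fmt.Println("replayed response:", mon.Verify("fridge-01", nonce, sig)) // error

	impostor, _, _ := NewDevice("fridge-01") // same ID, different (unenrolled) key
	nonce2, _ := mon.Challenge("fridge-01")
	fmt.Println("impostor:", mon.Verify("fridge-01", nonce2, impostor.Respond(nonce2))) // error
}
```

Run it with go run: the genuine device verifies, the replay and the impostor are rejected. The nonce is the part a practitioner should not skip. A static signed token, however strong the signature, can be captured once and replayed, which is why the monitor here consumes each challenge on first use.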
Legal issues also played a role in the research consortium. The situation is complex, says Prof. Dr Thomas Riehm of the University of Passau. Various interests need to be weighed against one another. “On the one hand, there is the public interest in IT security, which we all share,” explains the holder of the Chair of German and European Private Law, Civil Procedure and Legal Theory. “On the other hand, there is the interest of users in retaining a device that functions as they had envisaged, meaning its operation is not subsequently altered by updates.”
A key finding of the consortium: interdisciplinary collaboration is crucial for addressing the challenges of everyday digital security. “The importance of Bavaria-wide networking and interdisciplinary work cannot be overstated,” says Professor Dominik Herrmann, holder of the Chair of Privacy and Security in Information Systems at the University of Bamberg and moderator of the event in Munich. It is only the interplay of technology, law and the social sciences that makes solutions possible which stand the test of everyday life.
This text was machine-translated from German.
Since April 2022, the Bavarian research consortium “Security in the Digitalisation of Everyday Life” (ForDaySec) has been investigating innovative technical approaches to cybersecurity for private households, small and medium-sized enterprises, and public administration. In addition to the University of Passau, which coordinates the consortium, participants include the Technical University of Munich, Friedrich-Alexander University Erlangen-Nuremberg, Otto Friedrich University of Bamberg and Ludwig Maximilian University of Munich. The consortium is funded by the Bavarian State Ministry of Science and the Arts.