
Smart devices: “Every household needs a digital chimney sweep”

20 Jun 2025

Computer scientist Johannes Kinder on the security gaps in smart household devices

Bluetooth toothbrushes, deeply embedded software, treacherous doorbells: At the heart of the International Conference on Applied Cryptography and Network Security (ACNS), which is taking place from 23 to 26 June, is the question of how we can make our increasingly connected everyday world more secure. Co-organizer Professor Johannes Kinder, Chair Professor of Programming Languages and Artificial Intelligence at LMU, explains how ordinary people can secure their households, what manufacturers need to do – and why lawyers and ethnographers are researching digital security.

Professor Johannes Kinder advises users to address issues relating to the security of digital devices. | © LMU / LCproductions

From Wi-Fi routers to smart household devices to fitness trackers, we’re surrounded by digital technologies every day. How secure is our data?

Johannes Kinder: It depends on what devices enter our homes: Many users have no idea that their refrigerator, robot vacuum cleaner, or television has long been part of the so-called Internet of Things (IoT) – that is to say, smart devices connected via the internet. Often these devices can no longer be purchased without internet connectivity.

Then we have smart doorbells like Amazon’s “Ring,” which constantly upload video data to the manufacturer’s servers, and high-end toothbrushes that transmit cleaning statistics to an app via Bluetooth. And if you buy a cheap smart lamp from an obscure provider, goodness knows where the collected data ends up – or whether the lamp ever gets security updates. All these devices have long been part of our infrastructure – but frequently without any maintenance.

Why are users so vulnerable?

One of the main reasons is the lack of updates. With cheap IoT devices, the manufacturer often disappears after the sale and security gaps are left forever unaddressed. In addition, a lot of data automatically goes to the cloud – effectively, the provider’s servers. If this data is not encrypted end to end, it is possible not only for hackers to access it, but also support personnel – from cloud service providers, say, or the manufacturer.

And last but not least, users are simply overwhelmed. Many people, for example, can’t handle the plethora of technical decisions when installing a new smartphone. This leads to resignation – and then even basic protections get overlooked. It’s important to talk about the risks of such smart everyday devices in the interests of lasting security. We need solutions that can be integrated as smoothly as possible into everyday life and do not require special technical knowledge.

Understanding software, discovering vulnerabilities in digital devices

So-called smart technology is often associated with security vulnerabilities that users are unaware of. | © IMAGO / Westend61

Which research approaches are you employing in order to achieve this?

In some situations my team and I focus on exact, logical techniques that allow certain security characteristics to be mathematically demonstrated, while in others we work on pragmatic analyses. Sometimes it’s about “understanding” software without having its source code – that is, the original program text written by the developers.

This is relevant, for example, in the case of older smart TVs, cheap devices from some obscure brand, or devices made by manufacturers who have long disappeared from the market. Then we look directly at the firmware binary files – in other words, the program code embedded deep within the device. Our IT tools help identify known weaknesses – such as outdated open-source libraries that have never been updated. Increasingly, we’re also employing artificial intelligence and machine learning to this end.

How do they help?

They’re expanding our capabilities in places where classical analytical methods reach their limits – by automatically recognizing complex patterns and risks. This is particularly helpful in the case of large, complex, or poorly documented systems. A neural network can recognize, for example, that different programs contain the same internal fault – even if they look totally different on the outside. This makes it possible to identify known weaknesses even without access to the source code.

Large language models help us prepare legal data protection rules such that they can be technically verified. A formulation like “personal data must be processed only with consent” is clear for humans – but for a computer it’s not comprehensible in the first instance. AI can translate such instructions into verifiable rules in the form of code or logic – and, conversely, check in the code whether these rules are being observed.

In addition, AI helps reveal human errors of reasoning in the code, unconscious faults that are often not recognizable to other people. AI can uncover such patterns specifically in the case of devices for which there are no more updates – and prepare targeted repairs.

What users should look out for


What can users themselves do to better protect themselves?

I advise people to look at security features when buying a device. So not just the camera quality, the voice control, or the apps, but also the update policy and whether the device also works without connection to the cloud. After all, when I buy a new car, I don’t just want it to look good, but for it to be safe as well.

Furthermore, I recommend activating end-to-end encryption everywhere. If you activate “Advanced Data Protection” for iCloud, for instance, you shield your photos from prying eyes – even if you must accept as a price that Apple cannot help if you lose your password.

It’s also a good idea to separate networks. Having a separate WLAN for smart light bulbs or curtains prevents malware from jumping from there to laptops or NAS systems. And finally, a device inventory. Most people own much more connected technology than they realize – including gifts that they tried once out of politeness and that have been lurking unnoticed in the network ever since.

What manufacturers of smart devices should do

How must digital infrastructure change for users to be able to protect themselves more effectively?

I wish manufacturers would develop devices with a focus on data protection and security from the beginning. In the case of new devices, for example, privacy protections should be preset as standard – and not have to be laboriously activated. There should be updates across the entire life cycle of a device – and transparent information about security testing. In addition, we need smart home platforms that work locally, without constant data transfer to the cloud. And clear quality marks: With cars, we all accept they need regular servicing. Why not have a digital inspection system for routers or connected household devices? Regular, verifiable, mandatory.

Interdisciplinary research for digital security

The Bavarian research association ForDaySec is addressing digital security on an interdisciplinary basis. Why is this important?

Because to achieve sustainable solutions that are suitable for everyday life, we have to combine technical and social perspectives. At ForDaySec, therefore, IT disciplines – ranging from cryptography to human-computer interaction – collaborate with lawyers, sociologists, and ethnographers. Researchers from the University of Passau, for example, are clarifying the effects of software updates on product liability. Sociologists in Nuremberg are investigating how companies deal with data in their everyday business – as a lot of problems are not technical in origin, but organizational. And an ethnographer is visiting households to research how devices are used. Many people are surprised how many unsafe devices they own.

On what project are you yourself working in the ForDaySec association?

We’re developing security solutions for devices that are more or less beyond updating. To this end, we extract the firmware, analyze the code, and compare program parts, say, against the CVE list – an international catalog of known weaknesses. Then we install targeted, extremely small binary patches – that is, changes to the program code – entirely without source code or manufacturer help.

Our goal is to subsequently make this minimally invasive micro-patching automatically available for many device types. It would be conceivable to have local testing services that regularly visit households, check devices, and repair them on site as required – sort of a digital chimney sweep. And for cases where this is technically no longer possible, we’re working on warning systems that at least alert users: “This device is potentially dangerous – please replace.”

Why is a conference like ACNS important right now in particular?

With ACNS, we’re bringing top-level research to Munich – from post-quantum cryptography to practice-oriented information technology, showing how smart TVs, car keys, or medical devices could be hacked. Europe needs this exchange to set its own standards. Many top conferences in this area have traditionally taken place in the United States – with increasing visa barriers that exclude whole groups of researchers.

What tips do you give people for dealing with smart technologies?

I’d encourage users to engage with the fundamental questions of digital security. You don’t have to be a technology expert to make the right decisions – but you do have to engage with the issue. My barber recently told me: “Your cellphone hears everything anyway – there’s nothing you can do about it.” That’s not true of course. When you’re clued in, you can achieve a lot by simple measures – whether with your Bluetooth toothbrush or your smart doorbell. A good primer is available, for example, on the website of the German Federal Office for Information Security.

For more information on digital security, see:

International Conference on Applied Cryptography and Network Security ACNS 2025

Bayerischer Forschungsverbund ForDaySec

Cybersecurity: “There is no 100% protection”
