The CSPL will address a wide range of security and privacy issues that have profound impact on securing the cyberspace. In particular, it focuses on problems related to the financial technology, mobile applications, Internet of Things (IoT), and the underlying Internet infrastructure. As the financial industry is quickly adopting ICT for various kinds of transactions, notably mobile payment and banking, security and privacy is obviously a determining factor for its sustainability. Smartphones and many mobile apps are vulnerable to various forms of attacks that could compromise the device or leak out personal information. Furthermore, many IoT devices, such as home routers, RFID and smart tags, are prone to cyberspace attacks or become attack sources themselves. Finally, common to various cyberspace applications is the security of the Internet infrastructure which provides a common backbone for different applications.
1. Financial Technology Security and Privacy
FinTech, or the use of technology and innovative business models in financial services, is changing the ways financial services are being offered. It covers payments, financial data analytics, financial software, digitized process and payment platforms. It is estimated that in 2015, the market size of FinTech reaches $20 billion, a number that has increased by more than 60% from previous year. While FinTech could be the next game changer, especially for small businesses, it also brings new risks. Needless to say, security is of utmost important when we are working with financial data. FinTech is highly relevant to our society as Hong Kong is a leading financial center around the globe. The CSPL plans to contribute towards the vision of having Hong Kong as a FinTech Hub, through working closely with all stakeholders to help protect the software, platforms, and infrastructures against existing and upcoming attacks.
2. Mobile Security and Privacy
As smartphone has become an indispensable part of our daily lives, users are very concerned about the security and privacy of their smartphones and the sensitive information therein. On one hand, the rapid growth and the sheer number of mobile malwares pose a severe threat to users and great challenges to malware analysis techniques. On the other hand, lots of apps are vulnerable to various attacks and even major mobile operating systems have been hacked for many times. The CSPL plans to develop novel methodologies and systems to defend against advanced mobile malware, to discover vulnerabilities in mobile apps and mobile operating systems, and to protect mobile users from various attacks.
3. IoT Security and Privacy
IoT has become a major paradigm in using the Internet for a wide range of applications, from smart tags to cyber cars. However, security problems in IoT have not been fully solved. Security issues in RFID systems include signal collision resolution, tag ID privacy protection and trust management. Security issues in WSNs comprise cryptographic algorithm design, key management, secure routing protocol and trust management of data and nodes. Transportation lay security problems involve the access network security, e.g., Wi-Fi security and 3G/4G security, and traditional core network problems, e.g., DoS attacks and prevention. Application-layer security problems include various security threats to distinct IoT applications, service interruption and attacks. The CSPL lab will perform research in different layers of IoT systems.
4. Internet Infrastructure Security and Privacy
Internet protocols, web services, and other infrastructural elements have suffered from different kinds of attacks since 2000. Among them, distributed denial-of-service (DDoS) attack remains the most serious and hard-to-defend attacks. Not only the scales of the attacks are on the rise, they are increasingly motivated by monetary profits. Many Internet protocols and systems, such as BGP and DNS, are also susceptible to attacks, because they were not designed initially with security goals. On the end-to-end communications, business and many non-business transactions in the Internet rely on SSL/TLS for end-to-end encryption and authentication. However, research communities and industry continue to find new and serious vulnerabilities in the latest SSL/TLS. The CSPL plans to investigate, for example, how data centers and ISPs can work together to diffuse DDoS attacks, and how routing protocols and SSl/TLS can be further secured for electronic payment and other FinTech applications.