07 IoT Security & Privacy
Posted by Superadmin on December 11 2015 05:35:29
There is one huge problem with IoT, however, and reading the last section may well have alerted you to it. For manufacturers, vendors and marketers, the availability of consumer data flowing from devices to their CRM and analytic engines is wonderful. However, there are serious privacy issues. It is important that we do not trivialize these issues, because for some consumers – and probably a large percentage – IoT’s incessant data gathering and propagation will actually lead to a more stressful life rather than a beneficial one. As a brief example, consider the following:

- Having IoT devices such as a smart car self-diagnose a potential fault and send data to the service centre so that they can arrange an appointment for repair
- Having light bulbs automatically reorder replacements when they sense an imminent failure
- Having your toothbrush notify your dentist of a potential cavity so that they can arrange an appointment

These scenarios may sound like some utopian dream to the wealthy. However, they are not likely to be seen that way by those who struggle to make ends meet financially every month. Indeed, for the financially challenged, it is likely to be more stressful than beneficial. Certainly, it will allow people to be more proactive in organizing their lives.

However, when struggling financially during the weeks before payday, will that person want the vehicle service center, dentist and hardware store pestering them for business?

Furthermore, let us consider smartphones. These are real, existing, ubiquitous IoT devices, packed with sensors and communication channels. When smartphones were initially introduced, they found wide acceptance by the public. This public acceptance came without people actually being aware of what these devices were doing in the background. Few consumers knew, for example, that many mobile applications could switch on the camera and microphone, or ascertain the owner’s GPS location, to effectively spy on them. Developers receiving this data through back channels could tell where that person was, how fast they were moving, what they had been browsing, and what brand and model of phone they were using. Subsequently, the app developers realized there was a market for this data, as advertising agencies would pay for this information because it enabled them to focus their advertising on current location.

Here lies one of the major inhibitors to IoT adoption: the inherent issue with IoT security and privacy. The point here is that many consumers were unaware that their smartphone was collecting and forwarding their personal data to the application developers or subsequently to marketing houses. Consumers are no longer naïve; they have learnt from the smartphone experience, and they want to know how vendors can secure the data and protect their privacy without effectively disabling the device.

Security, privacy and safety concerns are the largest single barrier to IoT and M2M technology adoption with regulation and compliance issues a close second on the list. However, both of these are key components of identity and access management and that is one of the major clues to how we go about addressing both these concerns.

The challenges need to address the common paradox of security versus convenience. The individual issues are:
- Device identification
- Device authorization
- Device user-association
- Classification of the data

The latter item involves determining the nature of the data collected, stored and forwarded by the devices, as that will determine the priority and security levels. However, in order to find a solution, we will need a technique that requires little human intervention, as relying on manual steps would defeat many of the goals of IoT.

Other challenges, which are not unique to IoT, arise because measures considered traditional security are not suitable for devices that have the following characteristics:
- Low resources
- Low encryption capabilities
- Limited clock synchronization
- Limited upgrade capacity

These characteristics, particularly low processor and memory resources, are major challenges, as even on modern PCs and laptops encryption consumes large amounts of available resources. Similarly, for encryption to be effective in the TCP/IP digital world, there has to be connectivity to exchange keys, and synchronization between devices so that they know when to refresh the keys.

Although the challenges of IoT security differ from traditional network security, due to the size and capabilities of the devices, the actual security design goals remain the same:
- Design in security – don’t try to add it later
- Keep security simple
- Use existing standards
- Security by obscurity is no security at all
- Encrypt all sensitive data at rest and in transit
- Use existing tested cryptographic blocks
- Always implement Identity and Access Management – it is not optional
- Develop a realistic threat plan through diligent risk assessment

For network security, the goals and techniques are the same as with traditional networks, inasmuch as you should limit the open ports to only those strictly necessary. Also, test for vulnerabilities and mitigate common exploits such as buffer overflows and DoS attacks. You should also assume that the devices are accessible from both the internal and external networks, and treat threats accordingly. Other common security steps are to ensure that default settings are changed and that strict authentication is applied via an IAM solution. The use of Identity and Access Management is vital in IoT due to the potential size of the networks – there may be thousands of nodes. Furthermore, in IT and business scenarios, IoT will have to meet the same stringent regulatory compliance measures as any other IT device. IAM can alleviate much of the pain, and save a lot of money and man hours that would otherwise be spent manually trying to administer, audit and report on compliance and regulatory issues.

Authenticating and authorizing devices goes a long way towards securing an IoT network. However, one of the most common failings regarding network security is not with the devices themselves but with the data in transit. Often either the front-end or the back-end traffic is transported unencrypted, leaving it susceptible to interception and replay through man-in-the-middle attacks. For that reason, traffic between devices should always be encrypted, using secure channels that use strong keys of good length and good algorithms.
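As an added illustration (not code from the original post), here is how a gateway could identify a device, authenticate its message and reject a replayed frame. It uses a per-device key and a message counter instead of timestamps, because the devices described above may lack synchronized clocks. The frame layout, device IDs and keys are constructed assumptions, and the sketch authenticates only: payload confidentiality still comes from the encrypted channel.

```python
import hashlib
import hmac
import struct

# Constructed registry: device ID -> per-device secret provisioned at enrolment.
DEVICE_KEYS = {b"bulb-0001": b"k" * 32, b"car-0042": b"c" * 32}
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(device_id: bytes, key: bytes, counter: int, payload: bytes) -> bytes:
    """Device side. Frame = id_len(1) | id | counter(8) | payload | tag(32)."""
    body = bytes([len(device_id)]) + device_id + struct.pack("!Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Checks device identity and message integrity, and rejects replays."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def accept(self, frame: bytes):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(frame) < 1 + 8 + TAG_LEN or len(frame) < 1 + frame[0] + 8 + TAG_LEN:
            return ("malformed", None)
        id_len = frame[0]
        device_id = frame[1:1 + id_len]
        key = self.keys.get(device_id)
        if key is None:
            return ("unknown-device", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison; the counter is trusted only after this passes.
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return ("bad-tag", None)
        (counter,) = struct.unpack("!Q", frame[1 + id_len:1 + id_len + 8])
        if counter <= self.last_counter.get(device_id, -1):
            return ("replay", None)  # captured or stale frame sent again
        self.last_counter[device_id] = counter
        return ("ok", frame[1 + id_len + 8:-TAG_LEN])
```

The device must persist its counter across reboots, otherwise its own legitimate frames will be rejected as replays.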

Privacy Concerns

Privacy differs from security inasmuch as security’s task is to secure the confidentiality, integrity and availability of the data. However, security doesn’t really care what the contents of the data are, and this is where privacy comes into play. Privacy concerns itself with devices only extracting information about their environment that is relevant to their function. Therefore, when we implement privacy we need to consider:
- Collect only the minimum necessary data that allows a device to function
- Do not collect information ‘on the fly’; the owner of the device should be aware of what data is being collected, stored and forwarded, and why
- Ensure any collected data is encrypted
- Ensure the device properly protects personal data
- Ensure IAM provides authorization to forward data to other nodes or third parties
- Ensure there are no backdoors or back communication channels to vendors, developers or manufacturers
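The following added sketch (not from the original post) shows how data minimization, data classification and authorization to forward could be enforced together at the point where a reading leaves a device or gateway. The device types, field names, classification levels and recipients are hypothetical, and the clearance table stands in for a decision that would come from the IAM solution.

```python
# Constructed policy for illustration; every name below is hypothetical.
LEVELS = {"public": 0, "operational": 1, "personal": 2}

# Fields each device type needs in order to function, with their classification.
REQUIRED_FIELDS = {
    "smart_bulb": {"lamp_hours": "operational", "fault_code": "operational"},
    "toothbrush": {"brush_seconds": "personal", "battery_pct": "operational"},
}

# Highest classification each recipient is authorized (by IAM) to receive.
RECIPIENT_CLEARANCE = {"owner_app": "personal", "vendor_service": "operational"}


def minimise(device_type, reading):
    """Keep only allowlisted fields; also report which fields were discarded."""
    allowed = REQUIRED_FIELDS.get(device_type, {})
    kept = {k: v for k, v in reading.items() if k in allowed}
    dropped = sorted(set(reading) - set(kept))
    return kept, dropped


def forward(recipient, device_type, reading):
    """Return (payload, audit) for one recipient; unknown recipients get nothing."""
    kept, dropped = minimise(device_type, reading)
    clearance = RECIPIENT_CLEARANCE.get(recipient)
    payload, withheld = {}, []
    for field, value in kept.items():
        level = REQUIRED_FIELDS[device_type][field]
        if clearance is not None and LEVELS[level] <= LEVELS[clearance]:
            payload[field] = value
        else:
            withheld.append(field)
    # The audit record is what lets the owner see what was forwarded, and to whom.
    audit = {"recipient": recipient, "sent": sorted(payload),
             "withheld": sorted(withheld), "not_collected": dropped}
    return payload, audit
```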

Security, privacy and compliance issues are the main barriers to IT adopting IoT. However, with careful consideration, these concerns can be mitigated and the devices and sensors secured. One of the key points is to design and build in security and privacy, and not to put convenience before security. However, as always, well-implemented IoT security will be simple and transparent to the consumer. It should be designed to match the IoT model of sensors, connectivity and processes.