Internet of Things Security and Privacy Challenges
There is one huge problem with IoT however, and reading our previous section may well have alerted you to this.
For manufactures, vendors and marketers, this availability of consumer data flowing from the devices to their CRM and analytic engines is wonderful. However, there are serious privacy issues.
Now it is important we do not trivialize these issues because for some consumers — and probably a large percentage — IoT’s incessant data gathering and propagation will actually lead to a more stressful life rather than be beneficial.
A brief example, consider the following:
- Having IoT devices such as a smart car self-diagnose a potential fault and send data to the service centre so that they can arrange an appointment for repair
- Having light bulbs automatically reorder replacements when they sense an imminent failure
- Having your toothbrush notify your dentist of a potential cavity so that he/they can arrange an appointment
These scenarios may sound like some utopian dream to the wealthy. However, it is not likely to be seen that way by those that struggle to make ends meet financially every month. Indeed for the financially challenged, it is likely to be more stressful than beneficial.
Certainly, it will allow people to be more proactive in organizing their lives.
However, when struggling financially during the weeks before payday, will that person want the vehicle service center, dentist and hardware store pestering them for business?
Furthermore, let us consider smartphones, these are real existing ubiquitous IoT devices, packed with sensors and communication channels. When smartphones were initially introduced, they found wide acceptance by the public.
This public acceptance came without them actually being aware what these devices were doing in the background. Only a few consumers know for example that many mobile applications could switch on the camera and microphone, or ascertain the owner’s GPS location to effectively spy on them.
Developers receiving this data through back channels could tell where that person was, how fast they were moving, what they had been browsing, on what brand and model of phone they were using.Subsequently, the app developers realized there was a market for this data, as advertising agencies would pay for this information as it enabled them to focus their advertising on current location.
Here lies one of the major inhibitors to IoT adoption, the inherent issue with IoT security and privacy.The point here is that many consumers were unaware that their smartphone was collecting and forwarding their personal data to the application developers or subsequently to marketing houses.Consumers are no longer naïve they have learnt from the smartphone experience and they want to know how can vendors secure the data and protect their privacy without effectively disabling the device?
Security, privacy and safety concerns are the largest single barrier to IoT and M2M technology adoption with regulation and compliance issues a close second on the list.However, both of these are key components of identity and access management and that is one of the major clues to how we go about addressing both these concerns.
The Challenges need to address the common paradox of security versus convenience. The individual issues are:
- Device identification
- Device authorization
- Device user-association
- Classification of the data
The latter item involves determining the nature of the data collected, stored and forwarded by the devices as that will determine the priority and security levels. However, in order to find a solution, we will need a technique that has low human intervention, as that would defeat many of the goals of IoT.
Other challenges that arise that are not unique to IoT but are also not suitable, though considered traditional security measures, are due to devices having the following characteristics:
- Low resources
- Low encryption capabilities
- Limited clock synchronization
- Limited upgrade capacity
These characteristics of low processor and memory resources are major challenges as encryption even on modern PC and Laptops consume large amounts of available resources handling encryption.
Similarly, for encryption to be effective in the TCP/IP digital world there has to be connectivity to exchange keys and synchronization between devices in order to know when to refresh the keys.
Although the challenges of IoT security differ from traditional network security, due to the size and capabilities of the devices, the actual security design goals remain the same.
- Design in security — don’t try to add it later
- Keep security simple
- Use existing standards
- Security by obscurity is no security at all
- Encrypt all sensitive data at rest and in transit
- Use existing tested cryptographic blocks
- Always implement Identity and Access Management — it is not optional
- Develop a realistic threat plan through diligent risk assessment
- For network security the goals and techniques are the same as with traditional networks, in so much as you should limit the open ports to only those strictly necessary.
- Also, test for vulnerabilities and mitigate common exploits such as buffer overflows and DoS attacks. It should also be assumed that the devices are both accessible from the internal and external networks and treat threats as such.
- Other common security steps should be to ensure default settings are changed and strict authentication applied via an IAM solution.
- The use of Identity Access Management is vital in IoT due to the potential size of the networks — there may be thousands of nodes.
Furthermore, in IT and business scenarios IoT will have to meet the same stringent regulatory compliance measures as any other IT device.
Intrusion monitoring can alleviate much of the pain, and save a lot of money and man hours, which would be otherwise spent manually trying to administer, audit and report on compliance and regulatory issues. Authenticating and authorizing devices goes a long way to securing an IoT network.
However, one of the most common failing regards network security is not with the devices themselves but with the data in transit.
Often either the front or the backend traffic is transported unencrypted leaving it susceptible to interception and replay through man in the middle attacks. For that reason, traffic should always be encrypted between devices using secure channels that use strong keys with good length and good algorithms.
Privacy differs from security in so much as security’s task is to secure the confidentiality, integrity and availability of the data.
However, security doesn’t really care what the contents of the data are and this is where privacy comes into play.
Privacy concerns itself with devices only extracting information about their environment that is relevant to their function. Therefore, when we implement privacy we need to consider:
- Collect only the minimum necessary data that allows a device to function
- Do not collect information ‘on the fly’ the owner of the device should be
- aware what data is being collected, stored and forwarded, and why
- Ensure any collected data is encrypted
- Ensure the device properly protects personal data
- Ensure IAM provides authorization to forward data to other nodes or third parties
- Ensure there are no backdoors or back communication channels to vendors, developers or manufacturers Security, Privacy and compliance issues are the main barriers to IT adopting IoT.
However, with careful consideration, these concerns can be mitigated and the devices and sensors secured. One of the key points is to design and build in security/privacy and don’t put convenience before security.
As always, well implemented IoT security will be simple and transparent to the consumer. It should be designed to match the IoT model, of sensors, connectivity and processes.
Sensors, Connectivity and Processes
The IoT model is driven by a combination of sensors, connectivity, people and processes. In some definitions, people are also ‘things’ as they are often the intelligent decision making component at the heart of the system.
IoT relies on sensors to provide data about their environment they are the central nervous system of the IoT network.
These sensors can be the eyes and ears, cameras and microphones, or provide details of the environment through humidity, temperature, chemical, liquid level and pressure sensors.
They can provide information on objects such as acceleration, proximity, motion and velocity.
In short there are sensors to just about anything you want and that you want and what is more they are miniaturized to such an extent that a fully functional microprocessor with a radio antennae can be constructed to be only 1mm x 1mm x 1mm.
Similarly, a fully functional camera with radio antennae is of the same dimensions. It is the advance in sensor miniaturization, which has enabled IoT to be feasible in applications such as medicine and science.
Another technical enabler to IoT is advances in connectivity through both wired and wireless technology. Wi-Fi is now ubiquitous in the home and workplace.
However, it is the longer distance GSM/3G/LTE radio networks, which enable long distance, and wide coverage connectivity that is necessary for data backhaul and remote access.
However, sensors need lightweight IP protocols to communicate over short distances and the choice of connectivity typically is:
Different devices from vendors use different technologies so hubs are necessary to interconnect diverse protocols however these can be simply home routers or even smartphones.
People and Processes
Sensors and connectivity provide the technology foundation to create bi-directional systems that integrate data, people and processes to enable better decision making.
People driven applications are typically CRM, Financial, Logistics, Maintenance, Asset Management, Retail, Building Management, Fleet Management and Analytics.
Process driven applications, are in control & automation, supply chain management, security, environmental control, energy efficiency and traffic management.
The combination of sensors, connectivity and people & processes has lead to some distinct vertical markets such as:
- Home Consumer — infotainment, lights, heating/AC, pet feeding, refrigerators, cookers …
- Transport — trains, planes, cars, buses, telemetric, shipping, parking, traffic control …
- Health — elderly monitoring, remote diagnostic, bio-wearable’s, equipment monitoring …
- Buildings — HVAC, Lighting, Occupancy, structural integrity, emergency alerts, elevator …
- Cities — emergency services, surveillance, maintenance, waste management, signage etc
As simple as it sounds, with careful implementation and back-to-basics approach IoT is not that tricky after all!