Internet of Things Security and Privacy Challenges
However, there is one massive problem with IoT, and reading our previous section may have alerted you to this.
For manufacturers, vendors, and marketers, this availability of consumer data flowing from the devices to their CRM and analytic engines is lovely. However, there are serious privacy issues.
Now we mustn’t trivialize these issues because for some consumers — and probably a large percentage — IoT’s ongoing data gathering and propagation will lead to a more stressful life rather than be beneficial.
For a brief example, consider the following:
- Having IoT devices such as smart cars self-diagnose a potential fault and send data to the service center so that they can arrange an appointment for repair
- Having light bulbs automatically reorder replacements when they sense an imminent failure
- Having your toothbrush notify your dentist of a potential cavity so that he/they can arrange an appointment
These scenarios may sound like some utopian dream to the wealthy. However, it is not likely seen that way by those struggling to make ends meet financially every month. Indeed for the financially challenged, it is likely to be more stressful than beneficial.
Indeed, it will allow people to be more proactive in organizing their lives.
However, when struggling financially during the weeks before payday, will that person want the vehicle service center, dentist, and hardware store pestering them for business?
Furthermore, let us consider smartphones. These are existing ubiquitous IoT devices packed with sensors and communication channels. When smartphones were initially introduced, they found wide acceptance by the public.
This public acceptance came without them being aware of what these devices were doing in the background. For example, only a few consumers know that many mobile applications could switch on the camera and microphone or ascertain the owner’s GPS location to spy on them effectively.
Developers receiving this data through back channels could tell where that person was, how fast they were moving, what they had been browsing, on what brand and model of phone they were using. Subsequently, the app developers realized there was a market for this data, as advertising agencies would pay for this information as it enabled them to focus their advertising on their current location.
One of the major inhibitors to IoT adoption lies in the inherent issue with IoT security and privacy. The point here is that many consumers were unaware that their smartphone was collecting and forwarding their data to the application developers or, subsequently, to marketing houses. Consumers are no longer naïve they have learned from the smartphone experience, and they want to know how vendors can secure their data and protect their privacy without effectively disabling the device.
Security, privacy, and safety concerns are the most significant single barrier to IoT and M2M technology adoption, with regulation and compliance issues a close second on the list. However, both of these are critical components of identity and access management, which is one of the significant clues to how we address these concerns.
The Challenges need to address the standard paradox of security versus convenience. The individual issues are:
- Device identification
- Device Authorization
- Device user-association
- Classification of the data
The latter item involves determining the nature of the data collected, stored, and forwarded by the devices, which will determine the priority and security levels. However, to find a solution, we will need a technique with low human intervention, as that would defeat many of the goals of IoT.
Other challenges that arise that are not unique to IoT but are also not suitable, though considered traditional security measures are due to devices having the following characteristics:
- Low resources
- Low encryption capabilities
- Limited clock synchronization
- Limited upgrade capacity
These characteristics of low processor and memory resources are significant challenges as encryption, even on modern PC and Laptops, consumes large amounts of available resources handling encryption.
Similarly, for encryption to be effective in the TCP/IP digital world, there has to be connectivity to exchange keys and synchronization between devices to know when to refresh the keys.
Although the challenges of IoT security differ from traditional network security due to the size and capabilities of the devices, the actual security design goals remain the same.
- Design in security — don’t try to add it later
- Keep security simple
- Use existing standards
- Security by obscurity is no security at all
- Encrypt all sensitive data at rest and in transit
- Use existing tested cryptographic blocks
- Always implement Identity and Access Management — it is not optional
- Develop a realistic threat plan through diligent risk assessment
- For network security, the goals and techniques are the same as traditional networks, so you should limit the open ports to only those strictly necessary.
- Also, test for vulnerabilities and mitigate common exploits such as buffer overflows and DoS attacks. It should also be assumed that the devices are both accessible from internal and external networks and treat threats as such.
- Other standard security steps should be to ensure default settings are changed and strict authentication applied via an IAM solution.
- Identity Access Management is vital in IoT due to the potential size of the networks — there may be thousands of nodes.
Furthermore, IoT will have to meet the same stringent regulatory compliance measures as any other IT device in IT and business scenarios.
Intrusion monitoring can alleviate much pain and save a lot of money and man-hours, which would be otherwise spent manually trying to administer, audit, and report on compliance and regulatory issues—authenticating and authorizing devices go a long way to securing an IoT network.
However, one of the most common failures regarding network security is not with the devices but with the data in transit.
Often, the front or the backend traffic is transported unencrypted, leaving it susceptible to interception and replay through man-in-the-middle attacks. For that reason, traffic should always be encrypted between devices using secure channels that use strong keys with good length and good algorithms.
Table Of Contents
Privacy differs from security in so much that security’s task is to secure the data’s confidentiality, integrity, and availability.
However, security doesn’t really care what the contents of the data are; this is where privacy comes into play.
Privacy concerns itself with devices only extracting information about their environment relevant to their function. Therefore, when we implement privacy, we need to consider the following:
- Collect only the minimum necessary data that allows a device to function
- Do not collect information ‘on the fly” the owner of the device should be
- aware of what data is being collected, stored, and forwarded and why
- Ensure any collected data is encrypted
- Ensure the device adequately protects personal data
- Ensure IAM provides authorization to forward data to other nodes or third parties
- Ensure there are no backdoors or back communication channels to vendors, developers, or manufacturers Security, Privacy, and compliance issues are the main barriers to IT adopting IoT.
However, with careful consideration, these concerns can be mitigated, and the devices and sensors secured. One of the key points is to design and build in security/privacy and not put convenience before security.
As always, well-implemented IoT security will be simple and transparent to the consumer. It should be designed to match the IoT model of sensors, connectivity, and processes.
Sensors, Connectivity, and Processes
The IoT model is driven by sensors, connectivity, people, and processes. In some definitions, people are also ‘things’ as they are often the intelligent decision-making component at the heart of the system.
IoT relies on sensors to provide data about their environment. They are the central nervous system of the IoT network.
These sensors can be the eyes and ears, cameras and microphones, or provide details of the environment through humidity, temperature, chemical, liquid level, and pressure sensors.
They can provide information on acceleration, proximity, motion, and velocity.
In short, there are sensors for just about anything you want and want. Moreover, they are miniaturized to such an extent that a fully functional microprocessor with radio antennae can be constructed to be only 1mm x 1mm x 1mm.
Similarly, a fully functional camera with radio antennae has the exact dimensions. The advance in sensor miniaturization has enabled IoT to be feasible in applications such as medicine and science.
Another technical enabler of IoT advances in connectivity through both wired and wireless technology. Wi-Fi is now ubiquitous in the home and workplace.
However, the longer-distance GSM/3G/LTE radio networks enable long-distance and comprehensive coverage connectivity that is necessary for data backhaul and remote access.
However, sensors need lightweight IP protocols to communicate over short distances, and the choice of connectivity typically is:
Different devices from vendors use different technologies, so hubs are necessary to interconnect diverse protocols however these can be simply home routers or even smartphones.
People and Processes
Sensors and connectivity provide the technology foundation to create bi-directional systems that integrate data, people, and processes to enable better decision-making.
People-driven applications are typically CRM, Financial, Logistics, Maintenance, Asset Management, Retail, Building Management, Fleet Management, and Analytics.
Process-driven applications include control & automation, supply chain management, security, environmental control, energy efficiency, and traffic management.
The combination of sensors, connectivity, and people & processes has led to some distinct vertical markets, such as:
- Home Consumer — infotainment, lights, heating/AC, pet feeding, refrigerators, cookers …
- Transport — trains, planes, cars, buses, telemetric, shipping, parking, traffic control …
- Health — elderly monitoring, remote diagnostic, bio-wearable’s, equipment monitoring …
- Buildings — HVAC, Lighting, Occupancy, structural integrity, emergency alerts, elevator …
- Cities — emergency services, surveillance, maintenance, waste management, signage, etc
As simple as it sounds, with careful implementation and a back-to-basics approach, IoT is not that tricky!