IoT, Security and Privacy

This is a lightly edited transcript (in three parts) of a docent lecture given by Andreas Jacobsson, IOTAP, Malmö University.

Threats and Betrayal on the Internet | Andreas Jacobsson docent lecture.

I would like to introduce you to the issues of security and privacy in the domain of Internet of Things (IoT) — what we could call the “dark side” of IoT.

What is IoT?

Basically, it’s when everything is connected or rather everything that benefits from being connected is connected. In this sense, connectivity is ubiquitous — it’s connecting everything, everywhere, all the time. This is done mainly for two reasons: The first and foremost is that we have knowledge about how to do it; the second is that this technology has become affordable.

IoT more precisely

If you were to describe IoT in more detail, I would say that IoT is a network of interconnected objects that process data. That means that IoT is highly specialized and often embedded in things such as jackets, shoes or coffee-brewing machines. By that, IoT is also a user-oriented paradigm. And since IoT is so “playful”, it’s also an area where there are multiple stakeholders involved, representing multiple different perspectives, adding a very complex digital ecosystem of actors.

IoT is usually integrated in legacy systems or in an independent infrastructure. When we talk about IoT, we actually talk about a cyber-physical system; that is, a system where the digital side of things enters the physical side of things. As it is a part of the Internet family, you can also say that it inherits all the characteristics from this sort of old-school Internet, and by “old-school” Internet I primarily mean when you sit by your computer and interact with the Internet.

In this domain, obviously, there are just as many application areas as there are physical application areas in the world. I mentioned a few here, for instance homes: When a home gets connected to the Internet, it becomes a smart home. The same goes for cars and sports. Instead of doing sport monitoring and governing your sport activities in a lab environment, where you have people in white lab coats overviewing your activities, you can simply go out and run or play on the field and have equipment attached to you that measures your performance and help you understand how to improve your health or your performance. The same goes with healthcare.

And I was adding this morning “kids’ toys” to this list because I suddenly remember that my oldest daughter plays with a doll that she also plays with through an app in her mobile phone. And not only that, she plays with some of her friends who has the same sort of doll so they can really play together even though they’re not sitting in the same room.

Internet of everything and everywhere

If it’s still not clear, I would like to remind you of some interesting updates on “the Internet of everything and everywhere.” You see a lot of predictions about how big the Internet of Things will be, but we can say that at the end of 2012, around 8.7 billion things were connected to the Internet. In 2020, some institutes predict that there will be 50 billion connected devices and 8 billion people on this planet. However Ericsson, for instance, assumes that by 2030 there will be 500 billion devices given the development of 5G. No matter what figures you look at, we can conclude that there are quite many connected devices in the world today, and there will be even more — so many that it will be difficult to comprehend.

However, in a recent report, Accenture (a management consulting services company) found that the majority of people have not yet heard of the term Internet of Things (87 percent of those asked had no acquaintance with this term). This is interesting, especially since the term was added to the Oxford Dictionary as late as in August 2013. And I think they also provide a very crisp definition of IoT. They say that the Internet of Things is “The interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.”

If you want to find connected things, you tend to not be able to go to Google. Instead you might turn to the world’s first search engine that finds connected things around the world, and that’s Shodan. Even though it’s a bit complex to use, when you get used to it, you can not only find stuff but you can also play around with them.

By 2020, a quarter of a billion vehicles will be connected to the Internet, giving us completely new possibilities for in-vehicle services, automated driving and car safety.

90 million people will live in smart homes by the end of next year. Having a connected kitchen could save the food and beverage industry as much as 15 percent by 2020. By sharing information about what and how much we eat and drink, we can learn about what really needs to be produced and where it needs to be distributed to.

In 2015, more than 1.4 billion smartphones were shipped. By 2020, we will have a staggering 6.1 billion smartphone users. Today, nearly 60 percent of consumers that shop online use smartphones to shop. The interesting thing is that shopping through the smartphone has proven to fortify customer loyalty, and this is something that online companies have been struggling with for years; that is, finding ways of strengthening customer loyalty so that they will return to their online store as a customer.

While these are not only interesting but also quite positive facts, I would like to remind you that a recent study shows that more than 80 percent of the connected devices that they investigated leaked private information such as name, email, home address, bank account details, and health data. And I can only confirm this: One and a half years ago, we had a student project where students tried to eavesdrop on information that was sent through IoT sports equipment such as Fitbit, and they could easily get hold of personal information, movement tracking, etc.

What’s the difference?

Having said all this, if you compare the new Internet of Things paradigm with the old traditional Internet where you interact through mainly a computer — is there a difference? And what is the difference? I can think of at least five:

1. The fact that there is a device. IoT is truly a hardware-intense computer paradigm. And, in that sense, ease-of-use is almost always at odds with security, especially when it’s such user-oriented as it is in the IoT.

2. The longevity of the device. Updates are definitely harder to make than when you update software in a computer, and sometimes they are impossible.

3. The size of the device. With small computing devices integrated in for instance an environment such as the home, there are limited capabilities, and this is especially something that has an effect on the level of crypto that can be enforced in such a system. And crypto is really important in terms of security. It’s the closest thing to a silver bullet you get in the security area, so encryption solves many of the problems that we otherwise would have difficulties in managing in terms of security.

4. The data. When there are tons of connected devices that constantly overlook or read interactions in an environment, there’s a lot of data that is going to be gathered, and since the data often concerns people, the data is often highly personal and thus very sensitive.

5. The final difference here might be the mindset. Appliance manufacturers don’t always think like established software developers do in terms of, for instance, security and quality criteria in the development phase. Quite the contrary, actually. And the embedded systems that make out the Internet of things, they are often developed by grabbing existing chips and designs, etc, and who knows what sort of quality or security criteria that has been involved in the development process there.

Cool! So, what’s wrong?

These four things spring to mind.

1. Pervasiveness. As we’ve seen in the predictions from Ericsson, Cisco or Forbes, you won’t have one (1) Internet of Things connected device. You’ll have ten, or twenty, or two hundred, and that’s really a lot of new attack surfaces to your life, your business, your home or your car.

2. Uniqueness. Something that we learned to manage in the old-school Internet is to make generalized security protection measures; that is, if it works on one Mac, it usually works on every Mac. The same goes, in principle, for the IoT, but since IoT devices are a Wild West of mixed technologies, uniqueness makes it hard to enforce security. And how do you patch firmware in this multitude of devices, and which random vendor made the hardware inside this or that device you were using? And again, what type of security criteria was used?

3. There’s also an ecosystem perspective here. The vendor you might be using maybe leverages six or sixteen or sixty-six other vendors. Where is your data going once it has entered that IoT device, and who has access to your network via the proxy connections that you have enabled?

4. In a scenario of rapid development, fierce competition and a dynamic ecosystem — who has the time or energy to think about security?

There’s a shift underway

The IoT growth that we’re expecting will not just be from large vendors such as Belkin, Google or Ericsson. There are a lot of organizations out there, for example Postscapes, Iotlist and Wolfram Alpha, that list some hundred or even thousands of IoT-related companies. Many of the new IoT devices that we will be using are produced by crowdfunding websites where users go together to fund the development of new, cool stuff that we all want to use. As a final note here, entrepreneurs, the ones that are driving this development, are likely to have no experience with security whatsoever nor the budget to afford help.

IoT security concerns

Security is all about the protection of something from harm caused by someone or something.

1. Objects are small, everywhere and connected. This means that the connected objects are prone to environmental influences. They can be found in unprotected places such as shops and stores and thereby encounter unnoticed manipulation. And since the possibilities for calculation and memory power are so weak, it means limited means for crypto.

2. The objects are working autonomously. At least to some extent, they’re acting without user awareness or even control.

3. Cyber attacks increasingly physical. In the old-school Internet, cyber attacks were mainly digital or vertical. Cyber attacks in an IoT connected scenario — where more and more of all of the everyday items that we interact with are connected to the Internet — get increasingly physical. Just take the example of the computer system in smart cars that was vulnerable to on-board attacks, which was very popular in the media reporting on IoT a few years back. If you think about it, traveling in an Internet of Things-connected car is really like traveling in a big Internet connected computer. And the same goes for airplanes.

4. In short, this is an attacker’s dream.

IoT privacy concerns

Privacy is a very difficult concept to define and even more difficult to translate. Most languages don’t have a truly properly reflecting definition of privacy. Swedish is one such language. But in English, we usually say that privacy is “the right to be let alone”.

1. A data explosion. With the IoT, where there are multiple connected sensors and actuators and things around us that constantly collect data about us and distribute that data, there is an explosion of data. There are massive amounts of data; there are more data available than the world has ever seen before.

2. A single object can reveal lots of information about the specific individual. And since it’s information about an individual, many times it’s personal and thus it’s sensitive. We now see more means to spy on people, for instance in their own homes, than the world has ever seen before.

3. IoT also introduces new ways of collecting and processing such information from objects. That can be the collection of data from different sources, for instance in a home. If you have access to that data, you can correlate and associate information and thus create rather extensive information portfolios on the people living in that home. And that means that the abuse potential is higher than ever.

4. There’s also a lot of the decisions about the personal information that takes place without the user’s awareness or control. So where does that leave privacy “as the right to be let alone”?

IoT privacy challenges

Privacy has an ethical side. We, the human population of the Earth, have agreed that there are some principles that “the right to be let alone” must be reflected in accordance with. An easy way of getting into these privacy principles is simply asking these questions:

1. How do you obtain informed consent? This is really the foundation for sharing personal information, or for a company to be able to use and take advantage of personal information that they collect about customers. They need the customer’s informed consent in order to do that.

2. How can individuals have overall control over their data? On the user’s side, you need to be able to control the data that is being collected, and you also need to be able to erase the data. How do you do that in an Internet of Things connected scenario where there are multiple systems with multiple sensors that collect and distribute information about your movements, for instance, in a house or in a home?

3. Who is responsible? How can rights be exercised? If information is collected, who then is responsible? How can your rights be exercised? I mean this is difficult as it is in the old-school Internet; moving into in a scenario of Internet of Things, that complexity increases.

4. How can data be safeguarded? You need to be able to trust that the company that you share your data with can actually take responsibility and safeguard your data so it won’t end up in the hands of malicious actors. And if attacks do occur, how do you detect them? How do you even detect espionage activities that might take place in the home? How do you overview or evaluate damages?

You just read Part 1: IoT, Security and Privacy. Also read Part 2: On Privacy and Security in Smart Homes and Part 3: Security in Agile Software Development.

Andreas Jacobsson leads the IOTAP project Intelligent Support for Privacy Management in Smart Homes (iSMASH).