Internet of Things Security and Privacy Concerns
“Internet of Things” was first coined by the co-founder and Executive Director of MIT’s Auto-ID lab, Kevin Ashton in the mid-1990s1. Major vendors and technology leaders are announcing initiatives to leverage the Internet of Things’ opportunities, and define IoT differently, according to each of their area of specialty. Nevertheless, there are salient attributes across array of definitions, such as sensors, things, people, process, automation, data, network, connectivity, convergence, and intelligence. Hence, Internet of Things can be defined as “Intelligent interactivity between human and things to exchange information & knowledge for new value creation”.
Characterising IoT by referencing the number of connected devices or connection is oversimplifying the phenomenon. IoT is a complex eco-system encompassing all aspects of the Internet, including analytics, the cloud, application, security and much more. Technologically, connecting things to the Internet can be accomplished with the existence of three main technology components (Figure 1), namely physical devices and sensors (connected things), connection and infrastructure, and analytics and applications.
Physical devices and sensors are able to gather and sense first-hand and multidimensional information, and evidence of the objective condition of an event autonomously without human intervention. In addition, when devices function to capture information with embedded intelligence, devices can act and react. Environment context will then be modified and the devices will respond differently. As such, this circular process will be repeated continuously.
Connection and infrastructure, such as cloud, security, storage, security, privacy and processing, facilitate continuous, real-time data and information flow and feedback loops.
Figure 2: Internet evolution2 Analytics and applications transform sensor-generated information to a new and key source of knowledge for action-taking. They enable users to leverage the large amount of data gather, converge information for further analysis provides actionable insight for the enterprise for productivity enhancement, offer unique solutions, and enhance life experience. Figure 1: Components of the Internet of Things18
The Internet has evolved (Figure 2) to become an ever more pervasive and critical infrastructure underpinning society and commerce around the globe. In 1990, with the creation of worldwide web (a method of publishing information on the Internet) by Tim Berners-Lee, Internet became the richest source of information, and since then the number of websites has exploded. Yesterday’s Internet was a universe of interlinked human and creates new generations of interactive experiences. Internet usage had exploded since 1995 to reach the first billion users in 2005. The second billion was in 2010, and the third billion is expected to be reached by the end of 20142. The next phase of the Internet will be IoT: a world of networked smart devices equipped with sensors, connected to the Internet, all sharing information with each other without human intervention.
Table 1 : Usage prediction of IoT
With the rise of connected devices and connected individuals, technology experts forecast four interwoven and interaction technology pillars which will fuel and shape the IoT, namely big data, cloud, social media, and mobile devices and things.
With the variety and enormity of data and information collected by the sensors, Big Data technologies will be the cornerstone in extracting meanings and insights of this exponentially increased data, which will enrich the user experiences and enable new business processes and models.
Cloud serves as delivery platform of information and functionality to users. Cloud allows information and knowledge to be accessed and delivered to anyone, anytime and anywhere.
Social media is transforming interaction and communication modes between individuals in new and unexpected ways. Information will be sourced from physical movement and interactions happening in the Web 2.0. Interconnected societal promote engagements, share information, collaborate and innovate.
Mobile devices/things are the platforms of social communication and network in both personal and work spheres. With the diminishing cost of device that drives the revolution of sensors and connected things, data capturing is no longer restricted by locations and a single dimension. Data collection process escalated both in speed and scale and multi-dimensional variables can be captured simultaneously within the same environment.
Several challenges need to be addressed in order to encourage higher growth rate of IoT and subsequently provide opportunities for Universities and the industry to capture new competencies and capacities Several thematic challenges have been identified from various stakeholders of the IoT ecosystem.
Infrastructure is the catalyst to reach an interoperable, trustable, mobile, distributed, valuable, and powerful enabler for emerging applications such as Smarter Cities, Smart Grid, Smart Building, Smart Home, Intelligent Transport Systems, and ubiquitous healthcare, to name a few. The massiveness of sensors and smart things to be connected to the Internet will pressure the adoption of IPv6, which is a technology considered most suitable for IoT, as it offers scalability, flexibility, tested, extended, ubiquitous, open, and end-to-end connectivity11.
The tremendous volume of data that pours in from devices presents a huge challenge for service providers in the IoT ecosystem. Big Data solutions will be instrumental in overcoming this challenge by giving IoT service providers the capacity to analyse data, and discover relevant trends and patterns. Issues including privacy related to personal data, and data sharing12 will emerge, denoting the importance of trust in establishing the ecosystem that supports consumers in donating their data for public good.
Connected devices can communicate with consumers, transmit data back to service providers, and compile data for third parties such as researchers, health care providers, or even other consumers. The supply chain of information in the era of IoT brings new challenges for regulators, enterprises and consumers. Findings from TRUSTe Internet of Things Privacy Index reveal that UK consumers’ comfort level varies widely depending on responsibility, ownership and usage of collected personal data13.
The IoT revolution is already under way. ‘Things’ (for example, everyday objects, environments, vehicles and clothing) will have more and more information associated with them, and are beginning to sense, communicate, and produce new information, to become an integral part of the Internet. Added value services using the IoT could reach £200bn a year worldwide14, with new business models, applications and services developing across different sectors of the economy. These will also stimulate innovation and growth in areas such as components, devices, wireless connectivity, system integration and decision-support tools.
As more connected devices join the IoT ecosystem, researchers has run a range of security tests to expose IoT vulnerabilities, and make the world aware of the potential security concerns of connecting devices without proper security measures. The key threat vectors are described as below:
Since many devices contain inherent values by their design and nature of functions, a connected device presents a potential target to be exploited by an attacker. A connected security camera could expose personal information, such as user’s location when compromised. As devices will be trusted with the ability to control and manage things, they are also capable of impacting things. This could be something as simple as controlling the lights in house or business premises, or something as malicious as controlling an automobile or medical device in a way that could cause physical harm.
Threat over communication link involves monitoring and intercepting messages during a communication session. Due to the volume and sensitivity of data traversing the IoT eco-systems, attacks of targeting communication link are especially dangerous, as messages and data might be intercepted, captured, or manipulated while in transit. For example, an attacker could track the energy usage to learn of the downtime or uptime of a system (for example business premises) to plan an attack on the entire core smart cities command & control systems; the other attacker could manipulate the data transmitted to the utility company and alter the information. Successful breaches, such as these examples, may compromise the trust in the information and data transmitted across IoT infrastructure. Manipulation of Connected Cars Security researcher Chris Valasek and Charlie Miller15 in their research discovered the vulnerability of connected cars. The duo experimented a Toyota Prius and a Ford Escape and plugged the exploits tools into the vehicle’s diagnostic port. This allowed the team to manipulate the cars headlights, steering, and breaking systems. Threats to Medical Devices Security researchers Scott Erven16 and his research team released the results of a two-year studies on the vulnerability of medical devices. The results demonstrated the possibility of remote manipulation of medical devices, including those that controlled the dosage levels for drug infusion pumps and connected defibrillators. The results exposed the severity of threats posed to the security of patients and medical system. Threat on the Master Threats against IoT device manufacturer and cloud service providers have the potential to compromise the entire IoT ecosystem, as manufacturer and IoT cloud are entrusted with hosting trillions amount of data, some of which is highly sensitive by nature. This data is important because it represents an analytics, which is a core, strategic asset, it is a significant amount of competitive information in the eyes of underground APT group if exposed. If the Master is compromised, this would give the attacker opportunity to manipulate many devices at once, some of which may have already been deployed in the field. For example, if a provider who issues frequent firmware / software have the mechanism compromised, malicious code could be introduced to the devices.
IoT will be a game changer in many aspects. At the fundamental level, IoT security depends on the ability to identify devices, protect IoT hosting platform, and protect the data that the devices capture and share:
A trusted device is required to be reliably identifiable and associated with a manufacturer or provider. The devices should be able to communicate with the intended hosting services.
A trusted master must have secure communication with dependent sensor devices, and issue firmware/software updates to those devices in a way that provides assurances that the code is authentic, unmodified and non-malicious.
As sensitive data in-transit travels through the IoT cloud hosting, it should be encrypted in network layer to prevent interception. Likewise, stored data should be in active-active mode and seamlessly encrypted to avoid data theft.
Given that the IoT is built on a network of uniquely identifiable devices, public key cryptography plays a huge role in establishing trusted identities in the IoT. The Dangers of the Smart Grid Security researchers Scott Erven16 his research team released the results of a two-year studies on the vulnerability of medical devices. The results demonstrated the ability to remotely manipulate devices, including those that controlled dosage levels for drug infusion pumps and connected defibrillators. The results of their work exposed serious threats to the health record and safety of patients. Public key cryptography19 is based on the concept of a special and unique relationship between two distinct keys that are used to encrypt data. One of the keys is made public (the public key) and the other is kept private (the private key). Only when the two are put together is the relationship seen to be true. It is also known as asymmetric encryption because it uses one key to encrypt and a related key to decrypt. This is effectively done by a Certification Authority (CA) issuing a digital certificate to confirm the authenticity of the device. Similarly, a digital certificate contains several fields that help to establish and validate the identity of a device or system as it relates to a corresponding public key. These certificates will be used to identify devices, sign firmware / software updates, and facilitate encrypted communications.
The entire identity infrastructure described above is built upon the foundation of public and private keys. It is necessary to make the public keys freely available, but the private keys, however, must be kept secret and secure, or else the credibility of the key in securing an identity is compromised. Figure 3: Security Model for IoT18 The secure generation and storage of these keys is therefore paramount (Figure 3). PKI should be secure by design and ideally implemented in or protected by tamper-resistant hardware. A root of trust effectively creates a barrier between software on the server and cryptographic key material. This approach greatly mitigates the attack vector which seeks to access sensitive cryptographic keys.
The sensitivity of data collected, transmitted, and stored as a result of IoT necessitates the use of encryption to secure that data. Encryption plays a vital role in securing data when being passed between devices over the cloud. • Data-at-Rest Protection Encrypting data is all about providing scalable, cost-effective storage, and fast processing of large data sets that facilitates the availability and usage of the said data. Typically, this data will be stored in clusters spread across hundreds to thousands of data nodes. This data is largely unprotected, making each data node a potential entry point for a rogue insider or malicious threat, and leaves sensitive data in clear view should an unauthorised user or service gain access. This presents a tremendous, and potentially costly, risk for organizations. To overcome this challenge, organizations need to be able to lock down sensitive data at rest in big data clusters without impacting performance. Doing so requires transparent and automated file-system-level encryption that is capable of protecting sensitive data at rest on these distributed nodes.
Encrypting communication as data moves through the IoT ecosystem presents a unique challenge. As data moves from one location to another, it is highly vulnerable to attacks such as fibre tapping. An attacker can attach an evanescent fibre coupling device to the cable without detection. This allows the attacker to record all activity that runs across the network, and data is captured and stolen without the owner’s knowledge. Worst, this type of attack can also be used to change data, and has the potential to override the controls on the entire system. IoT communication over public networks will need to be secured in much the same way we protect other communications via the Internet. Transport layer security (TLS)20 is a good example of encryption protocols that could be used for this purpose. Encryption is also needed at the back-end infrastructure level of manufacturers, cloud service providers, and IoT solution providers.
Security at the device level, protecting the master, and encrypting communication links are critical to the secure operations of IoT. In addition, leveraging PKI for the IoT ecosystem will allow devices to implement uniquely authentication in order to counteract counterfeits. Securing IoT ecosystem does not require a revolutionary approach. The techniques that have proven success in modern IT environment can be adapted to address the challenges brought by IoT. Instead of searching for a new method, or proposing a revolutionary approach to security, universities and the industry should focus on delivering the current state-of-the-art security controls, and optimise the new and complex embedded applications to drive the further adoption of IoT. References
Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below: copyright@jucc.edu.hkf Joint Universities Computer Centre Limited (JUCC) c/o Information Technology Services The University of Hong Kong Pokfulam Road, Hong Kong Page Directory: sites -> default -> files -> services -> infosec -> awareness -> newsletters files -> Northern England’s set-jetting locations files -> Nstructions for Acquiring Excess Equipment online, through the 1033 Program files -> Occupational health and safety files -> The Black Panther Party’s Ten Point Program files -> International programs roel profile files -> Fermi Questions a guide for Teachers, Students, and Event Supervisors Lloyd Abrams, Ph. D. DuPont Company, cr&D/ccas experimental Station Wilmington, de 19880 files -> Personal Information Name: Maha Al-Ammari Nationality: Saudi Relationship Status newsletters -> Information Security Updates Mobile Security Best Practices for General User Download 47.77 Kb. Share with your friends: |