Dr Kevin Curran
With a multitude of consumer devices coming online, from fridges to home heating systems, the potential of IoT technology is undeniable. IoT devices can tell us what is stocked in our fridge, or who is ringing the front doorbell, from remote locations – homes are truly becoming connected. But despite all of the potential benefits and almost a decade of hype, a number of security and privacy concerns are beginning to arise.
In the rush to bring the technology to the mass market, the vital step of ensuring that security is adequately embedded has been neglected, and IoT devices have become an easy entry point for large-scale cyberattacks. Cyberattacks such as NotPetya and WannaCry have crippled entire organisations with denial of service attacks. The security of individual IoT devices is a concern, as a single vulnerable device could lead to an entire network being compromised. It is vital that users ensure their systems are protected at the device level, as any piece of hardware connected to the internet, even an air-conditioning unit or smart bulb, is a potential weak point to be exploited by a hacker.
Security of data is another major issue that IoT throws up. As we have seen from the issues with Facebook and Cambridge Analytica, consumers are becoming more aware of the data they produce and are concerned about how that data is being stored, handled and used. The use of personal data by third-party companies was once seen as part and parcel of using social media networks, but consumers now want ultimate control over their personal data and have become more vocal on the topic. As connected devices become commonplace and begin to collect more and more data on our daily habits, movements and health, the security of this data becomes increasingly important. This is particularly worrying when one considers that access to data from home smart locks, heating systems, lights and home appliances can allow hackers to know the times when home owners are not present.
As the industry evolves, the need for a standard becomes more important to ensure interoperability and security for the system as a whole. A standard would prevent most basic security breaches and keep infrastructure safe from low-level attacks. At this moment, there is no pressure on manufacturers of IoT devices to provide a roadmap for essential security updates. While breaches are inevitable, making it as difficult as possible for hackers is vital.
Data breaches have become far too frequent an issue in recent years for consumers to implicitly trust that their data is safe. The onus is now on the organisations that collect and handle the data to provide reassurances that customers’ data is either safely secured on a server or completely deleted. In both instances, consumers also need to have complete control over their data, able to access or delete their personal data with ease. IoT manufacturers need to develop privacy policies that outline in detail what data is being collected, how it will be processed and stored, and whether it will be shared with third-party partners. This is of course in line with GDPR and means that all IoT organisations, which previously would not have had to worry about such issues, will need to outline how they handle personal data, as even household appliances will soon be collecting data.
IoT will continue to grow at great speed, with more devices coming online and offering solutions to a number of known and unknown issues. The focus on the standardisation of process and security will need to catch up. It is vital for the future of IoT that the security of devices and data is guaranteed, not only to build public confidence in IoT but also to protect against future breaches of personally identifying data.
Connected devices make use of many communication technologies, from near field to far field, often utilising low-cost, always-on links. Without the proper controls, both on the wire and on the device, these connected devices can be, and often are, open to attack. Add to that the multitude of sensors present on a device and the repositories they are connected to, and we have not only a motive for prying eyes but realistic exploitation that delivers potentially sensitive information or controls to those not authorised to have them.
These devices are entities that process data and are very much in scope for privacy regulations. There are many governing laws around privacy. We had the Data Protection Act, now the GDPR, with ePrivacy coming next year. They apply to the data processors and data controllers who run or supply these devices and aim to protect the data subjects, or users. We see governments and unions introducing new laws in reaction to:
data controllers who have amassed huge amounts of data, considering it to be ‘the new oil’ but not adhering to local legislation.
increasing volumes of databases without proper controls and protections.
previous fines not being enough of a deterrent for some of the largest, most powerful entities who collect this data without following correct procedures.
Devices run software, and that software is designed to access, process and communicate data and to give access to functions. However, what can be, and often is, missed in the design stage, or incorrectly implemented in the realisation stage, is which data and functions the software should regulate or restrict access to. This is where the bad things happen. Proper control mechanisms must be enforced at all times via processes and policy. This is most effectively done through a deliberate software security initiative while carefully adhering to what are now globally active privacy regulations.