The risks of connected lives

Securing devices and data on the internet of things

Turn on the radio, set the timer for dinner, turn down the temperature, shut off the lights. With the internet of things (IoT), all of this is possible from the comfort of the couch or while sitting on the bus. As noted by a New York Times journalist, IoT makes homes, offices and vehicles “smarter, more measurable and chattier”.

An increasing number of devices in homes are now connected to networks

The research firm IoT Analytics estimates that in 2018 the total number of connected devices in use worldwide exceeds 17 billion, of which seven billion are defined as IoT devices (i.e. excluding smartphones, tablets, laptops and fixed line phones). It estimates that the number of IoT devices will reach 21,5 billion by 2025 although Business Insider offers even higher estimates, at more than 55 million IoT devices in use by 2025. While individual predictions may vary, the numbers remain high overall.

Defining IoT

The internet of things (IoT) refers to any device that can connect, collect and share data within a network. Generally, it is understood to be a physical object that is connected and controlled via the internet. According to IEC Electropedia, the internet of things is the “link between clearly identifiable physical objects (things) and services and a virtual representation in an internet-like structure”. Digital intelligence is added to a physical device, allowing for the merger between the physical and digital worlds.

The phrase internet of things was coined by a young manager at Proctor and Gamble, Kevin Ashton, who wanted to use RFID tags to better understand his company’s supply chain and, specifically, why a certain colour of lipstick was rarely available at his local supermarket. While Ashton concedes that the term internet ‘for’ things would be more correct, grammatically speaking, he notes that the “internet ‘of’ things deliberately describes something deeper: the interconnectedness of all our tools and supplies”.

All sorts of devices have been connected to the IoT sphere, from video cameras and light bulbs to television sets, thermostats and fitness bands. IoT devices are not only applicable to consumer goods but can also be incorporated into larger systems such as buildings, transportation networks and utility grids. Combined with the analysis of data, this can ultimately lead to the emergence of smart buildings, smart factories and smart cities.

Vulnerability of IoT devices

Living a parental nightmare, a young mother in New York discovered that a complete stranger was talking to her young son through the video camera in his bedroom. Although she immediately disconnected the camera, it is unclear how long this stranger had been watching the family. It could have been someone playing a prank or with malicious intentions.

Connected devices like security cameras are prime targets for hackers. Like many connected devices, they have little built-in security. In one study, researchers found two specific models of webcams - with 100,000 units currently in use - could be hacked with ease.

These security vulnerabilities can also be exploited as an entry point into a wider network. This was the case with a smart thermostat in a fish tank that cyber criminals used to hack into the network of a casino and steal data, including the banking details of its customers.

The threat posed by IoT devices has been recognized by national governments given that the consequences of hacking into a network via an IoT device can be devastating. Consider a hospital being forced to shut down or cars that are driven off the road.

The weak security inherent in IoT devices is due to a number of reasons. These include the use of default passwords that can be easily exploited, the lack of a mechanism for software updates and limited hardening to secure the system, such as the ability to install firewalls or disable cookies.

Because the cost and complexity of making a device ‘smart’ has decreased significantly, manufacturers can easily offer ‘smart’ devices. But for manufacturers of low-margin appliances, they have little incentive to maintain security. And even fewer will possess the necessary expertise.

Guarding personal privacy

IoT devices collect a significant amount of data about their users. In a home, this data can include wake-up and sleep times, the films that are watched, the purchases that are made, and the times when someone is – or is not - in the house. Voice-enabled assistants are continually monitoring conversations and can potentially record every word spoken in a home. This data can then be sent back to the device manufacturer.  

It is not clear what happens to this data and how useful it could be. But the many bits of data taken together can create a detailed profile of an individual which can then be used for marketing – or other - purposes. In a recent speech at the European Parliament, Tim Cook, the CEO of Apple, noted that “these scraps of data…each one harmless enough on its own…are carefully assembled, synthesized, traded, and sold. Taken to its extreme, this process creates an enduring digital profile and lets companies know you better than you may know yourself”.

Cook also lauded the European Union for its adoption of the General Data Protection Regulation (GDPR) which places stringent requirements on the collection, storage and sharing of personal data gathered online. The GDPR includes such concepts as the individual’s ‘right to be forgotten’ as well as the right to ‘data portability’ which allows the individual to transfer personal data between service providers easily.

Elsewhere, regulatory action to protect privacy has been limited. According to one academic, Bruce Schneier, the economic and technical incentives of the IoT industry are not aligned with the security and privacy needs of society. It is for this reason that he believes that government regulation and standards are necessary to help protect citizens.

The need for Standards

International Standards provide a robust and reliable framework, based on best practices for gathering, storing and processing sensitive data. Within ISO/IEC Joint Technical Committee (JTC) 1 on information technology, Subcommittee (SC) 27 on IT security techniques has developed the ISO/IEC 27000 family of Standards. It offers a complete toolkit and methodology for data security management as well as best practices in the areas of data security, information exchange, storage protection and processing.

JTC 1/SC 41, which addresses the internet of things, has recently published its reference architecture. ISO/IEC 30141 provides a framework for IoT which serves as a basis from which to develop specific IoT architectures and systems. One of the aims of this Standard is to protect privacy by ensuring that data cannot be hacked. According to its Chair, François Coallier, “it is crucial for users to feel they can trust IoT systems. Trustworthiness was one of the key concepts that guided our work in this document". SC 41 is currently working on two other projects with trustworthiness as a guiding principle: a trustworthiness framework and a methodology for implementing and maintaining trustworthiness of IoT systems.

Because not all risks are technology-based, the technical staff responsible for managing data requires training, knowledge and skills. The work of the Committee on Conformity Assessment (CASCO) - a joint effort by IEC and ISO - is vital to the process of determining whether an organization meets the requirements related to its technical competence in this area.

In addition, cyber security is the focus of the IEC Conformity Assessment Board (CAB) Working Group (WG) 17 and the Certification Management Committee Task Force of IECEE, the IEC Conformity Assessment for Electrotechnical Equipment and Components.